--- Day changed Thu Jan 01 2015
00:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:09 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
01:28 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:53 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
02:26 -!- ColdFeet [~Dani@expopremier.com] has quit [Quit: Leaving]
02:56 -!- sireebob is now known as Baxtir
02:58 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
02:59 -!- Baxtir is now known as sireebob
04:05 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
04:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:46 -!- Novice201y [~lubuntu@aauk230.neoplus.adsl.tpnet.pl] has joined #openvpn
05:47 < Novice201y> Hi. Is it possible to make a tunnel between PCs that are behind the same router?
06:01 -!- cosinus [~ec2-user@ec2-54-194-237-2.eu-west-1.compute.amazonaws.com] has left #openvpn []
06:05 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
06:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
06:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:17 -!- Novice201y [~lubuntu@aauk230.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 272 seconds]
06:32 -!- Novice201y [~lubuntu@aekp58.neoplus.adsl.tpnet.pl] has joined #openvpn
06:40 -!- AnonGirl [janice@need.sleep.caffeinet.uk.to] has left #openvpn []
06:53 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
06:54 -!- Novice201y [~lubuntu@aekp58.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 256 seconds]
07:06 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Remote host closed the connection]
07:10 -!- Novice201y [~lubuntu@afmq208.neoplus.adsl.tpnet.pl] has joined #openvpn
07:17 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
07:18 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
07:18 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
07:34 <@Dougy> happy new year to you lads
07:35 <@Dougy> Novice201y:
07:35 <@Dougy> Novice201y | Hi. Is it possible to make a tunnel between PCs that are behind the same router?
07:35 <@Dougy> in same LAN? sure
07:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
07:38 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
07:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:46 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
07:51 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:54 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
07:54 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 244 seconds]
07:56 -!- deranged [Jess@sciurus.net] has joined #openvpn
07:58 -!- deranged [Jess@sciurus.net] has quit [Excess Flood]
07:58 -!- deranged [Jess@sciurus.net] has joined #openvpn
08:11 -!- Novice201y [~lubuntu@afmq208.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 245 seconds]
08:20 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
08:20 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:22 -!- havingFun is now known as xrosnight
08:25 -!- Novice201y [~lubuntu@afjh127.neoplus.adsl.tpnet.pl] has joined #openvpn
08:42 -!- Novice201y [~lubuntu@afjh127.neoplus.adsl.tpnet.pl] has quit [Quit: Leaving.]
09:50 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
10:45 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 256 seconds]
10:52 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
11:00 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
11:19 < esde> turns out i wasn't copying over the init script in its entirety
11:19 < esde> :D
11:19 < esde> only took a few hours to figure it out
11:19 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
11:27 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
11:51 -!- Brutser [~plater@d51A48718.access.telenet.be] has joined #openvpn
11:51 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Remote host closed the connection]
11:51 < Brutser> hi all, when i try connect from client, i receive: read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
11:51 < Brutser> is it a problem with the certificates?
11:52 < Brutser> i want to check here before re-creating them
11:52 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
11:54 < Brutser> Oh yes, Happy New Year! :)
11:56 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
12:13 -!- julius_ [~julius_@p3EE284E4.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
12:14 -!- julius_ [~julius_@p3EE292BE.dip0.t-ipconnect.de] has joined #openvpn
12:24 -!- Brutser [~plater@d51A48718.access.telenet.be] has quit []
12:39 -!- Schrottfresse [~quassel@schrottfresse.de] has joined #openvpn
12:58 -!- Brutser [~plater@d51A48718.access.telenet.be] has joined #openvpn
12:59 < Brutser> constantly I keep getting: read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
13:00 < Brutser> research on google give various reasons, but no solution seem to work (yet)
13:00 < Brutser> most basic setup I used
13:18 < BtbN> It's a generic connection issue.
13:19 < BtbN> Basically, fix your connection to that host.
13:19 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
13:25 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
13:33 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
13:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:43 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
14:27 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
14:35 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
14:35 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 256 seconds]
14:44 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
14:46 -!- simlay [~simlay@maderas.amandrai.net] has joined #openvpn
15:23 -!- Henryabcd [~Henryabcd@dyndsl-091-096-021-081.ewe-ip-backbone.de] has joined #openvpn
15:35 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
15:36 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
15:41 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Remote host closed the connection]
15:51 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 244 seconds]
15:52 -!- justinzane [~justinzan@67.21.190.132] has quit []
15:52 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
15:52 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
15:57 -!- ketas- [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
15:59 -!- _KaszpiR__ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
16:03 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:03 -!- jrg_ [jrg@unaffiliated/jrg] has joined #openvpn
16:03 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:05 -!- pipi-_ [~pipi-@unaffiliated/pipi-] has joined #openvpn
16:05 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 256 seconds]
16:05 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 256 seconds]
16:05 -!- zoredache_ [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 256 seconds]
16:05 -!- jrg [jrg@unaffiliated/jrg] has quit [Ping timeout: 256 seconds]
16:05 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 256 seconds]
16:05 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 256 seconds]
16:05 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has quit [Ping timeout: 256 seconds]
16:05 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 256 seconds]
16:05 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 256 seconds]
16:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
16:06 -!- jrg_ is now known as jrg
16:06 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
16:06 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
16:07 -!- mode/#openvpn [+v RBecker] by ChanServ
16:07 -!- mattock is now known as mattock_afk
16:07 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 250 seconds]
16:07 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
16:09 -!- ketas- is now known as ketas
16:09 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
16:15 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
16:31 -!- simlay [~simlay@maderas.amandrai.net] has left #openvpn []
16:36 < Brutser> anyone around at this time?
16:46 -!- Brutser [~plater@d51A48718.access.telenet.be] has quit []
16:48 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
16:50 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
16:50 < tempus_fol> !goal
16:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
16:55 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
16:56 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:08 < tempus_fol> !configs
17:08 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:11 -!- Henryabcd [~Henryabcd@dyndsl-091-096-021-081.ewe-ip-backbone.de] has quit [Quit: Leaving]
17:32 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
17:34 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:45 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
17:46 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:50 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
17:51 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:51 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
17:52 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:37 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has joined #openvpn
18:42 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 240 seconds]
18:43 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:45 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has joined #openvpn
18:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
18:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:06 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 255 seconds]
19:07 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has joined #openvpn
19:10 -!- Strogg [~jean@unaffiliated/strogg] has quit [Quit: WeeChat 0.3.8]
19:21 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 255 seconds]
19:27 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
19:31 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:54 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
20:01 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
20:26 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
20:28 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Client Quit]
20:32 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
20:36 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 264 seconds]
20:37 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Client Quit]
20:45 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
20:46 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:02 -!- rich0_ is now known as rich0
21:07 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:12 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
21:54 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
21:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
21:56 -!- mode/#openvpn [+o krzee] by ChanServ
23:33 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
23:35 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
23:35 -!- ShadniX [dagger@p579416B4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:38 -!- ShadniX [dagger@p5481CB16.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
--- Day changed Fri Jan 02 2015
00:18 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
00:22 -!- julius_ [~julius_@p3EE292BE.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
00:30 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
00:33 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
01:11 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
01:22 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:44 -!- mattock_afk is now known as mattock
01:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:05 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
02:11 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:12 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: No route to host]
02:39 -!- Orbixx_ is now known as Orbixx
02:45 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 244 seconds]
02:48 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:35 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
03:40 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:43 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
04:02 -!- Fraxinus [4e16614e@gateway/web/freenode/ip.78.22.97.78] has joined #openvpn
04:02 < Fraxinus> Anyone in here to help?
04:16 < KjetilK> Fraxinus, I probably can't but see the topic on how to get started
04:17 < Fraxinus> Well got it working ^^
04:17 < Fraxinus> I see the quality of the stream on netflix isn't good tho
04:17 < Fraxinus> i guess because the vpn is heavily used and thus slow?
04:17 < Fraxinus> anyone know a good free vpn link?
04:19 < Fraxinus> us/uk based
04:23 -!- Fraxinus [4e16614e@gateway/web/freenode/ip.78.22.97.78] has quit [Ping timeout: 246 seconds]
04:33 -!- Fraxinus [c6073ecc@gateway/web/freenode/ip.198.7.62.204] has joined #openvpn
04:34 < Fraxinus> Got dcd, does anyone know a fast free vpn ?
04:42 -!- Fraxinus [c6073ecc@gateway/web/freenode/ip.198.7.62.204] has quit [Ping timeout: 246 seconds]
04:43 -!- bone_idol [~bone_idol@apple.rat.burntout.org] has left #openvpn []
04:46 -!- wobelinger [~hexer81@p54B19084.dip0.t-ipconnect.de] has joined #openvpn
04:51 -!- wobelinger [~hexer81@p54B19084.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
04:52 -!- wobelinger [~hexer81@209.197.20.209] has joined #openvpn
04:52 -!- wobelinger [~hexer81@209.197.20.209] has quit [Remote host closed the connection]
04:52 -!- wobelinger [~hexer81@209.197.20.209] has joined #openvpn
04:52 -!- wobelinger [~hexer81@209.197.20.209] has quit [Max SendQ exceeded]
04:54 -!- wobelinger [~hexer81@209.197.20.209] has joined #openvpn
04:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:59 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
04:59 -!- mode/#openvpn [+o dazo_afk] by ChanServ
04:59 -!- dazo_afk is now known as dazo
05:00 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
05:00 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
05:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:16 < tempus_fol> Hello, I have these configs, server and client side: http://fpaste.org/164932/42019638/ ; everything worked perfectly till I upgraded the client OS (from Fedora 20 to Fedora 21). OpenVPN allegedly works fine, I can't see anything strange in the logs (server and client side). If, after having established the VPN connection, I connect from my client to web services/sites (like whatismyip, ifconfig.me and so on) that show my ip address, they
05:16 < tempus_fol> correctly report my openvpn server's ip address; the same occurs from the terminal as well (e.g. curl ifconfig.me) Everything seems working fine, except that I noticed (at first, thanks to knemo) that not all the traffic is routed through the VPN. This is hugely self-evident with Ktorrent; in Ktorrent, connections to UDP peers are routed via the VPN (tun0) whilst connection established via TCP are routed via wlp0s20u2 (sorry for the ugly
05:16 < tempus_fol> device name, you know, "it's a feature"). This is not consistent with the web browser checks. I've checked with wireshark whilst trying to torrent something, and I can confirm that only some of the traffic (it seems only UDP traffic, as far as Ktorrent is concerned) is routed. Whilst browsing, I've noticed anyway that such double-routing occurs on other occasions as well. Here is the `netstat -rn' client-side before and after the VPN
05:16 < tempus_fol> connection: http://fpaste.org/164933/01971011/
05:18 < esde> holy wall o text
05:19 < tempus_fol> Final note: on the server there's a different openvpn tcp server running (listening on 443) that I use when I'm behind some restrictive networks. I've tried to use that, it behaves in the same way.
05:20 < tempus_fol> yep, sorry, I didn't realize I wrote that much. I've tried to post everything I could think relevant
05:21 < tempus_fol> TL;DR some traffic is not routed through the VPN
05:22 -!- Turn_Left [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:27 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
05:30 -!- dazo is now known as dazo_afk
05:35 -!- Turn_Left [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 240 seconds]
05:49 -!- dazo_afk is now known as dazo
05:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:18 -!- jkli [~jkli@brln-4d072903.pool.mediaways.net] has joined #openvpn
06:26 -!- Brutser [~brutser@d51A48718.access.telenet.be] has joined #openvpn
06:26 < Brutser> with basic setup I keep receiving: read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
06:26 < Brutser> must be some firewall issue
06:26 < Brutser> i disabled selinux already
06:27 < Brutser> what i need to upload to get some help on this?
06:27 < Brutser> or what i need to check?
06:31 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
06:36 < Brutser> !configs
06:36 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
06:38 < Brutser> !logs
06:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
06:42 -!- jkli [~jkli@brln-4d072903.pool.mediaways.net] has quit [Quit: Computer has gone to sleep.]
06:43 < Brutser> some of the relevant files: http://pastebin.com/L4DREmvJ
06:55 -!- jkli [~jkli@brln-4d072903.pool.mediaways.net] has joined #openvpn
06:58 < Brutser> no packets captured on server when tcpdump on tun0
06:58 < Brutser> is that normal?
07:08 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
07:13 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
07:43 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
07:47 -!- wobelinger [~hexer81@209.197.20.209] has quit [Ping timeout: 250 seconds]
08:06 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Read error: Connection reset by peer]
08:12 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
08:17 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
08:22 < tempus_fol> Brutser: I have zero knowledge in the windows realm, but it really sounds a firewall issue
08:22 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
08:25 < esde> Fromt he topic, "Your problem is probably firewall, Really"
08:25 < tempus_fol> About the issue I tried to describe earlier ( http://fpaste.org/164932/42019638/ ; http://fpaste.org/164933/01971011/ ; only some traffic is routed through the VPN after an upgrade of the client's OS), I've discovered that if I browse whatismyipaddress.com I'm presented with my home ip, whilst whatismyip.com shows me my VPN server's ip... in the same browser
08:25 < esde> *from the
08:33 -!- pipi-_ is now known as pipi-
08:38 < tempus_fol> I've tried to wireshark it as well.. after querying the dns for whatismyip.com, the connection is performed via VPN, whilst with whatismyaddress.com the connection is performed directly.. and I don't know why. routel: http://fpaste.org/164979/42020946/
08:51 < Brutser> firewall issue is logical, but what is the issue? :)
08:51 < Brutser> server is centos 6.6
08:52 < KjetilK> Brutser, just to be sure, you have opened port 1194?
08:53 < KjetilK> for UDP traffic, even?
08:53 < Brutser> iptables -A INPUT -p udp --dport 1149 -m state --state NEW,ESTABLISHED -j ACCEPT
08:53 < Brutser> iptables -A OUTPUT -p udp -m state --state ESTABLISHED -j ACCEPT
08:53 < Brutser> those 2 lines were issued for that
08:54 < KjetilK> *cough*
08:54 < KjetilK> 1194... :-)
08:55 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:55 < Brutser> sorry i made typo only here
08:55 < KjetilK> typical thing you can stare at for ages, and not discover that you've written 1149 :-)
08:55 < Brutser> i changed to another port to test on that
08:55 < KjetilK> oh, ok
08:56 < Brutser> i put iptables -L in pastebin
08:56 < Brutser> http://pastebin.com/L4DREmvJ
08:57 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco_]
08:57 * KjetilK started with OpenVPN last weekend, my ability to help doesn't go very far
08:57 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
08:58 < KjetilK> have you nmapped the server to see if there are any other things that are surprisingly not there?
09:02 < tempus_fol> Brutser: the CentOS server is on a VPS? OpenVZ or KVM? `iptables -L -n -v -t nat' ?
09:04 < tempus_fol> (in the meanwhile, about my issue, even `$ ip r get $(dig whatismyip.com +short) ; ip r get $(dig whatismyipaddress.com +short)' client-side confirms that some of the traffic passes through tun0, some doesn't)
09:06 < tempus_fol> (what turns me mad is that this untouched OpenVPN setup worked wonders over two client OS' upgrades... and now this)
09:17 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
09:18 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:19 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
09:29 < Brutser> tempus_fol: no it is dedicated
09:29 < Brutser> moment i will get the output
09:33 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
09:45 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
09:48 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
09:57 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
10:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:15 < tempus_fol> (in the meanwhile, about my issue, an `ip r a default via 10.8.0.5' issued once the VPN connection has been established seems to "patch" the issue, all the traffic gets routed through tun0 - but the "redirect-gateway def1 bypass-dhcp" push was always received by the client, so I don't know why an explicit, subsequent, manual route is required)
10:18 -!- An_Ony_Moose [~linus@static.3.75.76.144.clients.your-server.de] has quit [Quit: leaving]
10:20 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
10:20 < tempus_fol> I have an idea...
10:25 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
10:25 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:26 -!- jkli [~jkli@brln-4d072903.pool.mediaways.net] has quit [Quit: Computer has gone to sleep.]
10:28 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 250 seconds]
10:43 < tempus_fol> The suspicion is: the new NetworkManager tries to "manage" an openvpn connection even if it's started from the CLI, presenting a new config for it and possibly (? it's a speculation) messing with the routing tables _after_ the "redirect-gateway def1 bypass-dhcp" push
10:43 < tempus_fol> (I'm checking this)
10:44 < Brutser> switched to debian on the server, now with win7 client
10:44 < Brutser> exact same problem as with centos - winxp
10:45 < Brutser> Fri Jan 02 17:43:23 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
10:45 < Brutser> just default config on 10.8.0.0/24
10:46 < Brutser> client cannot ping server on 10.8.0.1
10:57 < tempus_fol> it's not CentOS or Debian (I'm more used to CentOS-alike stuff)... anyway, I did not see the output `iptables -L -n -v -t nat' ; also, I'm not aware if windows and/or something in the middle is blocking/firewalling the relevant UDP port (I haven't used windows for ~5 years)
10:58 < Brutser> http://pastebin.com/XBTZFi1Z
10:59 < tempus_fol> Eh. That's it.
10:59 <@krzee> !factoids search --values iptables-save
10:59 <@vpnHelper> 'iptables-rules' and 'netfilter'
10:59 <@krzee> !iptables-rules
10:59 <@vpnHelper> "iptables-rules" is When posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
10:59 <@krzee> tempus_fol, that sucks, i hate network mangler
11:00 < Brutser> tempus_fol: so in more detail, what you suggest?
11:00 < tempus_fol> Brutser: a look at https://wiki.archlinux.org/index.php/OpenVPN#Using_iptables can help maybe
11:00 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
11:02 < Brutser> added the masquerade, but it makes no difference
11:03 < Brutser> i know i need to add that, but i was not even that far, because client cannot reach server
11:03 < tempus_fol> krzee: it seems that NetworkManager *wants* me to use the NetworkManager-openvpn plugin.. but it doesn't have all the relevant option/switches, and anyway I don't see why NetworkManager should "handle" a tun0 not crafted by it
11:04 < Brutser> new iptables: http://pastebin.com/2rZLWBPC
11:04 < BtbN> NM handles everything. If you want to use OpenVPN not via NM, give the device a specific name in the config, and add that device name to the NM ignore list.
11:04 < BtbN> But the last time i checked, the NM-OpenVPN options seemed quite complete.
11:04 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
11:05 < BtbN> Brutser, stop querying me about stuff that belongs in this channel please.
11:06 < tempus_fol> Last time I checked, it constantly triggered MITM warnings and did not have some options I used.
11:06 < BtbN> Brutser, i already told you, connection reset by peer is not an openvpn issue, it's a generic networking issue.
11:07 < tempus_fol> ...I was not aware that you can put some device names in ignore list
11:08 < BtbN> It's not unlikely that NM will break/overwrite VPN specific routes
11:08 < tempus_fol> ..but it never happened to me before - I guess I should have been prepared
11:09 < BtbN> The behaviour changed some versions ago
11:10 < Brutser> BtbN: ok, i try to setup a test setup local with virtualization, using virtualbox at the moment - most likely this will influence the network behaviour, but I find so many people using this exact same setup to create an openvpn test setup
11:11 < BtbN> Well, you are doing something wrong with your networking. Not realy possible to tell what exactly.
11:11 < tempus_fol> Brutser: I'd like to help more but I do not even know how to check routing tables, interfaces and pings and whatnot in windows. Sorry about that... maybe you can try with a non-windows client (a Live distro could be fine as well), it may give some insight (in case it's not a windows-firewall thing)
11:12 < Brutser> tempus: i turned off the firewall in win7
11:13 < Brutser> btbN: yes i am doing something wrong, but i just start from a clean setup, the host as well, install minimal centos, clean windows client - but whatever i do, i keep getting the same issue
11:13 < Brutser> also i tried with a ubuntu as host
11:13 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
11:13 < kexmex> hi
11:13 < kexmex> stupid question
11:13 < kexmex> if OpenVPN server goes down, can clients still maintain a network
11:13 < kexmex> ?
11:13 < tempus_fol> ...a virtualization would just add an additional layer of complication in something that is not clear...also, distro-hopping won't really help (never helps)
11:14 < Brutser> tempus: yea i know, i just not have the means to get an additional server just for testing, so that is why i want to try it local
11:14 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:15 < tempus_fol> kexmex: I'd rush to say "no", but I'm somewhat curious about why do you think otherwise
11:16 < kexmex> well
11:16 < kexmex> if machines are clustered via OpenVPN
11:16 < kexmex> for say, DB redundancy
11:16 < kexmex> like if one of the 3 machines in cluster goes down, another one takes over as primary DB
11:16 < kexmex> but if one shitty openVPN server goes down, then the whole cluster goes down?
11:18 -!- tobinski [~tobinski@x2f5f47a.dyn.telefonica.de] has joined #openvpn
11:26 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
11:28 < tempus_fol> I don't have any experience in openvpn clusters, but it could be doable to create different lans, in each of those an openvpn server & client of all the other openvpn servers.... it seems fun
11:35 -!- Brutser [~brutser@d51A48718.access.telenet.be] has quit [Ping timeout: 240 seconds]
11:38 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
11:41 < BtbN> OpenVPN is strictly client/server. All traffic goes through the single server. Public/Private key communication just works like that.
11:42 < BtbN> The only P2P VPN i can think of is hamachi, but even that relies on a central server to initially connect the hosts. And it's a proprietary tool.
11:46 < tempus_fol> BtbN: I've tried to blacklist tun0 (adding a [keyfile] section in /etc/NetworkManager/NetworkManager.conf, and adding there the line "unmanaged-devices=interface-name:tun0"); after a NetworkManager restart, still I can't get tun0 in unmanaged state...
11:47 < BtbN> It should appear as unmanaged in the ui
11:47 < BtbN> if it doesn't it didn't work
11:48 < BtbN> https://gist.github.com/5229f18503b992874d82 that's how i blacklisted some of my vmware devices
11:48 <@vpnHelper> Title: /etc/NetworkManager/NetworkManager.conf (at gist.github.com)
11:48 < tempus_fol> in the ui I see that a new tun0 "profile" is created right after the connection to the VPN server
11:48 < BtbN> And don't name it tun0, give it some more specific name
11:48 < BtbN> could easily become tun1 at some point otherwise
11:49 < tempus_fol> (indeed, I blacklisted tun0 and tun1)
11:50 < BtbN> My openvpn interfaces usually have useful names, which indicate which vpn it is
11:50 < BtbN> you can freely name them
11:50 < tempus_fol> that's a nice feature to consider, first I just wanted to make sure I can blacklist the device properly..
11:53 < tempus_fol> yay, I managed to blacklist it properly... apparently, a systemctl restart NetworkManager wasn't enough, it wanted a systemctl force-reload too
11:54 < tempus_fol> now my routing tables are proper, the first default gw in the routing tables is 10.8.0.5 on tun0.... ok, now I'll check more in depth the tun0-renaming
11:55 < BtbN> The problem is, a single change via NM will entirely overwrite the routing table
11:55 < BtbN> To the state NM expects
11:55 < BtbN> so everything except the implicit route to your VPN network will be gone
12:01 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
12:01 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 245 seconds]
12:03 -!- justinzane [~justinzan@67.21.190.132] has quit [Ping timeout: 272 seconds]
12:14 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
12:16 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
12:17 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
12:33 -!- Brutser [~brutser@d51A48718.access.telenet.be] has joined #openvpn
12:34 < Brutser> lol, decided to grab my old laptop and install centos on there, but now im rebuilding 6.x because the cpu doesn't support pae
12:35 < Brutser> i really wonder why virtualbox makes it impossible for me to set up a basic openvpn server ... :/
12:35 < Brutser> it is such a convenient way for me to test things
13:01 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
13:07 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Remote host closed the connection]
13:10 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
13:18 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco_]
13:28 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:30 -!- Denial [~Denial@81.141.3.116] has quit [Ping timeout: 240 seconds]
13:45 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
13:46 -!- asper [~argali@volans.uberspace.de] has joined #openvpn
13:55 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
13:57 -!- bruxC [~bruxC@66.63.84.178] has quit [Client Quit]
14:01 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Changing host]
14:01 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
14:06 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
14:24 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:35 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
14:35 -!- BtbN [btbn@btbn.de] has joined #openvpn
14:38 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:41 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
14:50 < kexmex> can an openvpn cluster function
14:50 < kexmex> if server is down?
14:53 < esde> "The basic idea is that you can run two (or three, or more) OpenVPN servers, and add all of their IP addresses or hostnames to your VPN client configurations. Also, the client should re-try quickly in order to minimize the downtime experienced by the user. When one server fails, the client rotates to the next address in its connect-to list, and the connection gets re-established in pretty short order."
14:53 < esde> could be outdated information though. got it from http://serverfault.com/questions/110105/redundant-openvpn-configuration
14:53 <@vpnHelper> Title: high availability - redundant openvpn configuration - Server Fault (at serverfault.com)
14:57 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 276 seconds]
14:59 -!- tobinski_ [~tobinski@x2f5f47a.dyn.telefonica.de] has joined #openvpn
15:00 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
15:02 -!- tobinski [~tobinski@x2f5f47a.dyn.telefonica.de] has quit [Ping timeout: 240 seconds]
15:10 -!- Brutser [~brutser@d51A48718.access.telenet.be] has quit [Ping timeout: 240 seconds]
15:39 -!- stevecrozz [~stevecroz@173.227.0.2] has joined #openvpn
15:39 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
15:41 < stevecrozz> vpn connection established, but cannot ping vpn server IP from the client: [client log --verb 6 http://lithostech.com/openvpnlog]
15:44 < stevecrozz> when I issue a ping 10.8.0.1 from the client, I see TUN READ and UDPv4 WRITE messages in the client log, but there is no reply
15:45 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
15:47 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
15:48 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit []
15:48 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
15:50 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Quit: ZNC - http://znc.in]
15:54 < burp_> I'm trying to run openvpn with a /64 subnet assigned to me, I have a main adapter where I assign the first /65 subnet, and openvpn gets the second /65. A client gets an IP from the second /65 but is not able to ping external ipv6 addresses, though ipv6 forwarding is enabled on the server and routing is pushed
15:55 < burp_> now the interesting/strange thing:
15:56 < burp_> when I add the ipv6 address from the second /65 block that is assigned to a client to the server's main interface (next to the first /65 block) and remove it afterwards, routing/pinging outside works
15:56 < burp_> after a "while" things stop working again and I'd have to alias/unalias the client ip from the main interface again
15:58 < burp_> routing table doesn't change, ipv6 neighbor table seems to stay the same, I'm currently looking for ideas where to look
16:00 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
16:23 -!- u0m3_ [~u0m3@92.80.69.178] has joined #openvpn
16:26 -!- u0m3 [~u0m3@92.80.67.140] has quit [Ping timeout: 255 seconds]
16:27 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
16:31 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
16:31 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
16:36 -!- tekk [~me@185.17.149.149] has joined #openvpn
16:43 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
16:47 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
17:07 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:23 -!- Brutser [~brutser@d51A48718.access.telenet.be] has joined #openvpn
17:24 < Brutser> Need some help: openvpn server on centos 6.6 seems to work fine, but when i connect from windows client, browsing works on some urls, but times out on others - how can i find the cause of this problem? should i run some tcpdump on the server to find out and how to do this?
17:24 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 244 seconds]
17:26 -!- stevecrozz [~stevecroz@173.227.0.2] has left #openvpn ["Leaving"]
17:26 -!- jkli [~jkli@brln-4d072903.pool.mediaWays.net] has joined #openvpn
17:26 -!- jkli [~jkli@brln-4d072903.pool.mediaWays.net] has left #openvpn []
17:26 < Brutser> also can someone tell me if these iptables settings are acceptable?
17:26 < Brutser> http://pastebin.com/iCHytReR
17:27 < Brutser> port for openvpn is obviously 2244 udp
17:27 < Brutser> maybe i put too many rules or not right order
17:27 < Brutser> all help is appreciated!
17:31 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
17:33 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:34 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
17:40 < Brutser> i can watch a youtube movie through the vpn, but ibm.com times out .. :S
17:46 < Brutser> seems i only can reach ipv6
18:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:02 -!- dazo is now known as dazo_afk
18:07 < burp_> and linux client works?
18:07 < burp_> try pinging server tunnel end on clients for ipv4,ipv6
18:08 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:11 -!- tobinski_ [~tobinski@x2f5f47a.dyn.telefonica.de] has quit [Quit: Leaving]
18:13 < Brutser> burp_: ok moment
18:14 < burp_> I guess first you should figure out if the tunnel itself works, if server and client can ping each other through the tunnel interface
18:14 < burp_> and if that works for both ipv4 ipv6 you can check the routing
18:24 < Brutser> burp_: seems both are not working :S
18:25 < Brutser> so internet i receive in browser is cached, or just not using the vpn tunnel?
18:25 < burp_> can't say, browse http://ifconfig.me to check IP address? :D
18:26 < Brutser> does not open :)
18:26 < Brutser> must be firewall, let me pastebin the rules
18:26 < Brutser> i use bash script, probably some wrong order
18:26 < burp_> I'm not so familiar with iptables
18:27 < burp_> but could be, yea
18:27 < Brutser> http://pastebin.com/vLUvE8ca
18:27 < burp_> can you remove all iptables rules? then you know if the rules break them
18:27 -!- backz [~daniel@189.100.10.39] has joined #openvpn
18:27 < burp_> break it
18:28 -!- backz [~daniel@189.100.10.39] has left #openvpn []
18:28 < Brutser> ok, but the masquerade rule is needed by vpn no?
18:28 < burp_> for NAT?
18:28 < Brutser> yes
18:28 < burp_> for now we're just testing if the tunnel connection works properly
18:28 < Brutser> ok
18:28 < burp_> NAT is only required if you want to reach something externally
18:29 < burp_> you can start with empty iptables everywhere
18:29 < burp_> make sure tunnel works
18:29 < burp_> then enable ip forwarding on server, and set up iptables NAT rules
18:30 < Brutser> stopped iptables
18:30 < Brutser> but tunnel does not work it seems
18:32 < Brutser> let me upload server.conf
18:34 < Brutser> also i notice the client does not get a gateway on the 10.10.10.0 network
18:35 < Brutser> http://pastebin.com/yn49EpiX
18:36 < Brutser> i am for sure overlooking something very basic
18:36 < burp_> so your client gets 10.10.10.2 I guess
18:36 < Brutser> 10.10.10.6
18:36 < burp_> while the server side tunnel is 10.10.10.1
18:36 < burp_> ok
18:36 < burp_> and pinging 10.10.10.1 doesn't work
18:36 < Brutser> no
18:37 < Brutser> iptables i stopped
18:37 < Brutser> centos 6.6 btw the server
18:37 < burp_> client is windows, right?
18:37 < Brutser> yes
18:39 < burp_> well, can't help there :/
18:39 < burp_> for linux I'd check if a route has been set
18:39 < Brutser> selinux?
18:40 < Brutser> i think maybe that gives the problem
18:40 < Brutser> possible?
18:41 < burp_> don't know
18:41 < burp_> hmm, maybe you are missing
18:42 < burp_> push "route 10.10.10.0 255.255.255.0" for that to work?
18:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:42 < Brutser> i will give that a try, sec
18:43 < Brutser> i thought about that, but it is getting the ip from this network, so thought it was not necessary
18:44 < Brutser> no, does not seem to make much difference
18:44 < burp_> so you still can't ping 10.10.10.1, hmm
18:45 < burp_> I guess my expertise ends here
18:45 < Brutser> and mine too :)
18:45 < Brutser> still sucks :)
18:46 < burp_> on linux client I'd check routing table to check whether 10.10.10.X is really routed through tun0
18:47 < burp_> one can probably do the same on windows, but I don't know the tools there
19:02 < Brutser> switched to tcp
19:02 < Brutser> now receive: SIGUSR1 connection-reset
19:02 < Brutser> from the server
19:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
19:07 -!- sand3r [~user@unaffiliated/sand3r] has joined #openvpn
19:07 < sand3r> hi
19:07 < sand3r> how do i disable logs for openvpn server?
19:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:07 < sand3r> by verb "0"?
19:08 < Brutser> send log file to /dev/null
19:08 < sand3r> how?
19:08 < sand3r> i thought verb 0 did that?
19:08 < sand3r> verb 0= no logs?
19:09 < burp_> don't you have to specify log or syslog so it logs in first place?
19:09 < Brutser> log /dev/null
19:11 < Brutser> should work fine
19:11 < Brutser> but ok, my setup should work fine too but it does not :)
19:13 < sand3r> burp_: is that a question?
19:13 < burp_> yes
19:14 < sand3r> burp_: you know how to disable logs completely?
19:14 < burp_> see what Brutser said
19:15 < sand3r> Brutser: what's the difference between log /dev/null and verb 0?
19:15 < burp_> 0 -- No output except fatal errors.
19:15 < burp_> says man openvpn
19:16 < sand3r> burp_: you know what the difference is?
19:17 < burp_> well, I thought one had to activate log or syslog first before any logging happens
19:18 < Brutser> log /dev/null makes sure that if any logging would happen, it is not saved
19:19 < tempus_fol> usually any distro ootb has one of those turned on, and usually it's always better to keep some logging than none. There's also the --mute directive to drop subsequent similar messages...
19:19 < tempus_fol> (one of those logging systems)
19:20 < tempus_fol> (rather than none) I apologize, it's quite late ^^"
19:22 < sand3r> is it like, verb 0 disables ip, error logs. and log /dev/null disables activity logs?
19:22 < sand3r> am i right?
19:23 < tempus_fol> well /dev/null is ... null. void. the emptiness. You can throw anything at it, and it becomes zilch. nada. nothing.
19:23 < Brutser> yea
19:23 < Brutser> verb determines the 'extensiveness' of logging
19:23 < sand3r> so, what function is verb 0 giving?
19:23 < Brutser> but verb 0 still logs
19:24 < tempus_fol> with /dev/null it's not exactly "disabling" logs, it's "throwing them in a black hole"
19:24 < Brutser> yea
19:24 < burp_> black hole that doesn't grow with it :D
19:24 < sand3r> lol
19:24 < burp_> even worse thing
19:25 < tempus_fol> verb 0 can log very exceptional fatalities you totally want to know. Why do you want to disable logging in the first place?
19:25 < Brutser> yes, i suggest leaving verb 1 at least
19:25 < sand3r> tempus_fol: privacy reasons
19:25 < Brutser> just rotate the logging, so they don't keep a long history
19:26 < sand3r> Brutser: should it not be enough with log /dev/null and verb 0 we talked about?
19:26 < Brutser> log /dev/null and verb 9 will just be the same
19:26 < tempus_fol> sand3r: like? If someone has root access to your box/VPS/server, logs aren't the thing you should focus on
19:27 < sand3r> Brutser: how do i rotate the logging? and why rotate it IF i using log /dev/null?
19:27 < Brutser> netstat reveals just as much
19:27 < tempus_fol> well true
19:27 < sand3r> tempus_fol: what should i focus on?
19:28 < sand3r> then..
19:29 < tempus_fol> sand3r: not letting your box get rooted ^^" and giving your box to professionals who deserve your trust
19:29 < Brutser> swiss guard :)
19:33 < sand3r> please explain more..
19:33 < sand3r> :)
19:34 < sand3r> tempus_fol: you mean like fail2ban?
19:34 < tempus_fol> also, most distros include some kind/variant of log rotation; but tbh logs aren't hampering any privacy ever; logs are meant to be usable by the system administrator only. Someone not trusted with physical or rooted access (that's what's needed) can do much worse than just reading... it's the worst case scenario you want to avoid
19:36 < tempus_fol> every distro has its way of hardening; some distros (CentOS,RHEL,Fedora) implement SELinux, others implement grsec; tbh "sane" configurations should be enough, but those tools can save an admin from exceptional errors (and some exploits).
19:37 < sand3r> tempus_fol: what about debian 7?
19:37 < tempus_fol> hardening ssh (fail2ban is sometimes used with it) is another thing you could consider... but we would go very offtopic I guess
19:39 -!- sand3r [~user@unaffiliated/sand3r] has quit [Read error: Connection reset by peer]
19:39 < tempus_fol> debian stable is well, stable - make sure to double check the permissions of files/folders you edit/move around, check which services are exposed to the general public, adopt decent passphrases, try to hide ssh login (someone would say that's not really hardening, and mostly it would just avoid filling logs with intrusion attempts by bots) and so on
19:41 < tempus_fol> it's a wide topic, you should maybe focus on securing openvpn for now ^^ For example Brutser is using CentOS, right? One of the first things whilst troubleshooting is disabling SELinux... it's not really correct, one should check the logs of SELinux and eventually adopt a custom policy
19:47 < tempus_fol> for example, SELinux is expecting OpenVPN on tcp and/or UDP port 1194 ( "# semanage port -l|grep openvpn" ); if you use e.g. port 40123 udp instead, you just run "# semanage port -a -t openvpn_port_t -p udp 40123" ; on SELinux-hardened systems it's better never to turn SELinux off completely but at most to put it temporarily in permissive mode. CentOS has a nice (and fast) wiki on SELinux
19:51 < Brutser> yes but even disabling iptables and selinux is not giving me any solution right now
19:51 < Brutser> right now i get: MULTI: bad source address from client [::], packet dropped
19:51 < tempus_fol> wait no you don't disable iptables... you need it :|
19:51 < Brutser> i know, but i just try to create the tunnel
19:53 < tempus_fol> maybe me and/or someone else already suggested it but: have you tried to connect to it using a linux client? Just to rule windows out. Also a linux client could give you some more details I guess. A so-called "live image" of any distribution should be enough, if you don't want to install it on bare metal.
19:56 < Brutser> tempus_fol: i guess i will have to do that...
19:57 < tempus_fol> also: when pasting iptables it's better to just use iptables-save (iptables-save actually dumps to stdout, doesn't commit any change if you don't redirect the output to a file), so a helper passing by could have a complete overview (and your current "# grep -vE '^#|^;|^$' server.conf" ). And the configuration client side too..
19:58 < Brutser> seems i messed up iptables pretty much
19:58 < tempus_fol> the official openvpn faq suggests, for that specific error, to double check the actual configuration file
19:59 < Brutser> tempus = bot?
20:00 < burp_> lol
20:00 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Read error: Connection reset by peer]
20:00 < burp_> does he sound too proficient? :D
20:01 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:01 < Brutser> my smart brother doesn't even sound like that :)
20:02 < tempus_fol> I attempt to be a humble helper for a different linux community but tbh openvpn isn't my bread and butter ^^" Thanks anyway
20:03 < burp_> maybe IBM Watson
20:03 < Brutser> that was a compliment really
20:03 < Brutser> iptables: http://pastebin.com/PEEH9fBc
20:06 < Brutser> MULTI: bad source address from client [::], packet dropped
20:06 < tempus_fol> lol I wish I were IBM Watson... you've set many times "POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE" in the nat table... once is enough, and are you sure that 10.10.10.0/24 is correct? It's not what I'd expect...
20:07 < Brutser> let me paste server.conf
20:07 < Brutser> http://pastebin.com/KP1gGK1j
20:07 < tempus_fol> I'd expect a "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" (assuming eth0 is correct) but then we need the server.conf as well to double check (and "ifconfig" or better "ip a" )
20:07 < tempus_fol> ninja'd
20:09 < tempus_fol> ok no, you're using "server 10.10.10.0 255.255.255.0" (still one entry in the nat table is enough)
20:12 < Brutser> updated iptables: http://pastebin.com/jFtCKArL
20:13 < Brutser> MULTI: bad source address from client [::], packet dropped
20:13 < Brutser> RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRW
20:14 < Brutser> but i cannot even ping 10.10.10.6 from the server
20:14 < Brutser> and i can also not ping 10.10.10.1 from the client
20:15 < Brutser> and the RRRRRR is not my frustration, but was in the log
20:15 < Brutser> though it could have easily been my frustration too :p
20:17 < tempus_fol> why are there some lines that were supposed to be grepped out? "# sestatus" says that SELinux is disabled, enabled with current mode "permissive" or enabled with current mode "enforcing" ?
20:18 < Brutser> Current mode: permissive
20:19 < Brutser> SELinux status: enabled
20:22 < tempus_fol> if you have conntrack available, you could just state '-A INPUT -m conntrack --ctstate INVALID -j DROP' rather than...ok, I'll try to rearrange a bit, a sec. In the meanwhile, install the setroubleshoot package and "sealert -a /var/log/audit/audit.log > /path/to/mylog.txt" (and check if in mylog.txt there's anything relevant for openvpn)
20:23 < Brutser> MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
20:28 < tempus_fol> Ah! "-A INPUT -p udp -m state --state NEW -m udp --dport 22244 -j ACCEPT " why only new? wait one more sec
20:29 < Brutser> ok
20:29 < Brutser> it is all set with a bash script, but i collected lines from 3 bash scripts really
20:30 < Brutser> i can upload the bash script?
20:30 < tempus_fol> the bash script isn't really relevant
20:30 < Brutser> yea ok
20:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
20:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
20:40 < Brutser> almost done installing setroubleshoot
20:41 < Brutser> i just execute like this? : sealert -a /var/log/audit/audit.log > /root/selinux.txt
20:43 < tempus_fol> yep
20:45 < Brutser> SELinux is preventing /usr/sbin/openvpn from name_bind access on the udp_socket
20:46 < Brutser> and same on tcp_socket
20:46 < tempus_fol> give a look at this basic iptables-save http://pastebin.centos.org/14861/ ; you can import it by echoing to /etc/sysconfig/iptables, and then giving a restart of the openvpn service
20:47 < tempus_fol> sure SELinux complains because you're not using 1194 tcp or udp; see the comment I wrote before
20:48 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 265 seconds]
20:48 < Brutser> ok, the iptables-save you pasted, it not include the ssh port 11122 i see
20:48 < Brutser> i should put it also there?
20:48 < Brutser> else i cannot access over ssh
20:49 < tempus_fol> sure, add your ssh port, it's just a barebone
20:49 < Brutser> yea ok
20:50 < Brutser> ok iptables done
20:51 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
20:51 < tempus_fol> have you double checked that the newer iptables are loaded with "iptables -L -n -v", "iptables -t nat -L -n -v" ?
20:52 < tempus_fol> to instruct SELinux for the custom openvpn udp port, step by step: http://pastebin.centos.org/14866/
20:53 < Brutser> i already have that
20:53 < Brutser> semanage port -l|grep openvpn
20:53 < Brutser> openvpn_port_t tcp 1194
20:53 < Brutser> openvpn_port_t udp 22244, 1194
20:53 < tempus_fol> ok, restart the openvpn service
20:54 < tempus_fol> double check the server logs when you restart it
20:54 < Brutser> 192.168.68.233:62563 MULTI: bad source address from client [::]
20:54 < Brutser> .233 is client
20:56 < Brutser> ping -6 google.com
20:56 < Brutser> gives reply from client
20:56 < tempus_fol> nice, now we have to look at the client config, but here (as I've said before) I have no experience with windows.
20:57 < tempus_fol> If only you could check now with a live distro...
20:57 < Brutser> ok
20:57 < Brutser> i have centos in virtualbox, would that be the same?
20:58 < tempus_fol> obviously no
20:58 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
20:58 < Brutser> moment, i think i have kali linux on some usb
20:59 < Brutser> ok it turned out to be backtrack, but that will do
21:00 < tempus_fol> (you can even "burn" a live image on a stick with dd or (given that you're on windows) with https://github.com/downloads/openSUSE/kiwi/ImageWriter.exe or http://www.netbsd.org/~martin/rawrite32/ , they work with almost any Linux image meant to be burnt)
21:00 <@vpnHelper> Title: Rawrite32 (at www.netbsd.org)
21:00 < tempus_fol> whatever, it will have the openvpn package I guess
21:01 < tempus_fol> you just have to create a configuration file for linux client (it differs from the windows one)
21:02 < Brutser> linux distro started
21:02 < Brutser> enabled wifi from the laptop
21:02 < Brutser> now checking to see for openvpn
21:02 < Brutser> ok installed
21:03 < tempus_fol> the "openvpn --version" is on par with the CentOS one?
21:03 < Brutser> 2.1.0
21:03 < Brutser> so not really
21:12 < Brutser> anyway, it is early morning almost
21:12 < Brutser> i need to catch some sleep now
21:12 < Brutser> hope i can fix the problem tomorrow, if you are here, hope you can help me some more
21:13 < Brutser> already i want to thank you for the help so far
21:13 < tempus_fol> the configuration for the client could be http://pastebin.centos.org/14871/
21:13 < tempus_fol> ok, good night and good luck ^^
21:13 < Brutser> ok got the client config
21:13 < Brutser> you won't believe it
21:14 < Brutser> but i restart the server
21:14 < Brutser> and it gives some hdd error
21:14 < Brutser> so will need to check on that first thing in morning anyway
21:14 < Brutser> but that is not related i suppose
21:14 < tempus_fol> ...better check
21:14 < Brutser> yes
21:14 < Brutser> thanks so far!
21:15 < tempus_fol> you're welcome
21:15 < Brutser> before my head falls on keyboard: good night!
21:15 < tempus_fol> gn ^^
21:31 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
21:43 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
21:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:49 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has joined #openvpn
22:09 < TommyC> Hi, is there a way to exclude certain connections from OpenVPN (e.g. ssh)?
22:12 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
22:17 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
22:59 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
23:06 < Eugene> !routebyapp
23:06 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
23:06 <@vpnHelper> policies you set. For Linux, read about !lartc
23:08 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 272 seconds]
23:10 < TommyC> Eugene: Danke!
23:11 < TommyC> !lartc
23:11 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
23:12 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:33 -!- Denial [~Denial@81.141.0.36] has joined #openvpn
23:35 -!- ShadniX [dagger@p5481CB16.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:36 -!- ShadniX [dagger@p5481DE46.dip0.t-ipconnect.de] has joined #openvpn
23:52 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
--- Day changed Sat Jan 03 2015
00:00 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
00:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:48 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
00:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:04 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
01:07 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
01:08 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
01:20 -!- IronWard [~zos@unaffiliated/ironward] has joined #openvpn
01:21 -!- heraclitus [~phobos@unaffiliated/heraclitis] has joined #openvpn
01:21 < IronWard> !ovpnuke
01:21 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
01:21 < IronWard> !welcome
01:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:23 < IronWard> !topology
01:23 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
01:23 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
01:25 < IronWard> !configs
01:25 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:25 < IronWard> !sample
01:25 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
01:37 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
01:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:26 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
02:27 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:27 -!- mode/#openvpn [+v hazardous] by ChanServ
02:28 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:34 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
02:35 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 256 seconds]
02:37 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:41 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:41 -!- mode/#openvpn [+v hazardous] by ChanServ
02:45 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
03:02 -!- [1]Kiwi [~Kiwi@ip-118-90-34-236.xdsl.xnet.co.nz] has joined #openvpn
03:04 -!- [1]Kiwi [~Kiwi@ip-118-90-34-236.xdsl.xnet.co.nz] has left #openvpn []
03:14 -!- stewi [~quassel@2400:6800:ffff:2:695c:cad6:863a:31f9] has joined #openvpn
03:24 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 250 seconds]
03:39 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
04:09 -!- stewi [~quassel@2400:6800:ffff:2:695c:cad6:863a:31f9] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
04:10 -!- stewi [~quassel@2400:6800:ffff:2:695c:cad6:863a:31f9] has joined #openvpn
04:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:56 < stewi> If I have an SSL secured OpenVPN connection, am I safe to allow completely unencrypted or unsecured traffic within the VPN? I.e. I have a quassel IRC core running on my server, and a client for it on my personal desktop. I connect to the server through the VPN, external traffic to the quassel core is blocked in the firewall. Would it be a waste of my time to configure quassel to use ssl?
04:57 < stewi> I am strictly using quassel as an example
05:03 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
05:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
05:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:11 -!- u0m3_ [~u0m3@92.80.69.178] has quit [Read error: Connection reset by peer]
05:25 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Remote host closed the connection]
05:26 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
05:30 -!- IronWard [~zos@unaffiliated/ironward] has left #openvpn ["Leaving"]
05:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:27 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:56 < stewi> I have a problem. I am running an OpenVPN server on my VPS, and I need clients to be able to see and connect to each other for lan (VPN) gaming
06:56 < stewi> Only some clients are visible from some other clients
06:57 < stewi> I (.8) can see .16, but not .3 or .5
06:58 < stewi> .3 can see .5, .16 and .8
07:00 < stewi> sorry .3 can see .16 and .8, but not .5
07:01 < stewi> .5 can see .8 and .16 but not .3
07:02 < stewi> yet .3 is hosting a game that .5 is connected to, and no one else can connect?!
07:02 < stewi> What is going on?!
07:03 < stewi> iptables --list:
07:03 < stewi> Chain INPUT (policy DROP)
07:03 < stewi> target prot opt source destination
07:03 < stewi> ACCEPT all -- anywhere anywhere
07:03 < stewi> ACCEPT all -- anywhere anywhere
07:03 < stewi> ACCEPT all -- anywhere anywhere state ESTABLISHED
07:03 < stewi> ACCEPT all -- anywhere anywhere state RELATED
07:03 < stewi> ACCEPT udp -- anywhere anywhere udp dpt:9987
07:03 < stewi> ACCEPT tcp -- anywhere anywhere tcp dpt:25565
07:03 < stewi> ACCEPT tcp -- anywhere anywhere tcp dpt:http
07:03 < stewi> ACCEPT icmp -- anywhere anywhere
07:03 < stewi> ACCEPT udp -- anywhere anywhere udp dpt:http-alt
07:03 < stewi> Chain FORWARD (policy ACCEPT)
07:03 < stewi> target prot opt source destination
07:03 < stewi> Chain OUTPUT (policy ACCEPT)
07:03 < stewi> target prot opt source destination
07:04 < stewi> iptables -t nat --list:
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain INPUT (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain OUTPUT (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain POSTROUTING (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:05 < stewi> iptables -t mangle --list:
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain INPUT (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain FORWARD (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:05 < stewi> Chain OUTPUT (policy ACCEPT)
07:05 < stewi> target prot opt source destination
07:06 < stewi> Chain POSTROUTING (policy ACCEPT)
07:06 < stewi> target prot opt source destination
07:06 < stewi> the first two rules from iptables filter are for the lo and tap1 interfaces
07:08 < stewi> this is my server.conf:
07:08 < stewi> port 8080
07:08 < stewi> proto udp
07:08 < stewi> dev tap
07:08 < stewi> ca ca.crt
07:08 < stewi> cert server.crt
07:08 < stewi> key server.key # This file should be kept secret
07:08 < stewi> dh dh2048.pem
07:09 < stewi> server 10.8.0.0 255.255.255.0
07:09 < stewi> ifconfig-pool-persist ipp.txt
07:09 < stewi> push "dhcp-option DNS 8.8.4.4"
07:09 < stewi> push "dhcp-option DNS 8.8.8.8"
07:09 < stewi> client-to-client
07:09 < stewi> keepalive 10 120
07:09 < stewi> persist-key
07:09 < stewi> persist-tun
07:09 < stewi> status openvpn-status.log
07:09 < stewi> verb 3
07:10 < stewi> and client config:
07:10 < stewi> client
07:10 < stewi> dev tap
07:10 < stewi> proto udp
07:10 < stewi> remote lenqua.net 8080
07:10 < stewi> resolv-retry infinite
07:10 < stewi> nobind
07:10 < stewi> persist-key
07:10 < stewi> remote-cert-tls server
07:10 < stewi> verb 3
07:10 < stewi> ca ca.crt
07:10 < stewi> cert cert.crt
07:10 < stewi> key key.key
07:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
07:26 < _FBi> pastebin brah
07:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:30 -!- mode/#openvpn [+v s7r] by ChanServ
07:31 <+s7r> if i connect to an openvpn server via tun device and TCP protocol, can I tunnel UDP traffic via that TCP tunnel also?
07:31 <+s7r> like encapsulate UDP in TCP from me to openvpn server, and openvpn server to destination regular UDP ?
07:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:37 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
07:37 < tempus_fol> s7r: sure
07:38 <+s7r> thanks
07:38 <+s7r> one more thing. what iptables rule do i need to add on the openvpn server in order to allow a client to do UPnP port mapping / remote port opening ?
07:39 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Client Quit]
07:58 -!- u0m3 [~u0m3@92.80.69.178] has joined #openvpn
08:21 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
08:37 -!- BenLue [~No@unaffiliated/benlue] has joined #openvpn
08:38 < BenLue> !paste
08:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
08:38 < BenLue> !configs
08:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) don't forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:43 < BenLue> !logs
08:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
08:44 < BenLue> !logfile
08:44 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
08:45 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
08:49 < BenLue> i have some troubles. Openvpn Client is connected, after a few min i get a TLS Error! syslog: http://paste.debian.net/139039/ cyberghost.conf: http://paste.debian.net/139035/ cyberghost-up: http://paste.debian.net/139036/
08:49 < BenLue> anyone ideas?
09:01 < BenLue> iptables -nL: http://paste.debian.net/139042/
09:04 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
09:04 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
09:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:06 -!- stewi [~quassel@2400:6800:ffff:2:695c:cad6:863a:31f9] has quit [Remote host closed the connection]
10:20 -!- justinzane [~justinzan@67.21.190.132] has quit []
10:25 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 250 seconds]
10:25 <@krzee> BenLue, doesn't look to me like it was connected
10:25 <@krzee> but not enough log to know what happened before
10:28 -!- mattock is now known as mattock_afk
10:29 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
10:29 -!- mode/#openvpn [+o raidz] by ChanServ
10:33 < BenLue> arrrgs damit sry wait a sec pls
10:36 < BenLue> krzee a bit more from syslog: http://paste.debian.net/139050/
10:37 < BenLue> every minute it's the same msg
11:15 < Brutser> receive on client: UDPv4 [ECONNREFUSED]: Connection refused (code=111)
11:15 < Brutser> info: http://pastebin.centos.org/14876/
11:16 < Brutser> server CentOS 5.11 - client BackTrack 5 LiveCD / Windows 7
11:20 < Brutser> from Win7 client:
11:20 < Brutser> ping -6 google.com
11:20 < Brutser> Pinging google.com [2a00:1450:4013:c00::66] with 32 bytes of data:
11:20 < Brutser> Reply from 2a00:1450:4013:c00::66: time=43ms
11:20 < Brutser> Reply from 2a00:1450:4013:c00::66: time=52ms
11:20 < Brutser> ping -4 google.com
11:20 < Brutser> Pinging google.com [173.194.65.138] with 32 bytes of data:
11:20 < Brutser> Request timed out.
11:20 < Brutser> Request timed out.
11:21 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:28 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Disconnected by services]
11:30 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
11:41 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
11:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:43 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 244 seconds]
11:44 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:44 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 276 seconds]
11:46 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
11:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
11:49 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
11:50 < Brutser> ok, the ipv6 is probably because the vpn creates a tunnel on ipv4 and ipv6 traffic is not going over the tunnel
11:50 < Brutser> for some reason
11:50 < Brutser> so that means the tunnel is still rejecting
11:58 -!- stewi [~quassel@203.143.84.86] has joined #openvpn
12:12 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
12:16 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
12:18 -!- tobinski [~tobinski@x2f6158d.dyn.telefonica.de] has joined #openvpn
12:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
12:41 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
12:45 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:47 -!- Brutser [~brutser@d51A48718.access.telenet.be] has quit []
13:26 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
13:27 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
13:33 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 265 seconds]
14:10 <@krzee> BenLue, maybe firewall on tun interface?
14:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
14:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
14:54 -!- he_bgb5 [~1badb0y@98.206.248.96] has joined #openvpn
14:54 < he_bgb5> howdy all
14:54 < he_bgb5> first time visitor
14:55 < he_bgb5> Downloaded bitmask to android but not sure its working properly. Any helpers?
14:56 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
15:01 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:04 <+s7r> he_bgb5 never used bitmask
15:04 <+s7r> what's its use anyway?
15:04 <+s7r> seems like it's badly documented
15:05 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
15:06 < he_bgb5> vpn
15:06 <+s7r> how is it any different / better than using simple openvpn ?
15:07 < he_bgb5> s7r Bitmask is a VPN joined through riseup.net
15:07 < he_bgb5> supposed to be the most secure by what I've read.
15:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:10 < he_bgb5> !goal is to build a secure pendrive for anonymous surfing and Tor purchases. Just starting the learning process. Comcast is my ISP so any trouble I can avoid where they're concerned is paramount.
15:11 < he_bgb5> s7r maybe I'm too paranoid but...
15:12 <+s7r> hehe
15:12 <+s7r> better off using Tor
15:15 < he_bgb5> s7r I thought I'd need to run Tor through a VPN or Virtualbox or something...is this needed?
15:15 <@plaisthos> !providers
15:15 <@plaisthos> !commercial
15:15 <@vpnHelper> "commercial" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
15:15 <@plaisthos> not that one
15:15 <@plaisthos> !support
15:16 < he_bgb5> ok
15:16 < he_bgb5> <--noob
15:16 <+s7r> he_bgb5 no, why pay for it? if you want to hide the fact that you use Tor, better use a bridge
15:16 <+s7r> bridges are free: https://bridges.torproject.org/
15:16 <@vpnHelper> Title: BridgeDB (at bridges.torproject.org)
15:17 < he_bgb5> Lost to learn!! Any blogs...?
15:17 < he_bgb5> lots to learn
15:17 < he_bgb5> No need for VPN than?
15:18 < he_bgb5> just bridges?
15:18 <+s7r> depends on your purpose
15:18 <+s7r> and use model
15:19 < he_bgb5> purchasing overseas medication for my disabled niece with bitcoin(which I'm still reading about)
15:19 -!- _KaszpiR__ is now known as _KaszpiR_
15:19 < he_bgb5> She is allergic to the medications in the states
15:20 < he_bgb5> suffered a spinal cord injury last year...19 years old.
15:21 < he_bgb5> s7r purpose now stated. What advice do you have on set up? Step by step please...noob.
15:23 <+s7r> download tor browser and use it with bridges to obfuscate the fact that you use Tor.
15:23 <+s7r> everything free, nothing required
15:23 < he_bgb5> I have an old Evo N400c 400MB Ram / 20 gb hdd I'd use as a throw away for these needs. Ready to wipe drive and start fresh but lost on os, virtualbox, ssh, etc.
15:23 <+s7r> just be careful how you place your orders and what else you do with Tor simultaneously in order not to leak your real identity
15:24 <+s7r> if you have an old pc for this purpose, why do you need also virtualization?
15:24 <+s7r> install the operating system on bare metal and run Tor
15:24 < he_bgb5> lol ok
15:24 < he_bgb5> not just noob. Paranoid noob.
15:24 <+s7r> you don't need to worry
15:25 <+s7r> just encrypt your hard drive
15:25 <+s7r> FULLY
15:25 <+s7r> and use a strong passphrase
15:25 <+s7r> download Tor Browser, it's like a portable firefox. at first in that menu select that you want to use bridges, and use an obfs3 type bridge.
15:25 <+s7r> that's all you need to do. browse safe and anonymous
15:26 <+s7r> but pay attention to your operational security, don't do stupid things like for example open your real email address in one tab and in second tab place the order with bitcoins
15:26 <+s7r> or your facebook account
15:27 < he_bgb5> I have no operating system disks that will run on the Evo, been looking into puppy, tahrpuppy 6.0 won't load properly...
15:27 < he_bgb5> it included tor
15:27 < he_bgb5> I would never use the Evo for anything but tor
15:28 < he_bgb5> s7r ty for the advice btw
15:28 <+s7r> he_bgb5 i'll give you a better one and spare you the encryption effort
15:29 <+s7r> use Tails, it's a live linux distribution which runs from a flashdrive or a DVD, and routes everything via Tor
15:29 <+s7r> it's very secure and has a lot of encryption tools included in it
15:29 <+s7r> https://tails.boum.org/
15:29 <@vpnHelper> Title: Tails - Privacy for anyone anywhere (at tails.boum.org)
15:30 <+s7r> this is basically something for non tech people who are vulnerable to make mistakes and have the real IP disclosed. like install stuff, open attachments.
15:30 <+s7r> this linux distro has everything covered for you
15:35 < he_bgb5> thank you
15:59 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 244 seconds]
16:51 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
16:54 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
17:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
17:09 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
17:25 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
17:46 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
17:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:57 < he_bgb5> Testing
18:18 -!- he_bgb5 [~1badb0y@98.206.248.96] has quit [Quit: Leaving]
18:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:39 -!- BenLue [~No@unaffiliated/benlue] has quit []
18:40 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:94c3:c835:4c38:5077] has joined #openvpn
18:50 -!- tobinski [~tobinski@x2f6158d.dyn.telefonica.de] has quit [Quit: Leaving]
19:02 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 256 seconds]
19:09 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
19:49 -!- heraclitus [~phobos@unaffiliated/heraclitis] has quit [Ping timeout: 245 seconds]
20:14 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Quit: Turning IRC client off]
20:33 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
20:34 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
20:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
20:44 -!- nrdb [~neil@123.185.168.125.sta.wbroadband.net.au] has joined #openvpn
20:47 <@Dougy> evening lads
20:47 <@Dougy> what the . when did i get ops
20:47 < esde> lol
20:48 < nrdb> I am trying to set up an openvpn between two VMs (as a test) ... I keep getting "TLS Error: TLS handshake failed" on the client ... I have confirmed that the ta.key file is the same on both setups... I have confirmed that there are no firewalls involved .. and the "tls-auth ta.key 0" and "tls-auth ta.key 1" seem to be correct ... any ideas on what could be wrong?
20:48 <@Dougy> 10:34:08 -- | Mode #openvpn [+o Dougy] by ecrist
20:48 * Dougy feels empowered
20:49 * Dougy waves at raidz
20:49 < esde> ta.key are the same file on server and client, and are readable by openvpn?
20:50 < nrdb> esde, yes .. its permissions "-rw-r--r-- 1 root root 636 Jan 4 12:31 ta.key"
20:51 < pekster> the tls-auth key isn't related to TLS at all beyond "allowing it to continue"
20:52 < pekster> It's merely an extra level of protection to provide security even if the cipher-suite you're using is (partially) compromised in the future, and as a basic ddos protection. Use --verb 4 on both sides and review the errors from both ends
20:52 < esde> iirc 600 is all that's needed for the tls auth key file
21:01 < nrdb> pekster, would you like me to pastebin the verb=4 output? I don't understand most of it.
21:04 < nrdb> pekster, one thing odd is the last message on the server is "Initialization Sequence Completed" ... there is no indication that the client tried to connect.
21:07 < pekster> Sounds like either packets aren't making it to the server, or your tls-auth key isn't exactly the same on both ends
21:08 < pekster> verb-4 output from the client should confirm that though
21:21 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
21:24 < nrdb> pekster, diff says the files are the same....
21:25 < pekster> easy enough to see if packets are arriving: tcpdump the port you're using on the server and watch for packets (udp/1194, or such)
21:37 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 265 seconds]
21:40 < nrdb> pekster, the tcpdump is showing packets coming in (but none seem to be going out)
21:43 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:45 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
21:46 < pekster> If you've no 'initial packet received' message on the server, either 1) your tls-auth key doesn't match (or the direction-arg is bad,) or 2) server has a firewall and the packet doesn't make it to the server
22:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:44 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Remote host closed the connection]
22:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:45 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
23:16 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
23:28 < nrdb> pekster, I found out what was wrong :-)
23:31 < _FBi> sup dougy
23:31 < _FBi> hiya pekster
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:34 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
23:35 -!- ShadniX [dagger@p5481DE46.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:36 -!- ShadniX [dagger@p5481D978.dip0.t-ipconnect.de] has joined #openvpn
23:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:53 < nrdb> Is there a limit to how many openvpn servers can run on a single computer (ignoring the limit on port numbers)
23:57 < _FBi> and ram
23:57 < _FBi> and processor power
--- Day changed Sun Jan 04 2015
00:02 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:14 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
00:26 -!- not_phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
00:32 < stewi> If I wanted to play lan games over the VPN, with broadcasts getting through the VPN (lan game discovery, rather than trying to find ip and port manually), would I want tap or tun, and would I need any special configuration to allow broadcasts through?
00:33 < stewi> I have been at this for over a week now, and I can't even ping some clients from the server.
00:33 < _FBi> :S
00:33 < _FBi> !tap
00:33 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
00:33 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
00:33 < _FBi> ;)
00:34 < stewi> thanks, but is ethernet bridging not for connecting a VPN to a physical lan? Like in a business setting?
00:34 < stewi> I am running off a VPS
00:35 < stewi> I will be using routing
00:37 < _FBi> boss is here, gotta jet
00:41 < stewi> My VPS is not a DHCP server, nor is it a gateway for a physical subnet. How can I bridge? My VPS eth0 is connected directly to the internet, no LAN at all to bridge to?
00:41 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
01:03 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 244 seconds]
01:04 -!- stewi [~quassel@203.143.84.86] has quit [Quit: No Ping reply in 180 seconds.]
01:04 <@krzee> can do a routed tap if you only need broadcasts between vpn endpoints
01:05 <@krzee> _FBi's answer on bridging was assuming the game server is on the same lan as the server
01:05 <@krzee> !whybridge
01:05 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
01:05 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
01:05 -!- mode/#openvpn [+v hazardous] by ChanServ
01:06 <@krzee> i know broadcasts are l3, but tun doesn't do broadcasts
01:06 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 245 seconds]
01:06 <@krzee> but there is always:
01:06 -!- stewi [~quassel@2400:6800:ffff:2:fdca:4dda:1a6:52a3] has joined #openvpn
01:06 <@krzee> !bcrelay
01:06 <@krzee> !broadcasts
01:06 <@krzee> !factoids search --values broadcast
01:06 <@vpnHelper> 'broadcast-relay', 'bcast', and 'bcast'
01:06 <@krzee> !bcast
01:06 <@vpnHelper> "bcast" is (#1) pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup or (#2) http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed)
01:07 <@krzee> !broadcast-relay
01:07 <@vpnHelper> "broadcast-relay" is a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isn't enough.
01:09 < nrdb> Is it possible to set the MAC address of the tap interface so it does change?
01:09 * nrdb oops s/does/doesn't/
01:09 <@krzee> whatever you are hoping to do based on that, DONT
01:10 <@krzee> and no.
01:12 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
01:13 < nrdb> krzee, rats!
01:27 < stewi> Let me get this straight, ethernet bridging is for connectige two subnets (including VPN) togeather, and is no help to me, trying to set up a VPN to play lan games exclusively over the VPN
01:27 < stewi> connecting*
01:27 < stewi> together*
01:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:54 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
01:54 -!- not_phunyguy is now known as phunyguy
02:44 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
03:06 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
03:09 -!- MACscr [~Adium@2601:d:c800:de3:b96b:9a2d:7865:a240] has joined #openvpn
03:39 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
03:53 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Remote host closed the connection]
03:54 -!- stewi [~quassel@2400:6800:ffff:2:fdca:4dda:1a6:52a3] has quit [Remote host closed the connection]
03:57 -!- Latrina [~Latrina@ppp-111-3.26-151.libero.it] has quit [Ping timeout: 245 seconds]
03:59 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
04:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:00 -!- Latrina [~Latrina@adsl-ull-202-194.50-151.net24.it] has joined #openvpn
04:13 -!- tobinski [~tobinski@x2f5f427.dyn.telefonica.de] has joined #openvpn
04:15 < novae> Anyone know what the openvpn configuration equivalents are for VyOS's 'tls role'?
04:17 < novae> Struggling to set up a series of point to point (site-to-site) links between a router and some linux boxes, the links were functional linux to linux but I can't seem to work out how to configure the router the same.
04:18 -!- catsup [d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
04:18 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:19 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:43 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
04:46 < novae> Solved. :)
04:47 < novae> For interest's sake, 'tls role' refers to tls-client/server. And was NOT in the end the source of my misconfiguration
05:35 <@plaisthos> Orbixx: tls-client/tls-server
05:48 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
05:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:16 -!- stewi [~quassel@203.143.84.86] has joined #openvpn
06:16 -!- Latrina [~Latrina@adsl-ull-202-194.50-151.net24.it] has quit [Ping timeout: 245 seconds]
06:20 -!- Latrina [~Latrina@151.56.181.67] has joined #openvpn
07:03 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
07:05 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
07:21 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
07:46 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:32 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 265 seconds]
08:33 -!- master_of_master [~master_of@p4FF24914.dip0.t-ipconnect.de] has joined #openvpn
08:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:35 < master_of_master> hi, I'd like to know if it is possible to route two networks between vpn clients?
08:37 < master_of_master> route add -net 172.16.3.0/24 gw 10.8.0.114 dev tun0 leads to "SIOCADDRT: No such process"
09:37 < nrdb> master_of_master, yes it is possible... but remember the packets not only need to get to the destination, but there also needs to be a return route as well.
09:38 < master_of_master> nrdb: sure :-) I need also to add a route on the other side. But there "ip route add 192.168.10.0/24 via 10.8.0.110 dev tun0" returns "RTNETLINK answers: Network is unreachable"
09:38 < nrdb> I have only used a setup where 10.8.0.0/24 is at my home, 10.7.0.0/24 is the vpn, and whatever the DHCP is configured to when I am away.
09:40 < nrdb> can you ping 10.8.0.110 from the 192.168.10.0 net?
09:41 < master_of_master> if I am pinging from the router yes.
09:41 < master_of_master> here my route -n output: http://pastebin.com/sHM1yLmA
09:42 < nrdb> my setup uses "route add -net 10.8.0.0/24 gw 10.7.0.1" without the "dev tun0"
09:42 < nrdb> master_of_master, that is Linux ... what are you using?
09:42 < master_of_master> yes, that is debian Linux
09:43 < master_of_master> well I think what I'm trying is a bit different
09:43 < master_of_master> the VPN server (10.8.0.1) shouldn't be involved, or?
09:46 < master_of_master> or do I need to set up a client specific push rule on the server?
09:46 < nrdb> I haven't
09:47 < nrdb> but the client2 setup seems sus... what is the vpn there? you say 10.8.0.114 but use 10.8.0.113
09:49 < nrdb> use ping and tcpdump moving along the chain of I.P.s one at a time.
09:50 -!- JackWinter [~jack@vodsl-4724.vo.lu] has joined #openvpn
09:50 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 272 seconds]
09:50 < master_of_master> 10.8.0.112/30 is the openvpn tun subnet?
09:53 < nrdb> you realise this only gives 2 usable addresses, 10.8.0.113 and 10.8.0.114
09:53 -!- ChromeShrimp [~chromey@gateway/tor-sasl/chromeshrimp] has joined #openvpn
09:55 < nrdb> the address you gave in client1 is out of this range.
09:59 < master_of_master> well, that is how the openvpn server delegates the ip addresses
09:59 < master_of_master> each client gets its own /30 subnet
10:01 < nrdb> I am using two openvpn setups ... 10.7.0.0/24 and 10.0.0.0/16
10:02 < nrdb> confirmed by ifconfig
10:03 < nrdb> it's the ip address that is reported by ifconfig that needs to be in the routing table.
10:04 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
10:05 < master_of_master> well, this setup has been working for years. And I can ping from 10.8.0.110 to .114
10:07 < ChromeShrimp> how can I change the limit of connected clients? it's saying I can only have max 2 clients and giving me some error
10:09 < ChromeShrimp> about a license
10:11 < nrdb> one of my server.conf file has the "server 10.0.0.0 255.255.0.0" line...
10:11 < master_of_master> nrdb: I use server 10.8.0.0 255.255.255.0
10:12 < master_of_master> additionally there is a push "route 10.8.0.0 255.255.255.0"
10:12 < nrdb> master_of_master, so its a /24 setup
10:13 < master_of_master> yes, the server uses that /24 net. But each client gets its own /30 subnet out of that
10:13 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
10:15 < nrdb> maybe yes/maybe no... but it's not of any consequence .... it's the I.P. of the tun/tap interface that is important
10:16 < nrdb> otherwise the ARP request packets that are broadcast won't be answered properly.
10:16 < master_of_master> yes, and I thought that it is simply possible to send all traffic for that certain subnet to that ip address in the vpn.
10:16 -!- mode/#openvpn [+e *!*~qizhez@95.211.224.45] by krzee
10:19 < nrdb> my main VPN is run in a VM (so I can reset it if needed) its LAN IP is 10.8.0.101 so that is why my route for the 10.7.0.0/24 network points to that IP.
10:20 -!- mode/#openvpn [+e *!*qizhez@95.211.224.45] by krzee
10:21 < nrdb> I think you have too many routes pointing to tun0 ... that might be some of your trouble.
10:21 -!- mode/#openvpn [-r] by krzee
10:21 -!- _bt [~bt@mongs.yotm.com] has joined #openvpn
10:22 -!- qizhez [~qizhez@95.211.224.45] has joined #openvpn
10:22 < ChromeShrimp> !ovpnuke
10:22 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
10:22 -!- mode/#openvpn [+r] by krzee
10:22 < ChromeShrimp> !poodle
10:22 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
10:22 < ChromeShrimp> !heartbleed
10:22 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
10:22 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
10:23 -!- mode/#openvpn [-e *!*qizhez@95.211.224.45] by krzee
10:23 -!- mode/#openvpn [-e *!*~qizhez@95.211.224.45] by krzee
10:24 < ChromeShrimp> !welcome
10:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
10:24 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:24 < qizhez> does anybody here know anything about a precisely five hour (300min) window between softhups and complete reconnections?
10:24 <@plaisthos> no
10:24 <@plaisthos> but tls renegotiation is 1h
10:25 < master_of_master> nrdb: I think the fact, that 10.8.0.113 is used as router to 10.8.0.0/24 causes the problem. I would need to stack two routes onto each other...
10:25 < qizhez> yeah tls is fine. that doesnt seem to be the problem. this is on android client (arnes) and seems to be totally server agnostic
10:26 < ChromeShrimp> !howto
10:26 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:28 < nrdb> so you have a computer (running openvpn) with the 10.8.0.113 IP? what is the network range of the LAN there
10:28 <@plaisthos> qizhez: can you show the log of connection?
10:28 <@plaisthos> qizhez: use the share button to export the log
10:28 <@plaisthos> I've never seen that
10:29 < qizhez> plaisthos yes give me a minute. i have a bunch
10:31 < nrdb> master_of_master, the route on the other LAN computers needs to have a gateway IP of the LAN IP of the computer running openvpn
10:31 < master_of_master> nrdb: no the ip of that vpn client is .114
10:31 < qizhez> i don't have a share button. im on a crappy android client. i can privmsg but theres nothing spectacular. it just completely softhups and restarts every five hours like clockwork.
10:31 < master_of_master> nrdb: 192.168.178.0/24
10:32 < master_of_master> and 172.16.3.0/24 (via vlan3 interface)
10:32 <@krzee> if you're using arne's android client then a) not crappy , b) there's a share button when at the logs
10:35 <@plaisthos> qizhez: you should have
10:35 <@plaisthos> qizhez: are you in the log window?
10:35 <@plaisthos> and see the faq about the share button :)
10:35 < nrdb> master_of_master, so the other computers on that LAN need to have one route for the 10.8.0.0/24 with a gateway of that computer 10.8.0.x IP
10:36 <@plaisthos> https://code.google.com/p/ics-openvpn/wiki/FAQ
10:36 <@vpnHelper> Title: FAQ - ics-openvpn - Openvpn for Android 4.0+ - Google Project Hosting (at code.google.com)
10:36 <@plaisthos> copying log entries
10:36 < qizhez> oh there. i clear those every few hrs lemme check if it happened since the last. ive just been copypasting to tfiles
10:37 < qizhez> plaisthos those do give out a ton of private info tho ;p
10:37 <@plaisthos> qizhez: hardware button? :)
10:37 < qizhez> no my irc client is crappy. arnes client is awesome
10:37 < nrdb> master_of_master, what is the vlan3 network... is that you wi-fi
10:38 < qizhez> sorry very hard to multitask on here. minute.
10:38 < master_of_master> nrdb: well, the computers on the local network use 172.16.3.1 (==10.8.0.114) as default gateway
10:39 < qizhez> the next is due in under an hour but i have one from earlier today. lemme dig up.
10:39 < master_of_master> the problem is not yet on the clients in the local network
10:39 < master_of_master> it is already when I want to add the route to the gateway
10:39 -!- ChromeShrimp [~chromey@gateway/tor-sasl/chromeshrimp] has left #openvpn []
10:44 <@plaisthos> qizhez: you can send the log privately if you want
10:45 < qizhez> i cannot find this mystery button. fwiw i disabled google on here and grab apks via plai.de
10:45 < nrdb> master_of_master, it's 3:40AM here, I need sleep... I think you need to first get rid of the "push route" in the openvpn config .. simplify the routes to their minimum .. traceroute or ping .. get each step working ... don't try to get it all working at once... once you know what is needed try putting the "push routes" back in the config files.
10:46 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
10:47 <@plaisthos> qizhez: tried your hardware menu key?
10:47 < nrdb> master_of_master, tcpdump filtering for icmp (i.e. ping) packets is very handy too.
10:48 < qizhez> yah doesnt do anything
10:48 < master_of_master> nrdb: thanks for your help! I'll look into client specific config
10:48 <@plaisthos> qizhez: in the log window, the share button should be either a share thing directly in the log window or in the overflow menu
10:48 <@plaisthos> on some devices you need the hw button for the overflow menu
10:49 <@plaisthos> qizhez: the apks on plaisthos.de are identical to the play store apks
10:49 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Read error: Connection reset by peer]
10:49 < qizhez> im on a large screen phone w hardware keys but nada pulls up for that
10:49 < qizhez> well theres the android stock share bit
10:50 < qizhez> but as i said its not in my current log (yet) anyway
10:50 -!- Yoder [~Yoda@unaffiliated/itsyoda] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
10:50 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
10:50 <@plaisthos> qizhez: yeah I meant the stock android share bit
10:50 < qizhez> itll be in 30 mins when i get dxed hehe
10:51 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has joined #openvpn
10:52 < qizhez> i mean theres nothing to share to that applies either anyway
10:53 <@plaisthos> there should be plenty of options
10:53 <@plaisthos> like drive, email, dropbox, your pastebin android client, sms, ....
10:53 <@Dougy> hi _FBi
10:56 -!- nrdb [~neil@123.185.168.125.sta.wbroadband.net.au] has quit [Remote host closed the connection]
10:57 < qizhez> yeah all those things i disabled because they invade privacy and leak ip and stuff? lol. i can pastebin manually ;)
10:57 < qizhez> <3 dougie
10:57 < qizhez> dougy that is
10:58 < qizhez> it does strike me i havent tried on wifi only mobile
10:58 < qizhez> since i dont use wifi
10:59 <@Dougy> wut
10:59 <@Dougy> why am i getting some loving
10:59 < qizhez> sorry at this point waiting for it to dx me. i shall rejoin after and pass new log. what i have isnt useful.
10:59 < qizhez> hah i thought you were agreeing all those share methods were sending my vpn info to the fbi ;p
11:00 <@Dougy> oh no
11:00 <@Dougy> i was saying hi to _FBi lol
11:00 < qizhez> id think it might be a carrier issue but ive had it on at least two networks
11:01 < qizhez> i say hi to fbi every day .... even here i bet :)
11:01 < qizhez> not a fan of the new leaked docs
11:02 < qizhez> about nine minutes more.... la la la
11:04 < qizhez> only somewhat related but when it does reconnect it first tries to pass thru tun0 instead of ccmni0 as it should (tun0 is tor transproxy and limited to a few apps but it doesn't try to send to localhost or block. it tries to send to the vpn server ip.)
11:04 < qizhez> this is for tcp
11:04 < qizhez> and tun
11:04 < qizhez> (persist)
11:07 -!- qizhez [~qizhez@95.211.224.45] has quit [Quit: AndroidIrc Disconnecting]
11:09 -!- mode/#openvpn [-r] by krzee
11:09 -!- qizhez [~qizhez@95.211.224.44] has joined #openvpn
11:09 -!- mode/#openvpn [+r] by krzee
11:19 < qizhez> thanks
11:20 < qizhez> plaisthos get pm? just wanna make sure after flood
11:20 <@plaisthos> qizhez: yes
11:20 <@plaisthos> qizhez: your problem is this line:
11:20 <@plaisthos> 2015-01-04 18:04:55 read TCP_CLIENT [NO-INFO]: Connection timed out (code=110)
11:20 <@plaisthos> that means your tcp connection is broken
11:21 < qizhez> yes but im not sure why. the connectivity is fine and theres no setting to time it out
11:21 <@plaisthos> qizhez: mobile data or wifi?
11:21 < qizhez> mobile. two diff carriers.
11:22 < qizhez> my only other thought was they forbid persistent connections longer than five hours but ive had udp last longer a few times
11:22 <@plaisthos> timeouts for udp might be different
11:22 < qizhez> and ive had nonvpn be fine for more than that
11:22 <@plaisthos> but it is probably the nat in between
11:22 <@plaisthos> it is at least nothing openvpn specific
11:22 < qizhez> yeah i considered that.
11:23 < qizhez> the other problem is :)
11:23 < qizhez> which ive capped
11:32 < qizhez> hm short of uploading a pic im unable to show you but i can tell you
11:32 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit [Ping timeout: 264 seconds]
11:33 < qizhez> basically when it renegotiates it first tries tun0 to renegotiate then connects thru ccmni0
11:33 <@plaisthos> !?
11:33 <@plaisthos> tls renegotiation or what?
11:34 <@plaisthos> ccmni0 is your mobile interface?
11:34 < qizhez> tun0 typically being where orbot resides but i turned it off to verify thats not it. couldnt be anyway. doesnt transproxy. uses the vpn ip, proto and port
11:34 < qizhez> yeah ccmni0 usually unless i switch vpn connections then obv it changes to ccmni1 etc
11:35 < qizhez> never saw it before the current version. used to use .16 iirc but maybe that was just a fluke
11:36 < qizhez> the dns part always drives me nuts but i cant make heads or tails of it trying to use tun and that has to be the client. using logcat via root with network log
11:37 < qizhez> dns part if i dont hard code ip instead of a fqdn. but thats not a flaw in your app obv. the tun thing i have no idea
11:37 <@plaisthos> openvpn requests dns from android
11:37 <@plaisthos> and well that happens to use whatever interface it thinks is best at the moment
11:37 < qizhez> anyway orbot doesnt proxy all either and firewall doesnt block as tho it were orbot
11:38 < qizhez> yeah no worries about the dns. i may tweak a commit/branch some time tho to offer you maybe if I find time. the other thing is strange tho.
11:40 < qizhez> any ideas?
11:41 <@plaisthos> I am still not sure what your problem is
11:41 < qizhez> like afaik tun shouldn't even exist at all at that point. its almost a snake eating its own tail
11:41 <@plaisthos> dns queries over your mobile interface?
11:41 <@plaisthos> qizhez: persistent-tun?
11:41 < qizhez> no nothing to do with dns
11:41 < qizhez> that was something else
11:42 < qizhez> except it never happened before with persistent tun afaik
11:42 < qizhez> if its just a quirk i can live with it its just weird i guess
11:44 < qizhez> anyway im grateful for the time youve given me.... is there any dev or support or any sort of help i can offer? im pretty good at some stuff.
11:46 < qizhez> i think i came on to find out if these were "only me" problems or not so i could narrow things down. you pretty much confirmed what id hoped wasnt but suspected was the problem with the first issue
11:48 < qizhez> it does give me ideas tho about the possibility of maybe adding randomisation for people whose carriers might do this... persistent tun might protect against leaks but if someone always drops and comes back like clockwork that sorta seems like a predictability weakness to me and i wonder if it can be gotten around. esp if you use tor on top etc.
11:48 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
11:50 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
11:50 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
11:52 < qizhez> good night
11:54 -!- qizhez [~qizhez@95.211.224.44] has quit [Quit: AndroidIrc Disconnecting]
12:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
12:09 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
12:16 -!- Latrina [~Latrina@151.56.181.67] has quit [Ping timeout: 245 seconds]
12:20 -!- Latrina [~Latrina@adsl-ull-31-216.50-151.net24.it] has joined #openvpn
12:53 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
13:29 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
13:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:37 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:38 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
13:41 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:43 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
13:45 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 240 seconds]
13:46 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
15:17 -!- `Yoda is now known as Yoder
15:18 -!- Yoder is now known as Yoderp
15:40 -!- evelea [~evelea@5469881C.cm-12-2c.dynamic.ziggo.nl] has joined #openvpn
15:40 < evelea> hi
15:41 < evelea> i'm having problems configuring openvpn, the server is a windows machine and the client is a mac
15:41 < evelea> i'm getting the following error: "This computer's apparent public IP address was not different after connecting to "
15:42 < evelea> is anyone around that could help me?
15:43 < evelea> !paste
15:43 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:44 < evelea> ping :)
15:46 < evelea> anyone around?
15:50 -!- flyingkiwi [~kiwi@nat.hamburg.contentfleet.com] has quit [Remote host closed the connection]
15:50 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
15:52 -!- Latrina [~Latrina@adsl-ull-31-216.50-151.net24.it] has quit [Ping timeout: 244 seconds]
15:52 < evelea> nobody? :(
15:54 < KjetilK> evelea, you probably need to wait for a while, but make sure you read all of the topic and what help that could give you
15:55 < evelea> KjetilK, I've been reading forums and help files for the past 3 hours
15:55 < evelea> before entering this chat channel
15:55 < esde> !goal
15:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:56 < esde> Also, you will wait until a user is available to help. Otherwise
15:56 < esde> !commercial
15:56 < evelea> I would like to access the internet over my vpn :)
15:56 <@vpnHelper> "commercial" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
15:56 < esde> !redirect
15:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:56 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:56 < esde> should be everything you need.
15:56 < evelea> !def1
15:56 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:57 < KjetilK> evelea, I find it helpful to think carefully about my questions, as it helps pin down the problem
15:57 < evelea> i tried to push redirect-gateway def1 and it stopped working
15:58 < esde> !ipforward
15:58 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:58 < KjetilK> I came in here as a complete newbie last Saturday, and got almost to the core of my problem by just the automated messages
15:58 < evelea> that works, the client connects to the server
15:58 < evelea> ah, not port forward but ip.. lemme read that
15:58 < evelea> !winipforward
15:58 <@vpnHelper> "winipforward" is (#1) http://support.microsoft.com/kb/315236 to enable ip forwarding on windows or (#2) reboot after enabling it
16:00 < evelea> KjetilK, as I said, I have been trying to get it working for the past 3 hours.. I like to troubleshoot problems myself
16:01 < evelea> this one, though... can't get it to work and seems every single thing I try breaks things even worse
16:02 < esde> https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
16:02 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
16:02 < evelea> yup, that's the one I followed
16:02 < evelea> the client connects to the server
16:02 < esde> I (thankfully) don't personally have any experience provisioning openvpn on windows
16:03 < esde> go grab a snack and come back to it with a fresh head
16:04 < evelea> if it will be faster, I don't even mind paying a few bucks (via paypal) for beer for the one that helps me get it done
16:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:30 < evelea> ok, so.. bribe does not work ;)
16:36 -!- maxiepax [max@83.241.146.10] has joined #openvpn
16:38 < maxiepax> anyone have an opinion on the "safety" of just using local auth instead of "proper" certificates?
16:40 -!- Latrina [~Latrina@ppp-39-38.26-151.libero.it] has joined #openvpn
16:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 265 seconds]
16:56 < esde> this looks like a fun project http://acksyn.org/docs/smart-cards-openvpn.html
17:05 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
17:06 -!- evelea [~evelea@5469881C.cm-12-2c.dynamic.ziggo.nl] has quit [Quit: Leaving]
17:28 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
17:37 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
17:43 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
17:51 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:26 -!- tobinski [~tobinski@x2f5f427.dyn.telefonica.de] has quit [Quit: Leaving]
19:10 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:25 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Quit: Leaving]
19:33 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
19:40 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:43 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:50 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
19:50 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
21:23 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:52 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
21:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:54 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
22:22 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:22 < ljvb> yo
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:33 -!- ShadniX [dagger@p5481D978.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:34 -!- ShadniX [dagger@p5481D560.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Quit: Leaving]
--- Day changed Mon Jan 05 2015
00:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 244 seconds]
00:31 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
00:35 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
00:35 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
00:58 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
01:19 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 240 seconds]
01:19 -!- master_o1_master [~master_of@p4FF24AC0.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_of_master [~master_of@p4FF24914.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
01:29 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
01:42 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 244 seconds]
01:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:48 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
01:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:00 -!- mattock_afk is now known as mattock
02:00 -!- JackWinter [~jack@vodsl-4724.vo.lu] has quit [Read error: Connection reset by peer]
02:03 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:08 -!- JackWinter [~jack@vodsl-4724.vo.lu] has joined #openvpn
02:12 -!- JackWinter [~jack@vodsl-4724.vo.lu] has quit [Remote host closed the connection]
02:17 -!- abbe [having@badti.me] has quit [Quit: “Everytime that we are together, it's always estatically palpitating!”]
02:27 -!- JackWinter [~jack@vodsl-4724.vo.lu] has joined #openvpn
02:38 -!- abbe [having@badti.me] has joined #openvpn
02:45 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
02:49 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:02 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
03:07 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
03:31 -!- Tracker [~tracker@m88.ip1.anvianet.fi] has joined #openvpn
03:33 -!- Denial [~Denial@81.141.0.36] has quit [Ping timeout: 256 seconds]
03:34 -!- Denial [~Denial@5.80.234.73] has joined #openvpn
03:36 < Tracker> Hi, I have a strange problem with 2 different openvpn servers, one 10.8.0.0 255.255.255.128 and one 10.8.0.128 255.255.255.128, same client keys on both servers but different IPs, one 1-127 and the other 129-... when connecting to both servers from a windows xp box all ok, can ping both 10.8.0.x client IPs from the openvpn server's local net 192.168.100.x; push "route 192.168.100.0 255.255.255.0" is applied..
03:36 < Tracker> but when trying the same configuration from a windows 7 box can't ping the second server's 10.8.0.x client IP anywhere but the second server... windows 7 doesn't know to route the packet through the same interface it's coming from, trying to send it through server 1, its log says MULTI: bad source address from client [10.8.0.138], packet dropped.. any help with my issue?
03:45 -!- tobinski [~tobinski@x2f58ee7.dyn.telefonica.de] has joined #openvpn
04:13 -!- dazo_afk is now known as dazo
04:13 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-zvlhhgylcitxtcng] has joined #openvpn
04:14 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
04:14 < mjkr> what does openvpn offers over openssh's tuntap?
04:14 < hyper_ch> hmmm, I just added tls-auth and cipher AES-256-CBC to my server and client configs. All work fine except the windows 8.1 client
04:15 < hyper_ch> mjkr: drugs, sex, rock'n'roll :)
04:16 < mjkr> seriously...
04:16 <@dazo> mjkr: an easier configuration, especially setting up tun/tap adapters for you. More advanced possibilities for authentication. UDP transport (to avoid tcp-over-tcp issues) ... to mention some things
04:16 < hyper_ch> can't answer that since I don't know openssh's tuntap
04:16 < mjkr> dazo: but with tcp at least you get proper pmtud
04:16 <@dazo> mjkr: openvpn with udp + tls-auth actually hides your open UDP port from port scans
04:16 <@dazo> pmtud?
04:17 < mjkr> path mtu discovery
04:17 < hyper_ch> Here's the pastebin... seems something goes wrong but no real idea what... http://paste.debian.net/139217/
04:18 < mjkr> right tls auth and static keys
04:18 <@dazo> mjkr: well, you can use openvpn with tcp too ... but it can seriously give you a noticeable performance hit if you're having an unstable connection
04:18 < hyper_ch> damn it... fixed it I think.... stupid windows :)
04:19 < mjkr> well, it's the server operator's responsibility to find a stable ip transit.
04:19 <@dazo> mjkr: you can also use a full-blown PKI using CA signed X.509 certificates for authentication ... and you can extend with additional plug-ins, which can f.ex give you better network access control for your clients ... each client can have different firewall profiles
04:20 < mjkr> (there are well-maintained patches around for x509/pgp support in openssh)
04:20 <@dazo> mjkr: well, to some degree ... if you have road warriors travelling, you never know what kind of network they use
04:26 <@dazo> mjkr: you may very well make openssh tuntap stuff work well. But my experience is that it requires far more from the configuration than just setting up an openvpn tunnel. Using UDP+tun devices (not tap) gives you a nice routable subnet and it gives quite good performance out-of-the-box ... and depending on your requirements to security, you have much to choose between in openvpn.
04:27 <@dazo> (plus openvpn with tun drivers enables mobile/tablet devices as well as all major OSes, pretty much out-of-the-box)
04:27 <@dazo> s/tun drivers/tun devices/
04:28 < mjkr> i've done tls auth with tcp/udp before, but i think it doesn't hide openvpn's traffic fingerprint well enough.
04:28 < mjkr> straight blocking from my national firewall
04:28 <@dazo> tls-auth is about HMAC packet authentication ... not hiding the traffic
04:29 < mjkr> but yes, more options is always better
04:29 <@dazo> and the side effect with UDP is that the openvpn server can just drop UDP packets with the wrong signature
04:29 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Ping timeout: 252 seconds]
04:29 < mjkr> would be great though if you folks implement dtls for udp
04:29 <@dazo> and since there is no handshake, the port is considered closed by scanners
04:29 <@dazo> patches are welcome
04:30 <@dazo> but generally, we've not seen dtls providing enough benefits to provide such support yet ... however, there's been a lot of dtls cve security bugs too, which have never hit openvpn
04:31 < mjkr> that would depend on the library providing dtls
04:31 <@dazo> (openvpn intercepts the SSL packets and wraps them into its own containers, so it can be used over UDP ... otherwise SSL/TLS is strictly TCP)
04:32 < mjkr> ah, i see why i can't do openvpn over udp then
04:32 < mjkr> the traffic fingerprint is similar
04:34 < mjkr> plus, there are only very few dtls implementors
04:35 < mjkr> while tls is very common, and dtls 1.2 only brings the number down.
04:35 -!- cwillu_at_work [~cwillu@cwillu.com] has joined #openvpn
04:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
04:56 -!- defswork [~andy@141.0.50.98] has quit [Ping timeout: 245 seconds]
04:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:01 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
05:06 -!- Tracker [~tracker@m88.ip1.anvianet.fi] has quit [Ping timeout: 244 seconds]
05:37 -!- Netsplit *.net <-> *.split quits: mete, ribasushi, Latrina, Taftse|Mac
05:38 -!- Netsplit over, joins: Taftse|Mac
05:38 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Ping timeout: 250 seconds]
05:38 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 250 seconds]
05:39 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
05:39 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
05:40 -!- Netsplit over, joins: mete
05:41 -!- Netsplit over, joins: Latrina, ribasushi
06:03 -!- JackWinter [~jack@vodsl-4724.vo.lu] has quit [Remote host closed the connection]
06:05 -!- JackWinter [~jack@vodsl-4724.vo.lu] has joined #openvpn
06:06 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
06:16 -!- JackWinter [~jack@vodsl-4724.vo.lu] has quit [Quit: Konversation terminated!]
06:17 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-zvlhhgylcitxtcng] has quit [Quit: WeeChat 1.0.1]
06:21 -!- Denial [~Denial@5.80.234.73] has quit [Ping timeout: 264 seconds]
06:27 -!- JackWinter [~jack@vodsl-4724.vo.lu] has joined #openvpn
06:27 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Read error: Connection reset by peer]
06:41 -!- Manis_ [~Manis@gateway/tor-sasl/manis] has joined #openvpn
06:56 -!- Manis_ [~Manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
07:05 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
07:25 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
07:49 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 244 seconds]
07:55 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:59 < ljvb> anyone fsmiliar with the iffucial android client. hsving abysmal perf issues. ps, excuse tge mistskes, bumpy flight. snd no, its not the plsne wifi, priblem is over lte on nexus 6
08:00 < ljvb> wow... that was horrible.. too many typos... need better kbd
08:01 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:01 -!- kexmex [~kexmex@178.136.234.6] has quit [Max SendQ exceeded]
08:01 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:08 -!- nullie [~nullie@linode.nullie.name] has quit [Ping timeout: 250 seconds]
08:08 -!- nullie [~nullie@linode.nullie.name] has joined #openvpn
08:16 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Max SendQ exceeded]
08:16 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
08:22 < asper> hey guys. is it possible to automate the process of client certificate generation with easy-rsa? e.g. no prompting anymore
08:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
08:29 < asper> ahh i see no --interact
08:30 -!- defswork [~andy@mailhost.mirrormail.co.uk] has joined #openvpn
08:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:34 < ljvb> i prefer ssl-admin
08:34 < ljvb> better cert management
08:50 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
09:08 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
09:08 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
09:09 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
09:10 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
09:30 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Ping timeout: 244 seconds]
09:30 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:34 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:00 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
10:10 -!- Manis [~manis@gateway/tor-sasl/manis] has joined #openvpn
10:11 < Manis> !welcome
10:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:11 < Manis> !/30
10:11 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior by reading !topology
10:12 < Manis> hey, I'm trying to harden my OpenVPN config. If no tls-cipher is specified, what will be used?
10:12 < esde> huh
10:12 < esde> !hardening
10:12 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
10:12 < esde> read up on what tls-auth does first
10:13 < Manis> I have tls-auth set up.
10:13 < esde> ok?
10:13 < Manis> esde: What do you mean by ok?
10:14 < esde> RE: >If no tls-cipher is specified, what will be used? Read up on what tls-atuh does
10:14 < esde> *auth
10:14 < Manis> Yes? tls-auth adds HMAC, doesn't it?
10:14 < asper> !topology
10:14 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:15 < esde> Correct
10:16 < esde> If tls-auth is not present, you don't have the benefit of it.
10:16 < esde> Not sure how else to answer your question, really.
10:16 < Manis> So afaik OpenVPN first(?) does TLS for handshake and key exchange. So tls-auth authenticates the TLS session but the payload is encrypted, right?
10:16 < Manis> tls-auth is present in my setup.
10:17 < asper> is it possible to set openvpn up in a way such that no client can reach other clients except for one or two i specify? i want to have a network of nodes i want to administrate and don't want to ssh into the server first.
10:17 < esde> Manis, read the summation at the url provided in !hardening
10:18 < esde> asper, I've never done that but it sounds do-able. now that you've stated your goal, idle around and see if another user has any advice :)
10:20 < asper> thanks esde. i will start idling now! :D
10:26 -!- Manis [~manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
10:26 -!- Manis_ [~manis@gateway/tor-sasl/manis] has joined #openvpn
10:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
10:34 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
10:46 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
10:53 -!- Manis_ [~manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
10:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:12 -!- Manis [~manis@gateway/tor-sasl/manis] has joined #openvpn
11:13 -!- Latrina [~Latrina@ppp-39-38.26-151.libero.it] has quit [Ping timeout: 240 seconds]
11:16 < hyper_ch> hmmm, in dhcp you can normally set a certain ip range to not be used by the dhcp server ... is there a way to do that in openvpn?
11:16 < hyper_ch> e.g. provide ips if there's no ccd starting at x.x.x.101
11:19 <@krzee> you could stop using --server and set your own pool
11:19 <@krzee> see what --server does and emulate it, selecting the pool you want
11:19 <@krzee> its simply a helper directive, so make configuration far easier
11:19 <@krzee> s/so/to/
11:20 < hyper_ch> just had a collision case :)
11:20 < hyper_ch> made new certs
11:20 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
11:20 < hyper_ch> renamed the one of my comp
11:20 <@krzee> could also just assign static ips outside of the pool
11:20 < hyper_ch> and it promptly got assigned an ip reserved to another comp
11:21 < hyper_ch> and I wondered why it's not accepting my password again
11:21 <@krzee> in !policy in the howto they show an example where they assign ccd ips outside the ifconfig-pool
11:21 -!- stewi [~quassel@203.143.84.86] has quit [Quit: No Ping reply in 180 seconds.]
11:22 <@krzee> note that with that you may have additional routing to configure, if you have routing configured
11:22 < hyper_ch> that looks all so complicated and it seems only real gurus can achieve that (in other words, I'm too lazy and was hoping just for a simple configuration line )
11:22 <@krzee> vpns are advanced networking
11:22 < hyper_ch> vpns should be as simple as cooking noodles
11:22 <@krzee> it's easy, but requires understanding it and doing it
11:23 <@krzee> i dont cook ;]
11:23 < hyper_ch> you have a gf/wife to do it for you ;)
11:23 <@krzee> correct!
11:23 < hyper_ch> btw, I don't like android L :(
11:23 <@krzee> haven't seen it yet
11:23 < hyper_ch> in 4.4 you finally had separate encryption and screen unlock passwords
11:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:24 < hyper_ch> in L they seem to have improved the encryption mechanism
11:24 < hyper_ch> however you're back stuck to one password
11:24 <@krzee> no wayyyy
11:24 <@krzee> that's a huge step back
11:24 < hyper_ch> at least I couldn't figure out a way
11:25 < Manis> Android L is not supposed to make Android more secure.
11:25 <@krzee> did you try changing screen lock and seeing if the crypto pass stayed?
11:25 < hyper_ch> this guy did an analysis it seems.... however I think he misunderstood my question http://nelenkov.blogspot.ch/2014/10/revisiting-android-disk-encryption.html
11:25 <@vpnHelper> Title: Android Explorations: Revisiting Android disk encryption (at nelenkov.blogspot.ch)
11:25 <@krzee> Manis, is it supposed to make android *less* secure?
11:25 -!- Latrina [~Latrina@ppp-177-9.26-151.libero.it] has joined #openvpn
11:25 <@krzee> Manis, because what hyper_ch said is just that.
11:25 < Manis> krzee: Why not? Google doesn't make money by having a secure OS they can't get your data from
11:26 < hyper_ch> well, the encryption password seems to get padded to 16 chars and another 16 chars salt is added to it
11:26 <@krzee> encryption would not stop them, they operate while your phone is in use and unencrypted
11:26 <@krzee> invalid point.
11:26 < Manis> krzee: also Android L seems to be a step to make everything more animated, colourful and n00b-friendly :(
11:26 <@krzee> oh god
11:26 <@krzee> why android why!
11:27 <@krzee> if i wanted a windows phone i would have one
11:27 < Manis> krzee: Yes, sure. But why should they be interested in having good disk encryption? As long as they can put it on a feature-list, that's fine
11:27 < hyper_ch> krzee: what do you think of this: http://shop.geeksphone.com/en/phones/9-revolution.html
11:27 <@vpnHelper> Title: Revolution - Geeksphone (at shop.geeksphone.com)
11:28 < hyper_ch> seems like they can run pure linux
11:28 <@krzee> Manis, allowing proper passphrases separate from the screen lock code is not a crazy idea
11:28 <@krzee> im not asking for my choice of cipher, im just saying let us have proper passphrases
11:28 < Manis> krzee: Letting AOSP apps in AOSP and keep them updated is neither
11:29 < hyper_ch> because the root password is asked maybe once every few weeks
11:29 < Manis> *isn't either
11:29 < hyper_ch> while the screen unlock password is asked a few times every day
11:29 < hyper_ch> so have a strong root encryption password
11:29 < hyper_ch> and an "ok" password for screen unlock
11:29 < Manis> hyper_ch: that might be the reason. people tend to forget stuff they don't have to use all the time
11:29 <@krzee> numeric is acceptable for screen lock, not for crypto
11:30 <@krzee> having them default to your screen lock was acceptable, and solves that ^ (also is how android handled it in the past)
11:31 <@krzee> then those who know and care would change one of them
11:31 <@krzee> i would set a strong screen lock passphrase then encrypt then change screenlock, hyper_ch would encrypt with screen lock then change his crypto passphrase… end result was the same
11:32 <@krzee> hyper_ch, did L at least bring privacy guard?
11:32 < hyper_ch> that's a CM thing
11:32 <@krzee> that was originally a google thing iirc
11:32 < hyper_ch> really?
11:32 <@krzee> CM kept it, google didnt
11:32 < hyper_ch> I only checked L to see how it is
11:33 < hyper_ch> have it on my N4 now
11:33 < hyper_ch> but I'll replace it again with CM11
11:33 <@krzee> maybe theres a CM12 for it
11:33 < hyper_ch> no cm12 yet for the n4
11:33 <@krzee> werd
11:34 <@krzee> ill be interested to hear your thoughts on that sometime
11:34 <@krzee> cm usually gives less suck
11:34 < hyper_ch> I still don't like that CM gave an exclusive deal to some indian company when they knew OPO was going to ship to india
11:35 <@krzee> http://www.1mobile.com/appops-999442.html
11:36 <@krzee> hyper_ch, theres things i dont like about the cm business as well, i still like the project though
11:36 < hyper_ch> yes, same here
11:36 <@krzee> think of it like openvpn, theres a corp and a community… we're just lucky we like corp ;]
11:37 < hyper_ch> btw, you remember a while back, you had an idea for direct client-to-client communication....
11:37 < hyper_ch> did you ever follow up on it?
11:37 -!- Brutser [~Pete@d51A48718.access.telenet.be] has joined #openvpn
11:37 <@krzee> it recently got a post from a dev saying it sounds like a cool idea
11:37 <@krzee> cause after you mentioned it i decided to ask his opinion on it
11:37 <@krzee> https://forums.openvpn.net/topic141.html
11:37 <@vpnHelper> Title: OpenVPN Support Forum Idea for direct connections : Wishlist (at forums.openvpn.net)
11:37 < hyper_ch> there's a forum? oO
11:38 <@krzee> he says tinc uses a similar style to accomplish that
11:38 <@krzee> are you kidding?
11:38 < hyper_ch> (yes)
11:38 <@krzee> good :-p
11:38 < hyper_ch> well, asking the dev sound more like a wish on the bug tracker or something ;)
11:39 <@krzee> haha
11:39 < Brutser> for a client i want to setup openvpn connection, but if the connection would drop for whatever reason, i want to prevent it to fall back to default connection - so basically only allow traffic over the vpn tunnel. i have a limited (embedded) OS, so I cannot do anything fancy like firewall config - i could use proxy or something similar - any ideas?
11:39 <@krzee> wasnt asking him to do it, wrong dev for that request anyways
11:39 <@krzee> just wanted his opinion as hes a crypto guy
11:39 <@krzee> actually maybe not wrong dev for the request
11:40 <@krzee> but either way, its one of those things id need to do if i wanna see it, and i dont have the skills to implement it tbh
11:40 < hyper_ch> don't underestimate your skills :)
11:40 <@krzee> Brutser, i guess you could break routes, but really its a job for a firewall.
11:41 < Brutser> Yes I know, but xp embedded and not really look forward to run some 3rd party firewall on it
11:41 <@krzee> then maybe you should choose something more suited to your goal?
11:42 <@krzee> or run the firewall you dont look forward to...
11:42 < hyper_ch> ecrist is so negative in that forum thread :(
11:42 < Brutser> :) ok
11:42 <@krzee> on osx i use "little snitch"
11:42 <@krzee> then if an app starts communicating with something i haven't allowed, it pops up and asks what to do
11:43 < Brutser> yes something like that would do just fine
11:43 < hyper_ch> (sounds like zone alarm)
11:43 <@krzee> so if my proxifiers (over openvpn) die and im naked, i get popups not traffic
11:43 <@krzee> ya zone alarm is probably a more popular windows version
11:43 <@krzee> basically we're just talking outbound firewall
11:43 < hyper_ch> back in the old windows days, I used zone alarm
11:43 < Brutser> ok
11:43 <@krzee> in this case with fancy popups
11:44 < hyper_ch> (you never replied to syzzer's question)
11:44 <@krzee> we talked a bit off the forum
11:45 < Brutser> and a local proxy that routes traffic through the vpn tunnel? - then i could set proxy rules for the apps i want and if the connection dies, no traffic
11:45 < Brutser> or will that not work?
11:45 <@krzee> hyper_ch, i think the fact i posted the idea 5 years ago and theres no code submitted answers the question
11:45 < hyper_ch> well, you didn't have dev approval before dec 28, 2014 ;)
11:45 <@krzee> lol
11:46 <@krzee> i could set myself to developer on the forum and approve myself :-p
11:46 <@krzee> in fact, i set him to developer on there ;]
11:47 <@krzee> at first it called him an openvpn noob, which i found funny
11:47 <@krzee> since dude is mad skilled
11:47 < hyper_ch> those are not mutually exclusive terms ;)
11:47 < hyper_ch> one can be a developer and still be a noop ;)
11:47 <@krzee> well hes quite far from noob
11:48 < hyper_ch> I don't know :)
11:48 <@krzee> northern lights is mmm mmm good
11:48 <@ecrist> what did I do?
11:48 <@krzee> ecrist, broke the internets
11:49 <@krzee> you filled the tubez
11:49 < hyper_ch> ecrist: you forgot your post on the forum on may 21, 2009?
11:49 <@krzee> lol
11:49 < hyper_ch> "I don't think it's a great idea in many scopes."
11:49 <@ecrist> heh, apparently.
11:54 < hyper_ch> krzee: but syzzer pointed out, you don't need extra routes and stuff... so it should be a piece of cake to implement that ;)
11:54 <@krzee> hyper_ch, sweet, let us know when you have progress
11:55 < hyper_ch> you know that I do php... do you REALLY want to let me work on openvpn code?
11:55 <@krzee> nothing gets included without others going over it
11:56 < hyper_ch> they might get a brain stroke when they go over my code
11:56 < hyper_ch> you really wanna risk that?
11:56 < hyper_ch> bra
11:56 <@krzee> they made it through automake i think they can handle anything
11:56 < hyper_ch> s/stroke/meltdown/
11:57 <@krzee> they survived alonb they can handle you :-p
11:59 < hyper_ch> there are some weird sports in Nippon
12:10 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
12:10 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:94c3:c835:4c38:5077] has quit [Read error: Connection reset by peer]
12:10 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
12:10 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
12:10 -!- abbe [having@badti.me] has joined #openvpn
12:11 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 265 seconds]
12:12 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Remote host closed the connection]
12:12 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Remote host closed the connection]
12:13 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
12:13 -!- Manis [~manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
12:13 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 265 seconds]
12:13 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
12:13 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 265 seconds]
12:13 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
12:14 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 265 seconds]
12:14 -!- Yoderp [Yoda@unaffiliated/itsyoda] has quit [Ping timeout: 265 seconds]
12:14 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 265 seconds]
12:14 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 265 seconds]
12:15 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Read error: Connection reset by peer]
12:15 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
12:15 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Read error: Connection reset by peer]
12:16 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
12:16 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
12:16 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
12:17 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
12:17 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
12:17 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
12:17 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
12:17 -!- MacGyver [~macgyver@sog.polvanaubel.com] has quit [Ping timeout: 244 seconds]
12:19 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
12:19 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
12:19 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
12:21 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
12:21 -!- jefferai [sid1300@kde/mitchell] has quit [Read error: Connection reset by peer]
12:21 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
12:21 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
12:21 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:22 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
12:22 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
12:22 -!- mode/#openvpn [+o dazo] by ChanServ
12:26 -!- Brutser [~Pete@d51A48718.access.telenet.be] has quit []
12:26 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:27 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
12:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:30 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
12:31 -!- raeflondon [raeflondon@got.ourback.net] has quit [Ping timeout: 250 seconds]
12:37 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 245 seconds]
12:40 -!- mete [~mete@91.247.253.160] has joined #openvpn
12:45 -!- zune [~zune_free@188-180-61-96-dynamic.dk.customer.tdc.net] has joined #openvpn
12:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
12:47 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 240 seconds]
12:50 -!- mete [~mete@91.247.253.160] has joined #openvpn
12:50 -!- CivisUS [~CivisUS@208.80.0.1] has joined #openvpn
13:14 -!- `Yoda is now known as Yoderp
13:28 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
13:29 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
13:29 < hyper_ch> damn, I hate it when znc messes up channel order
13:36 -!- CivisUS [~CivisUS@208.80.0.1] has quit [Ping timeout: 256 seconds]
13:38 -!- Mike-- [mad@mx.probie.nl] has quit []
13:44 < asper> kind of a noob question: i want one machine which generates client keys and deploys them on them via local lan, the clients are then shipped out into the world. i want a separate vpn server. do i have to put the database of clients to the vpn server, or does it accept incoming connections plainly because they are signed by the ca?
13:46 -!- Manis [~manis@gateway/tor-sasl/manis] has joined #openvpn
13:46 -!- Manis [~manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
13:50 < hyper_ch> signed by ca is fine... no need to keep the db on the vpn server
13:50 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
13:50 < hyper_ch> however if you revoke certs, that file has to be copied to the vpn server then
13:51 < asper> ok, but thats one file per revoke then?
13:52 < hyper_ch> not with easy rsa
13:52 < hyper_ch> not sure if there's another way
14:00 < asper> well, doesn't matter. the question is answered, thank you!
14:03 -!- Henryabcd [~Henryabcd@pD9E0B82D.dip0.t-ipconnect.de] has joined #openvpn
14:15 -!- Brutser [~Pete@d51A48718.access.telenet.be] has joined #openvpn
15:01 -!- Henryabcd [~Henryabcd@pD9E0B82D.dip0.t-ipconnect.de] has quit [Quit: Leaving]
15:02 -!- Manis [~Manis@gateway/tor-sasl/manis] has joined #openvpn
15:03 <@dazo> hyper_ch, asper: The CRL is a signed file with a list of serial numbers, basically ... CRLs usually expires and the content is replaced whenever it is renewed - with or without any additional revokes since last time
15:03 < hyper_ch> expires? how?
15:03 <@dazo> CRLs can have expiry dates ... however, openvpn/openssl doesn't necessarily stop using it if it has expired
15:04 < Manis> Hi. Can OpenVPN 2.3.6 use "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" as a tls-cipher? Whenever I add that line to the servers conf, I can't connect anymore.
15:04 <@dazo> Manis: mostly depends on your SSL library ... check with openvpn --show-ciphers and --show-tls
15:04 < hyper_ch> dazo: I don't believe in expiration dates :)
15:04 <@dazo> :)
15:05 < Manis> dazo: I copied that line out from `openvpn --show-tls`
15:05 < hyper_ch> ok, I make the certs usually valid for 36500 days
15:05 < hyper_ch> I'll probably expire before the cert
15:05 <@dazo> Manis: then it should work with --tls-cipher ... but both server and client must support the same ciphers
15:07 <@dazo> --tls-cipher and --cipher options must be identical on both server and client configs, that is ... plus a few others as well, such as --comp-lzo, --{link,tun}-mtu, --fragment, --mssfix etc
15:07 * dazo need to run
15:07 < Manis> dazo: I have just checked again on the client. It's also supported there. I don't have the link anymore, but I read earlier that openvpn suggests ciphers that openssl supports but not openvpn itself.
15:08 <@dazo> Manis: if it did ... that's hopefully corrected in openvpn 2.3.x ;-)
15:08 <@dazo> but it's easy to check ... if it works, it works ;-)
15:08 < Manis> dazo: Don't wanna keep you from running, but both client and server are running 2.3.6
15:08 < Manis> dazo: It doesn't work. That's the problem ;-)
15:09 <@dazo> ahh ... okay, then we need log files with --verb 4 ... and try to grab syzzer or plaisthos ... they're quite into these code paths in openvpn :)
15:10 * dazo runs :)
15:10 * Manis hopes dazo doesn't fall over
15:10 -!- dazo is now known as dazo_afk
15:16 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
15:19 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
15:21 <@syzzer> Manis: that will only work if you enable TLS version negotiation
15:21 <@syzzer> so add 'tls-version-min 1.0' to your config
15:21 < hyper_ch> running increases the risk of accidents
15:22 <@syzzer> (at both ends)
15:22 < Manis> syzzer: What is it using without that line?
15:22 <@syzzer> fixed at TLS 1.0
15:22 <@syzzer> which has nog support for SHA256
15:22 <@syzzer> *no
15:23 < Manis> syzzer: So you actually mean to add "tls-version-min 1.2"?
15:23 <@syzzer> well, you could indeed do that, and then leave out the tls-cipher stuff
15:23 <@syzzer> the tls-cipher stuff is far too error-prone if you ask me
15:24 < Manis> syzzer: I'm confused. As TLS 1.0 doesn't support SHA256, and I set the minimum to 1.0 it still doesn't support SHA256?! Or does tls-version-min enable TLS 1.2?
15:24 <@syzzer> yes, that is quite confusing
15:25 < Manis> syzzer: Yes. Why isn't TLS 1.2 enabled by default?
15:25 <@syzzer> setting tls-version-min will enable negotiation
15:25 <@syzzer> we did that in 2.3.3, but then a lot of people came complaining with broken setups
15:26 < Manis> syzzer: Oh man :( So annoying that default settings have to be awful always simply to keep idiots quiet :(
15:26 <@syzzer> broken firewalls, external software, also broken pieces of our own code, so we decided to postpone default enabling it to 2.4
15:26 < esde> yeah tls 1.2 isnt compatible with a few of my ovpn clients
15:26 < esde> im stuck on 1.0 too atm
15:26 < Manis> esde: Which ones do you use?
15:26 <@syzzer> in the mean time we are fixing our own stuff, hoping for others to do the same and see if adoption is better by the time we release 2.4
15:27 < esde> hell if i know. i just know i got complaints when i set min to 1.2
15:27 < Brutser> trying to figure out what (free) firewall to use on windows xp embedded, i need to allow only vpn traffic, so if vpn server would go down, normal internet access is not allowed - but i want the firewall to use minimum resources - any suggestions?
15:27 < Manis> esde: Complaints from whom? Are you running commercial VPNs?
15:27 < esde> nuke windows and install pfsense
15:27 < esde> nunya :)
15:27 <@syzzer> Manis: but if you control both your servers and clients, there's not much reason to set your tls-version-min higher than 1.0, or specify --tls-cipher, as TLS will automatically pick the strongest available cipher for you
15:28 <@syzzer> and unlike browsers, openvpn is not vulnerable to TLS rollback
15:29 < Manis> syzzer: Hmm.
15:29 < Manis> syzzer: I definitely wanna use TLS 1.2. TLS 1.0 is just ancient and we have to move away from it imho.
15:30 -!- Brutser [~Pete@d51A48718.access.telenet.be] has quit []
15:30 <@syzzer> setting 'tls-version-min 1.0' will give you that :)
15:30 < Manis> syzzer: min 1.2 also :D
15:31 <@syzzer> true, until you visit that hotel with the crappy firewall which blocks 1.2...
15:31 <@syzzer> at that point you wish you had at least 1.0 at your disposal ;)
15:31 < esde> or at least ssh access to the openvpn server ;)
15:31 < Manis> syzzer: Wat? They block TLS versions?!
15:31 < Manis> esde: I can only access SSH through VPN :P
15:32 <@syzzer> I've never encountered it before, but there were reports about such things, yes
15:32 < esde> yuck
15:32 < Manis> ouch
15:32 <@syzzer> I don't even think it's on purpose, but just too-strict 'default deny'
15:33 < esde> i personally believe it's the goal of hotels to make complimentary internet as unusable as possible.
15:33 < Manis> esde: Is that a conspiracy?
15:34 < esde> hell if i know. nowadays i bring my own hardware and dont worry about it
15:34 < Manis> I have to say though that I never use their internet. I don't use public internet at all if I can.
15:34 < esde> o_0
15:34 * esde asks Manis for some private internet
15:35 < Manis> esde: I meant hotspots and all that kinda "here's some free internet, take it" services
15:35 < Manis> even my university's Wi-Fi is horrible
15:36 < esde> comcast just launched free Wi-Fi at universal in orlando, shit-tier
15:36 < Manis> I don't know what they did, but something with multicast is definitely broken. My mDNSResponder is logging like an idiot and my logs are going into the gigabytes
15:37 < Manis> are you guys using tun or tap? #justwonderin
15:37 < esde> !tun
15:38 < Manis> esde: is that a "not-tun"?
15:38 < esde> !tunortap
15:38 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
15:38 <@vpnHelper> rooted/jailbroken) support only tun
15:38 < esde> there we go
15:39 -!- mattock is now known as mattock_afk
15:39 < Manis> Yeah, I know, but I can't decide what to use. Somehow I like to transport Layer 2, but I don't have a specific case for which I would want to use it
15:40 < esde> >but I don't have a specific case for which I would want to use it + >remember layer2 has no security = why would you want to?
15:40 < Manis> does layer 3 have security?
15:41 < esde> https://en.wikipedia.org/wiki/OSI_model
15:41 <@vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org)
15:43 < Manis> esde: What do you want to tell me? That tun is Layer 4?
15:43 < esde> I'm not trying to tell you anything
15:43 < esde> im trying to give you the resources to learn for yourself
15:43 < Manis> that's nice but I'm still confused ;)
15:44 -!- Brutser [~Pete@d51A48718.access.telenet.be] has joined #openvpn
15:44 < esde> exactly
15:44 < esde> if i tell you something, and you dont understand it, whats the point
15:44 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 265 seconds]
15:44 < esde> lead a horse to something or another
15:44 < Manis> by telling I meant "what's your message"
15:44 < Brutser> really confused me, but when i install openvpn client (2.3.6-I001-i686) - why is the installer trying to connect to 2 different servers?
15:45 < esde> !configs
15:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:45 < Manis> Brutser: Are you using Windows?
15:45 < Brutser> yes
15:45 < Brutser> 205.234.175.175 and 93.184.220.29
15:45 < Brutser> strange that an installer would try to connect anywhere no?
15:46 < Manis> Brutser: I think you have to ask the guy who's created the installer, but maybe someone else knows it
15:46 < Manis> Brutser: It seems to be a new trend to ship small installers and then download the payload/application at runtime.
15:46 < Brutser> That is not the case here
15:46 < esde> !crystal
15:46 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
15:46 < Brutser> The installer installs perfectly well offline
15:47 < Brutser> Just I was testing some firewall settings and then I noticed when I click the executable, it tries to connect to the IPs I mentioned
15:47 < Manis> Brutser: Have you run Wireshark and checked what it transferred?
15:47 < Brutser> No, not yet
15:48 < Brutser> I was confused and came here :)
15:48 < esde> Brutser, if you're seeking help, heed the advice given by vpnHelper. Else, you're wasting your time really.
15:49 < Manis> Brutser: I'm not using Windows and I don't think esde is, so we can't tell you what the installer is trying to do.
15:49 < Brutser> esde: vpnHelper? I just think it is strange that a security product just contacts different servers without telling the user
15:49 < esde> ...
15:49 < Manis> Brutser: the first IP you mentioned is cachefly and the second seems to be edgecast.
15:50 < Manis> Brutser: If you don't like that behavior you should probably stop using Windows.
15:50 < Brutser> Yes, i searched it immediately of course
15:50 < Brutser> What does Windows have to do with openvpn installer??
15:50 < esde> Brutser, in the time you've been here, we still have yet to receive any logs, configs, or really anything relevant from which we could help you
15:50 < Manis> Brutser: You misunderstood me. I wanted to say that most installers are phoning home these days. You're lucky if they don't install Ask toolbar :P
15:51 < Brutser> :) well that is true, but for a security product such as openvpn, i still think it is strange
15:51 < Manis> esde: Do you know what his problem is? What logs do you think he should provide?
15:51 < esde> Brutser, did you download the installer from http://openvpn.net/index.php/open-source/downloads.html?
15:51 <@vpnHelper> Title: Downloads (at openvpn.net)
15:51 < Manis> Brutser: For a VM such as JVM it's also quite embarrassing ;-)
15:52 < Brutser> yes downloaded from official site openvpn.net
15:52 < Brutser> anyway, i think it is strange
15:52 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
15:52 -!- mode/#openvpn [+v RBecker] by ChanServ
15:52 < esde> then maybe you've got some hostile party intercepting your downloads, have you checked the signature?
15:52 < esde> http://openvpn.net/index.php/open-source/documentation/sig.html
15:52 <@vpnHelper> Title: File Signatures (at openvpn.net)
15:54 * esde gotta run, good luck!
15:54 < Manis> esde: bye
16:02 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
16:05 < Brutser> Manis: you still here?
16:08 <@syzzer> Brutser: I think it's strange too. But without more information I can't help you either. I've seen a bit of the installers, and afaik there's nothing in there that should call home.
16:08 <@syzzer> only thing I can come up with is that the installer and drivers are signed, perhaps windows is looking for CRLs?
16:09 <@syzzer> those could be distributed over something like cachefly
16:09 < Manis> Brutser: yes
16:09 < Brutser> syzzer: i got confirm that the download from 2 days ago was not showing this behaviour!
16:09 < Brutser> i don't want to think this is something big, but it can be...
16:10 <@syzzer> did you check signatures?
16:10 < Brutser> i want to, but i dont know how exactly
16:10 < Manis> Brutser: I think it would really help if you could run Wireshark and filter by those two IPs.
16:11 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:11 < Brutser> Manis: I will also setup virtualbox to do this, but it would be nice if at least someone download the installer too and check
16:11 <@syzzer> Brutser: do you have any *nix hosts at your disposal? in that case just run shasum on both
16:12 < Brutser> i got some centos server running
16:12 < Manis> Brutser: I can download it and check the signatures, but I can't tell you if the installer has that behavior
16:13 <@syzzer> same here, no windows host available atm
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:18 < Manis> syzzer: Should I add "client" to the client's conf? I can't find out what it is supposed to do
16:19 <@syzzer> Manis: yes. Client is basically a 'macro' that expands to 'pull' and 'tls-client'
16:19 <@syzzer> see the man-page :)
16:20 < Manis> So I can remove pull and tls-client when I have client?
16:20 <@syzzer> correct
16:20 < Manis> OK. Cool
16:20 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Remote host closed the connection]
16:21 < Manis> so annoying I don't have the man page installed.
16:22 < Manis> oh. i found it online \o/
16:23 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
16:31 < Brutser> Manis and syzzer: sorry for the time, but it seems my IE has been hijacked and is injecting code into each executable I download
16:31 < Manis> Brutser: Ouch. Now, why exactly are you using IE?
16:31 <@syzzer> oh, wow...
16:31 < Manis> Brutser: Are you using Tor by chance?
16:31 < Brutser> I am actually using Firefox - but in the virtualbox I was using IE for download
16:32 < Brutser> No, not using TOR
16:32 < Manis> It's "Tor"
16:32 < Manis> I was asking because recently there was a similar behavior of some exit nodes
16:32 < Brutser> Oh, I am using Tor yes
16:32 < Brutser> :)
16:32 < Brutser> No, just kidding
16:32 <@syzzer> Brutser: can you check whether windows still accepts the installer signature? (right click > properties > digital signatures)
16:33 <@syzzer> (because that mechanism is supposed to protect you from exactly this stuff...)
16:34 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Max SendQ exceeded]
16:34 < Brutser> yes it is pretty clever virus it seems
16:35 < Manis> for windows to accept a signature, don't you just have to have a valid certificate from some corrupt CA?
16:35 < Manis> Windows is known to have such clean Root CA lists :D
16:36 <@syzzer> well, the CA system is pretty broken, yes, but it should still succeed in detecting this ;)
16:36 < Brutser> well i started to think about this, then download some simple freeware executable and yes, after start, explorer.exe try to communicate with 178.255.83.2 now
16:37 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
16:37 < Manis> syzzer: Did Brutser verify who was written to be the author/publisher?
16:38 <@syzzer> !crystal
16:38 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
16:38 <@syzzer> :p
16:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:40 < Manis> It was more like a question to Brutser
16:40 < Manis> Also it would be interesting to know which CA signed the certificate.
16:42 < Brutser> I am now first scanning the virtualbox with some AV
16:43 <@syzzer> I don't think it is something in the binaries actually, since it is explorer.exe which is making the connections (but, I have to dig deep into my windows memories, it's been a while...)
16:43 < Manis> As if AV's would help :P
16:44 < Brutser> they will not help, but at least i can see if they find anything
16:44 < Manis> syzzer: It might be anything.
16:44 <@syzzer> so could be some AV-like service, checking fingerprints or signatures
16:44 <@syzzer> and actually, yes, Manis is correct, for now it could be almost anything...
16:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
16:45 < Brutser> well if i download same executable on my host system, executing this file does not give any external connection
16:45 < Manis> Brutser: If I were you I'd go and get Debian ;-)
16:45 < Brutser> only if I download from the virtualbox IE
16:46 < Brutser> yes, but still need IE for testing in virtual environment anyway, so yea
16:46 < Manis> Brutser: Does your IE have a Proxy set?
16:47 < Brutser> no
16:47 < Brutser> :) hehe, so many other things planned, but i know already now this will keep me awake :)
16:48 < Manis> Brutser: I know that feeling ;-) I'm hardening my OpenVPN :P
16:48 < Brutser> That is on my list too
16:48 < Manis> Oh good luck trying to make it NSA safe :P
16:49 < Brutser> I wanted to make windows xp embedded to be forced to only use VPN tunnel, so was testing some firewalls, then saw the connections and bam, another ' problem ' :)
16:50 < Manis> Brutser: Doesn't --redirect-gateway route all the traffic through the VPN on Windows?
16:53 < Brutser> yes, but windows have this tendency that when the connection times out, it will use the isp gateway again
16:53 < Manis> use keepalive?
16:54 < Manis> Or set a system-wide proxy. Tor e.g.
16:55 < Brutser> yea
16:55 < Manis> Then most applications will only use Tor. So you only have to run a Tor relay on your VPN server and most applications will only go online through VPN :P
16:55 < Brutser> well it all has to do with windows, it has some strange behaviour now and then
16:55 < Manis> now and then? hmm, well
16:55 < Brutser> :)
16:56 < Brutser> vpn icon shows connection is alive to user, but it is using the isp connection all the time
16:56 < Brutser> things like that happen
16:56 < Brutser> unless you set rules on outgoing connection
16:56 <@syzzer> Brutser, you are aware of def1?
16:56 <@syzzer> !def1
16:56 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
16:56 < Manis> hmm. Well, they can happen on any system, but I haven't had that so far
16:57 < Manis> syzzer: But syzzer wants to wipe out the default gateway
16:57 <@syzzer> that was added specifically because windows will override your default gateway after a new dhcp response
16:57 < Brutser> exactly what manis says
16:58 < Brutser> i am using def1
16:58 < Brutser> but it will still go back to original gateway
16:58 < Brutser> outgoing fw rule will help
16:58 < Manis> isn't the point of def1 to keep the default gateway? Or am I misunderstanding vpnHelper
16:58 < Manis> ?
16:58 < Brutser> but winxp embedded does not have outgoing firewall
16:59 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
16:59 <@syzzer> the point is that it will overrule the default gateway, so windows can reinstate its default gateway, but traffic will still go over the vpn
17:00 < Brutser> well in some circumstances it will fall back to the original gw
17:00 <@syzzer> before 0.0.0.0/1 is preferred over 0.0.0.0/0 (or 'default gateway')
17:00 < Brutser> dont ask me why
17:00 < Manis> that might work if you make sure that the routes stay when disconnecting
17:00 < Brutser> yes but then i need to trigger the disconnect event
17:00 < Brutser> dont know how
17:01 < Manis> it seems btw that Tunnelblick does def1 by itself. I haven't set it in my conf but it still creates a 0/1 route
17:01 <@syzzer> ah, right, you want to block any connections, also when vpn is shut down. firewall it is then.
17:01 < Manis> syzzer: That's what he wants.
17:01 < Brutser> yes, system should not work if vpn tunnel not active
17:01 < Manis> Brutser: I think you will have to use a 3rd party firewall
17:01 < Brutser> manis: yes i am afraid i have to
17:02 < Brutser> so that is what i was testing when i found the malware on my virtualbox
17:02 < Manis> actually this just brought a new idea to my mind
17:02 < Manis> I will have to keep an eye on my routing table and check when the routes are being removed
17:03 <@syzzer> Manis: did the tls-version-min work for you btw?
17:03 < Manis> syzzer: Yes, it worked :)
17:03 <@syzzer> ok, cool!
17:03 < Manis> Next will be client certs :)
17:04 < Manis> but not today. too late already
17:04 < Manis> cya
17:04 <@syzzer> yep, same here. time for bed!
17:04 <@syzzer> cya
17:05 -!- Manis [~Manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
17:05 < Brutser> good night all
17:09 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:51 -!- tobinski [~tobinski@x2f58ee7.dyn.telefonica.de] has quit [Quit: Leaving]
18:10 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:19 -!- esde [~esde@unaffiliated/esde] has quit [Quit: .]
18:55 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
19:48 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Quit: Leaving]
19:57 -!- Brutser [~Pete@d51A48718.access.telenet.be] has quit []
20:00 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Read error: Connection reset by peer]
20:01 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:14 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
20:15 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
20:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
20:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
21:06 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 264 seconds]
21:08 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Quit: bbl]
21:10 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
21:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:01 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
22:23 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
22:50 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:08 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
23:32 -!- ShadniX [dagger@p5481D560.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:33 -!- ShadniX [dagger@p5DDFDCA5.dip0.t-ipconnect.de] has joined #openvpn
23:35 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Remote host closed the connection]
23:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
--- Day changed Tue Jan 06 2015
00:32 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
00:46 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:46 < svm_invictvs> Hello
01:20 -!- master_of_master [~master_of@p4FD7BB4A.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_o1_master [~master_of@p4FF24AC0.dip0.t-ipconnect.de] has quit [Ping timeout: 256 seconds]
01:31 -!- mattock_afk is now known as mattock
01:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
02:01 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:01 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:10 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
02:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
02:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
02:49 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:10 -!- JackWinter [~jack@vodsl-4724.vo.lu] has quit [Ping timeout: 250 seconds]
04:15 <@plaisthos> dazo_afk, Manis: iirc, with the SHA256 in that cipher it is a tls 1.1 or tls 1.2 cipher
04:16 <@plaisthos> which means both client and server need to have tls 1.1 and 1.2 support
04:16 <@plaisthos> which is a recent 2.3.6 client
04:16 <@plaisthos> or -master
04:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
04:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
04:21 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:37 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
04:45 -!- JackWinter [~jack@vodsl-9585.vo.lu] has joined #openvpn
05:10 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:12 -!- JackWinter [~jack@vodsl-9585.vo.lu] has quit [Ping timeout: 244 seconds]
05:22 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
05:28 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
05:38 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Remote host closed the connection]
05:39 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
05:44 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:11 -!- dazo_afk is now known as dazo
06:21 -!- sheepman [~sheepman@unaffiliated/sheepman] has joined #openvpn
06:22 < sheepman> hi all, are comments permitted in ccd files?
06:30 -!- JackWinter [~jack@vodsl-9520.vo.lu] has joined #openvpn
06:32 < sheepman> they are :)
06:32 < sheepman> i'll stop being lazy kthxbai
06:32 -!- sheepman [~sheepman@unaffiliated/sheepman] has left #openvpn []
06:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
06:40 -!- ccha [~ccha@unaffiliated/ccha] has joined #openvpn
06:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:42 < ccha> hello I configured my openvpn with dev tap. Client side got the tap ip, but client can't ping openvpn's local ip address, nor other lan addresses
06:43 < ccha> how can I check what is wrong with my configuration ?
06:43 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
06:46 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Read error: Connection reset by peer]
06:53 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
06:55 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
06:57 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
06:59 < ccha> my openvpn server is inside the LAN
07:00 < ccha> is server_bridge_ip my LAN gateway ip? or my openvpn server LAN ip ? both are different servers
07:06 < hyper_ch> why do you want to use tap?
07:06 < hyper_ch> !tap
07:06 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
07:06 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
07:14 < ccha> hyper_ch: because I don't want my openvpn server with a lot of routing rules, and I want to install openvpn on my router.
07:19 < esde> !bridging
07:19 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
07:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 250 seconds]
07:20 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
07:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
07:27 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
07:34 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Ping timeout: 252 seconds]
07:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
08:01 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
08:12 -!- jl- [~lao@c-174-60-71-232.hsd1.pa.comcast.net] has joined #openvpn
08:13 < jl-> is it problematic if my subnet mask is 255.255.255.x at both the local (work) and the remote (vpn-server) network?
08:18 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
08:19 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:33 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
08:41 -!- tobinski [~tobinski@x2f583d9.dyn.telefonica.de] has joined #openvpn
08:49 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
08:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:59 -!- dazo is now known as dazo_afk
09:00 -!- dazo_afk is now known as dazo
09:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:07 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
09:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:31 -!- ratsupremacy [~antihero@37.139.5.204] has quit [Remote host closed the connection]
09:32 -!- ratsupremacy [~antihero@37.139.5.204] has joined #openvpn
09:59 <@dazo> jl-: no, subnet shouldn't normally cause any issues .... it's the network range (where the size of the range is defined by the subnet mask) which can cause troubles if they overlap
10:01 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
10:01 <@dazo> so: 192.168.0.0/24 and 192.168.1.0/24 would be no problem. (/24 == 255.255.255.0)
10:02 <@dazo> however: 192.168.0.0/23 and 192.168.1.0/23 will cause issues ... as they will be the same network
10:02 <@dazo> (/23 == 255.255.254.0)
10:21 < hyper_ch> subnets, masks, networks..... all super complicated :)
10:22 < hyper_ch> maybe when I grow old I'll finally get the hang of it
10:52 -!- Arr0way [~Arr0way@unaffiliated/arr0way] has joined #openvpn
10:54 < Arr0way> Guys, I'm getting constant stalls when trying to transfer files using multiple protocols. WAN Router => Switch => pfsense => OpenVPN Servers. I've tried tweaking MTUs etc, no effect.
10:54 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
10:54 < hyper_ch> iperf or I don't believe it
10:54 < Arr0way> so iperf through the tunnel ?
10:54 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
10:55 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
10:55 < ShotokanZH> hi guys :)
10:56 < ShotokanZH> i'd love some help in configuring a fresh install with openvpn
10:56 < hyper_ch> !howto
10:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:56 < Arr0way> ill set that up now.
10:56 < ShotokanZH> hyper_ch, thx
10:56 < ShotokanZH> hyper_ch, what i ask btw is:
10:57 < ShotokanZH> is it compatible with ksplice/oracle uptrack?
10:57 < ShotokanZH> as openvpn-as isn't
10:57 < hyper_ch> !as
10:57 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
10:57 < ShotokanZH> hyper_ch, oh please i'm not talking about openvpn-as
10:57 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
10:57 < hyper_ch> reflex :)
10:58 < hyper_ch> isn't ksplice real-time kernel patching?
10:58 < esde> yes
10:58 < ShotokanZH> hyper_ch, yep
10:58 < hyper_ch> I fail to see how that's related to openvpn
10:58 < esde> same here
10:58 < ShotokanZH> hyper_ch, openvpn-as fails to start (or re-start) if uptrack version is != than kernel version
10:59 < ShotokanZH> hyper_ch, so i don't know if this happens on openvpn too
10:59 < esde> != does not equal less than or greater than.
10:59 < jl-> dazo: thx
10:59 < ShotokanZH> esde, uptrack version can be only greater obv..
11:01 < hyper_ch> I still fail to see how that's related to openvpn
11:01 < hyper_ch> but maybe that's just me
11:01 < ShotokanZH> hyper_ch, i'm just asking if anyone here does use openvpn with ksplice so it can confirm that after a openvpn service restart everything goes well
11:01 < ShotokanZH> :)
11:01 < esde> obviously? you wrote an illogical statement. How exactly would an uninformed user be able to know you (obviously) meant greater than if that's not what you wrote.
11:01 * esde shrugs
11:02 < hyper_ch> krzee: https://twitter.com/__apf__/status/551083956326920192
11:02 <@vpnHelper> Title: Adrienne Porter Felt on Twitter: "hey @Gogo, why are you issuing *.google.com certificates on your planes? http://t.co/UmpIQ2pDaU" (at twitter.com)
11:02 < esde> it's sad people have to ask
11:02 < hyper_ch> or rather: http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/
11:02 <@vpnHelper> Title: Gogo issues fake HTTPS certificate to users visiting YouTube | Ars Technica (at arstechnica.com)
11:02 < esde> public reason: load balancing
11:02 < esde> real reason: ?????
11:03 < hyper_ch> ShotokanZH: it's simple to try it :)
11:03 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
11:03 < jl-> so after connecting successfully, I now have 2 active Local Area Connections. the TAP-Adapter and the regular one. does the TAP adapter take over the regular one?
11:03 < jl-> or how do they interact?
11:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:04 <@dazo> ShotokanZH: openvpn-as and the community version of openvpn are two very different products ... ask in #openvpn-as for ksplice on openvpn-as ....
11:04 <@dazo> ShotokanZH: but the core openvpn component (which the community edition is all about) doesn't care about kernel versions
11:04 < ShotokanZH> esde, uptrack downloads updates of the currently running kernel so how can it be older?
11:05 * esde whoooooooosh
11:05 < ShotokanZH> dazo, in #openvpn-as replied that they just don't know why it does that, so i'm trying to switch to basic openvpn
11:06 <@dazo> ShotokanZH: you'll lose a lot of functionality (like the web admin) by doing that ... openvpn-as uses the core openvpn we have here, but adds a lot of additional stuff around it
11:07 <@dazo> jl-: it depends on your routing table .... you can tell your OS to route everything via the tunnel, or just some subnets
11:07 < ShotokanZH> dazo, i don't really care i'd just love to see it working with my pcs :) (1 user)
11:07 < ShotokanZH> also, does it fill the iptables table with a lot of rules like openvpn-as i suppose?
11:07 <@dazo> (openvpn can assist setting up these routes, using --route)
11:07 <@dazo> ShotokanZH: nope
11:08 < ShotokanZH> dazo, good, great.
11:09 <@dazo> The core OpenVPN piece does only one thing ... allow users to connect, authenticate users and tunnel data ... nothing more. But it can be extended by using script hooks or --plugins
11:10 <@dazo> jl-: If you're new to VPN and/or networking .... please read !tcpip ... to do VPN, you do need to understand networking quite well, no matter what ... otherwise, it'll just mess up your life badly ;-)
11:10 <@dazo> !tcpip
11:10 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
11:10 * dazo need to run
11:10 < hyper_ch> "to do VPN, you do need to understand networking quite well" -> I still fail pretty badly on this point
11:11 -!- dazo is now known as dazo_afk
11:11 < hyper_ch> dazo: running heightens your risk of having an accident
11:13 < esde> especially with scissors
11:16 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
11:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:24 -!- hmmhesays [~hmmhesays@64.135.116.184] has joined #openvpn
11:25 < Arr0way> hyper_ch: iperf looks alright :s
11:25 < Arr0way> any suggestions
11:27 < hyper_ch> all is well then :)
11:27 < Arr0way> hyper_ch: well all is not well, connections are stalling.
11:28 < hyper_ch> that's just what they want to make you believe
11:28 < Arr0way> haha
11:28 < Arr0way> if i scp a file it stalls :P
11:28 < hyper_ch> then rsync it
11:28 < hyper_ch> rsync --stats --progress
11:29 < Arr0way> its not just scp
11:29 < Arr0way> its all protocols
11:29 < ShotokanZH> hyper_ch, how much time do i have to wait for the ./build-dh script? lol
11:29 < ShotokanZH> it's like 5 minutes as of now
11:30 < ShotokanZH> on an octacore 2.4GHz server
11:30 < hyper_ch> 4096 bit?
11:30 < ShotokanZH> 2048
11:30 < hyper_ch> you don't have to wait nearly as long as for 4096 bit
11:30 < ShotokanZH> it's a huge lot as of now :/
11:31 * hyper_ch heard that empires raise to power and vanish into nothingness while it's generating a 4096bit dh file
11:31 < hyper_ch> rise
11:31 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
11:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:35 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
11:37 < hyper_ch> krzee: https://stribika.github.io/2015/01/04/secure-secure-shell.html
11:37 <@vpnHelper> Title: Secure Secure Shell (at stribika.github.io)
11:38 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
11:44 < ShotokanZH> hyper_ch, does openvpn use multiple threads like openvpn-as, one for every core?
11:45 < hyper_ch> I have no idea
11:45 < hyper_ch> and I have plenty of that
11:45 < ShotokanZH> ok :)
11:45 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:46 < ShotokanZH> hyper_ch, and can i put as cipher something like AES256+EECDH ?
11:47 < ShotokanZH> or it does support a single one only
11:47 < hyper_ch> I've heard of AES and ECHR before
11:48 < ShotokanZH> hyper_ch, try running openssl ciphers AES256+EECDH;
11:48 < hyper_ch> I've heard rumors that if you do that you could make the universe implode
11:49 < ShotokanZH> hyper_ch, it's actually the most secure & retro-compatible configuration for https web servers
11:49 < ShotokanZH> valued 100/95/100/100 on qualys
11:49 < ShotokanZH> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA
11:49 < ShotokanZH> :)
11:57 < ShotokanZH> hyper_ch, what about a nice openvpn client for windows?
11:57 < ShotokanZH> gui is preferred
11:57 < ShotokanZH> :)
11:57 < hyper_ch> the one provided on the openvpn page
11:57 < hyper_ch> maybe
11:57 < ShotokanZH> hyper_ch, sucks a lot :<
11:58 < ShotokanZH> i'm gonna try tunxten
11:58 < hyper_ch> which is strange that you say that since it runs perfectly well
11:58 < ShotokanZH> hyper_ch, it does run well
11:58 < ShotokanZH> but it's completely guiless
11:59 < hyper_ch> it's strange, I see a gui with buttons and stuff
11:59 < ShotokanZH> o.o
11:59 < ShotokanZH> can you link it?
11:59 < hyper_ch> link what?
12:13 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
12:14 -!- Uber-Ich [~qi@unaffiliated/uber-ich] has joined #openvpn
12:15 < Uber-Ich> Out of curiosity, is OpenVPN often blocked by Comcast? I am unable to connect to my VPN from a vacation rental, which uses Comcast wifi.
12:19 < hyper_ch> let me fetch my magic crystal ball and do mind-read over the internet to the comcast execs
12:19 < Uber-Ich> hyper_ch: That would be fantastic :P I am from Europe, and therefore am unfamiliar with the state of VPN usage in the United States.
12:20 < hyper_ch> isn't everybody from Yrope?
12:20 < Uber-Ich> Ebola-chan is mai waifu, and she is from Africa :3
12:21 < esde> !crystal
12:21 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
12:22 < hyper_ch> how come I don't recall having seen that factoid before?
12:24 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Remote host closed the connection]
12:24 < esde> !download
12:25 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
12:25 < esde> ShotokanZH, you can download the windows client (gui) at the link above
12:25 < ShotokanZH> esde, ty
12:25 < esde> np
12:26 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
12:30 < ShotokanZH> esde, so.. what if openvpn connects (green icon) and i still reach internet using the main adapter?
12:30 < ShotokanZH> i mean, i still see my own ip address instead of my server's
12:33 < esde> ShotokanZH, I have zero experience with configuring openvpn server on windows.
12:33 <@ecrist> !def1
12:33 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:33 <@ecrist> see that, ShotokanZH
12:33 < ShotokanZH> ecrist, o.o where da hell do i have to type that
12:33 < esde> o_0
12:34 < ShotokanZH> i mean, with other vpn clients i didn't have to do that thing :/
12:35 < ShotokanZH> push "redirect-gateway def1" in the config?
12:43 < esde> !man
12:43 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:43 < esde> give that a read
12:44 < hyper_ch> ShotokanZH: shall all clients only go through the vpn? then put it into the server config
12:44 < hyper_ch> shall only certain clients use that, put it into
12:44 < hyper_ch> !ccd
12:44 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
12:44 < ShotokanZH> hyper_ch, ok thank you
12:52 < ShotokanZH> hyper_ch, it seems like it now forces everything to pass thru the vpn, but i can't really contact anything thru that
12:52 < hyper_ch> !ipforward
12:52 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:53 < ShotokanZH> hyper_ch, i've already done that iptables -w -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
12:53 < ShotokanZH> isn't that correct?
12:53 < hyper_ch> !linipforward
12:53 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:54 < hyper_ch> not the same
12:54 < ShotokanZH> hyper_ch, is mine not necessary, or do both have to be running?
12:55 < hyper_ch> what does it say? it has three different factoids for it, all giving you information
12:55 < ShotokanZH> oh yeah sorry
12:56 < hyper_ch> and I use: iptables -t nat -A POSTROUTING -s ${vpnSub}.0/24 -o eth0 -j MASQUERADE
12:56 < hyper_ch> you have a -w in it.. no idea what that does though
12:56 < ShotokanZH> hyper_ch, it does wait for other iptables to end
12:57 < hyper_ch> all the smart people that I know use it without the -w
12:57 < hyper_ch> not sure if that could lead to any complications
12:57 < ShotokanZH> hyper_ch, i've a complex firewall script
12:57 < ShotokanZH> using it without the -w results in the command not running
12:58 < hyper_ch> do you also push dns servers?
12:58 < ShotokanZH> hyper_ch, yep, enabled googles dns & the default ones
12:58 < hyper_ch> then the ipforward is the only thing that I still can collect... also
12:58 < esde> and I use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth0 ip)
12:58 < hyper_ch> !configs
12:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:58 < esde> :D
13:00 < hyper_ch> no idea what it does :) but if it works for you, all is well
13:00 < ShotokanZH> hyper_ch, yeahh it does now work :D
13:00 < ShotokanZH> thank you ^^
13:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
13:05 < esde> https://unix.stackexchange.com/questions/21967/difference-between-snat-and-masquerade "The SNAT target requires you to give it an IP address to apply to all the outgoing packets. The MASQUERADE target lets you give it an interface, and whatever address is on that interface is the address that is applied to all the outgoing packets. In addition, with SNAT, the kernel's connection tracking keeps track of all the connections when the interface is taken down a
13:05 < esde> nd brought back up; the same is not true for the MASQUERADE target."
13:06 <@vpnHelper> Title: iptables - Difference between SNAT and Masquerade - Unix & Linux Stack Exchange (at unix.stackexchange.com)
13:06 < esde> oops, sorry for multi-line paste.
13:06 < hyper_ch> you should be quartered for multi-line pasting....
13:06 < hyper_ch> :)
13:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:10 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has left #openvpn ["Leaving"]
13:12 -!- Uber-Ich [~qi@unaffiliated/uber-ich] has quit [Quit: WeeChat 1.0.1]
13:45 -!- hoople [~hoople@tengo.link] has joined #openvpn
13:47 -!- hoople [~hoople@tengo.link] has quit []
13:49 -!- hoople [~hoople@tengo.link] has joined #openvpn
13:53 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
13:57 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Quit: Gone...]
14:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
14:46 < jl-> when I have my browser open, then connect to the vpn, and google "what's my ip", google will display my local ip. however, when I open an incognito window, it will show the ip of the vpn server. is this normal?
14:56 <@ecrist> that's weird
14:58 < jl-> is my IP cached? :P
14:58 < jl-> when I go to any real website (non-google) it'll show the vpn ip
14:59 < jl-> it also seems like after some time, when I refresh that page, it will show the vpn ip
14:59 < jl-> so it almost seems like there's an old "session" that's causing google to show that ip
14:59 < jl-> not sure
14:59 <@ecrist> https://secure-computing.net/ip.php
15:00 < jl-> yup, vpn IP
15:00 < jl-> same with all those "what's my ip" websites
15:01 <@ecrist> there you go
15:02 <@ecrist> that web page doesn't cache IPs, fwiw
15:15 < hoople> i haven't experienced that caching behaviour with google
15:19 -!- hoople [~hoople@tengo.link] has quit [Read error: Connection reset by peer]
15:30 <@novaflash> you are all awesome
15:30 <@novaflash> except for.. *points to esde*
15:30 <@novaflash> he's super awesome
15:30 * esde hides
15:42 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
15:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:52 < hyper_ch> how come generating the dh takes like forever?
15:52 < esde> depends on how large
15:53 < hyper_ch> 4096bit
15:53 < esde> 1024 is much quicker than 2048, and 2048 is much quicker than 4096, and 4096 is much quicker than 8196
15:53 < hyper_ch> one cup of coffee just isn't good enough for it
15:53 < esde> etc
15:53 < hyper_ch> you can generate 8196 ?
15:53 < esde> yes
15:54 < hyper_ch> interesting
15:54 < hyper_ch> and for 16xxx you'll just sleep through the night?
15:54 < jl-> pretty much
15:54 < esde> as the bitsize increases the resources (cpu time) also increase to a larger degree
15:55 < jl-> just 1 bit increases the number significantly
15:55 < jl-> now imagine 200 bit more
15:55 < jl-> *2000
15:55 < hyper_ch> but what is the process behind it?
15:56 < esde> math problem
15:56 < esde> that's about it
15:56 < jl-> it generates random bits
15:57 < esde> https://security.stackexchange.com/questions/42415/openvpn-dhparam
15:57 <@vpnHelper> Title: openssl - OpenVPN dhparam - Information Security Stack Exchange (at security.stackexchange.com)
15:57 < hyper_ch> still doesn't explain why it's taking that long
15:57 < esde> you have to learn how it works at a lower level
15:57 < esde> the larger the resulting file, the longer it takes to generate it
15:58 < esde> it also depends on how much entropy is available
15:58 < esde> haveged can help increase entropy
15:59 < hyper_ch> haveged?
15:59 < esde> look it up
15:59 < esde> i gotta run
16:07 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:21 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
16:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:23 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Client Quit]
16:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:35 < esde> hyper_ch, here's the link for haveged http://www.issihosts.com/haveged/
16:35 <@vpnHelper> Title: haveged - a simple entropy daemon (at www.issihosts.com)
16:36 < hyper_ch> can things that operate on logic only, like computers, actually achieve true randomness?
16:39 < esde> i've run some random tests on the data and not yet recorded any anomalous results
16:49 < esde> http://pastebin.com/xCgFsPXd
16:52 -!- aeny [631058e1@gateway/web/freenode/ip.99.16.88.225] has joined #openvpn
16:54 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:58 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 245 seconds]
17:06 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
17:06 -!- tobinski [~tobinski@x2f583d9.dyn.telefonica.de] has quit [Quit: Leaving]
17:07 -!- mattock is now known as mattock_afk
17:10 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
17:10 -!- diranged [~Adium@162.245.21.10] has joined #openvpn
17:11 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
17:11 < diranged> Hey.. I'm trying to setup an OpenVPN server using a wildcard godaddy SSL cert for our vpn endpoint (we already have it, and it's already installed on all of our employee laptops). I'm running into a problem though with the OpenVPN client (tunnelblick in this case) saying "self signed certificate in chain", even though i've supplied the client with a copy of the godaddy intermediate certs.
17:11 < diranged> Can anyone offer a pointer here?
17:15 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Quit: WeeChat 1.0]
17:16 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
--- Log closed Tue Jan 06 17:20:54 2015
--- Log opened Tue Jan 06 21:00:42 2015
21:00 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
21:00 -!- Irssi: #openvpn: Total of 196 nicks [9 ops, 0 halfops, 2 voices, 185 normal]
21:00 -!- mode/#openvpn [+o ecrist] by ChanServ
21:00 -!- Irssi: Join to #openvpn was synced in 1 secs
21:17 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Read error: Connection reset by peer]
21:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
21:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:56 -!- novaflash is now known as novaflash_away
22:08 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
22:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:21 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Quit: Leaving]
22:21 -!- novaflash_away is now known as novaflash
22:37 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:41 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
22:46 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 265 seconds]
23:24 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
23:25 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
23:25 -!- zalami is now known as ZiconiumNitrate
23:25 -!- ZiconiumNitrate is now known as ZirconiumNitrate
23:26 -!- ZirconiumNitrate is now known as offended
23:26 -!- offended is now known as zimbobwe
23:28 -!- zimbobwe is now known as zalami[slp]
23:33 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 265 seconds]
23:34 -!- ShadniX [dagger@p5DDFDCA5.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:34 -!- ShadniX [dagger@p5DDFF120.dip0.t-ipconnect.de] has joined #openvpn
23:42 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
23:47 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
23:54 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 245 seconds]
23:57 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
--- Day changed Wed Jan 07 2015
00:32 -!- heraclitus [~phobos@unaffiliated/heraclitis] has joined #openvpn
01:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
01:11 -!- mattock_afk is now known as mattock
01:15 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
01:20 -!- master_o1_master [~master_of@p4FF24564.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_of_master [~master_of@p4FD7BB4A.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
01:30 -!- aeny [631058e1@gateway/web/freenode/ip.99.16.88.225] has quit [Quit: Page closed]
01:35 -!- novae [~novae@unaffiliated/novae] has quit [Remote host closed the connection]
01:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:00 -!- Rambozo [~Rambozo@ns503798.ip-192-99-11.net] has joined #openvpn
02:08 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:15 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:18 < Arr0way> hi
02:19 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
02:20 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: brb reboot (hopefully back)]
02:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
02:39 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
02:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:12 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
03:19 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:33 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
03:45 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
03:46 < ShotokanZH> hi guys
03:46 < ShotokanZH> is there any "official/unofficial but trustworthy" repository out there for ubuntu 14.04 LTS?
03:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:58 -!- i336_ [~i336_@CPE-58-164-17-215.lnse5.ken.bigpond.net.au] has joined #openvpn
04:00 < i336_> Hey everyone. I'd like to configure OpenVPN on Linux to handle all network I/O for a specific set of processes, as opposed to the whole system. Where do I start with that sort of thing, or should I be asking ##Linux for help with process isolation?
04:00 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
04:01 < i336_> I'm not sure if it changes anything, but some of the processes will be being run in WINE. (Not all of them though.)
04:03 -!- kexmex [~kexmex@178.136.234.6] has quit [Client Quit]
04:20 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Quit: Contact: http://hallowe.lt/]
04:24 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
04:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
04:28 -!- ikke-t [~ikke@62.237.43.150] has left #openvpn ["Leaving"]
04:29 < ShotokanZH> i336_, tha hell are you doing dude :D
04:30 -!- i336_ [~i336_@CPE-58-164-17-215.lnse5.ken.bigpond.net.au] has quit [Ping timeout: 264 seconds]
05:01 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
05:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:13 < esde> ShotokanZH, still about?
05:14 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
05:22 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
05:27 -!- dazo_afk is now known as dazo
05:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
06:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Remote host closed the connection]
06:13 -!- stewi [~quassel@2400:6800:ffff:2:d12d:c01a:e607:1b94] has joined #openvpn
06:14 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
06:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:20 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
06:21 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
06:22 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:23 -!- Tracker [~tracker@m88.ip1.anvianet.fi] has joined #openvpn
06:24 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
06:24 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:26 < Tracker> I have a problem with windows 7 openvpn ip routing.. I have 2 openvpn instances connected and both servers can ping ok to the client, and when just one client is connected I can ping the client from the lan behind both servers. but when both are connected openvpn tries to route connections through the first connection because the client has both routes to the lan behind the servers through server one and two. but in
06:26 < Tracker> windows xp this same setup works correctly .. using newest openvpn client and tap .. tun openvpn used for a long time with one server...
06:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
06:36 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
06:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
06:36 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:54 <@ecrist> Tracker: we're going to need more information in order to help you
06:55 <@ecrist> configs for both servers, both client configuration files, logs, etc
06:55 <@ecrist> !configs
06:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
06:55 <@ecrist> !logs
06:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
06:55 <@ecrist> don't paste in-channel, make sure to use pastebin or something similar
06:55 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:03 < esde> ShotokanZH, I haven't come across any repos for ubuntu 14.04, yet. your best bet is to download the source and install from scratch. there's only a few dependencies and the process is simple
07:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
07:09 -!- toli_ [~toli@d51A4CC08.access.telenet.be] has joined #openvpn
07:10 < toli_> hello, I use OpenVPN Community in p2p mode, but when I include my secret key for the Android client it asks for the CA, and I normally don't use this!
07:10 < toli_> any workaround?
07:12 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
07:13 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
07:15 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:24 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
07:28 < esde> !inline
07:28 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
07:28 < esde> toli_, ^
07:29 < toli_> esde, thanks, but I don't use CA certificate for the other p2p connections, only openvpn secret key
07:30 < esde> s/certs/keys
07:30 < toli_> thank you
07:36 -!- glosoli [~textual@unaffiliated/glosoli] has joined #openvpn
07:37 < glosoli> Hey, is there some way to easily connect to a VPN using only username and password? I get an error like this from Tunnelblick: "OpenVPN Options error: You must define CA file"
07:38 < esde> !authpass
07:38 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
07:39 < esde> >highly NOT recommended
07:43 -!- glosoli [~textual@unaffiliated/glosoli] has quit [Quit: Textual IRC Client: www.textualapp.com]
07:44 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:04 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:09 -!- kexmex [~kexmex@178.136.234.6] has quit [Ping timeout: 264 seconds]
08:55 -!- cwillu_at_work [~cwillu@cwillu.com] has joined #openvpn
09:05 <@dazo> esde: Using username/password auth without client certificates is no worse than what most users do with webmail or imap/pop3 over SSL. Clients still need the CA the server uses, so clients will always authenticate the server. Client certificates is just another way of client authentication .... not using user/pass auth and not using client certs is "highly not recommended"
09:23 < esde> http://pastebin.com/zihCLJmR I hope with the same factoid formatted differently, you can understand my misconception
09:30 -!- diranged [~Adium@162.245.21.10] has joined #openvpn
09:31 < diranged> Hey.. I'm seeing some performance and reliability issues between an openvpn server and its client. The two machines are not far enough apart to explain the issues. We're seeing ping times through the openvpn server (to some backend servers that are close) bounce from 90ms (good) -> 1700ms (bad).
09:31 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
09:32 < diranged> 3-4 will go through at 90ms, then 2 will take nearly 2s..
09:32 < diranged> We're running OpenVPN on port 443 in TCP mode. I'm curious if TCP mode could have anything to do with this?
09:32 < diranged> (we are simultaneously running a strongswan ipsec service.. and when we use that, we see consistent 90ms pings)
09:32 < esde> UDP is a good option when you notice performance issues on TCP
09:34 < diranged> Is it really likely that TCP is causing the issue here though?
09:38 < diranged> I'm trying UDP now just to see how it behaves
09:40 < diranged> Indeed.. it seems with UDP the performance is about right (90-91ms).. but i've seen 2 packets fail to make it so far.
09:41 < esde> "UDP can be less reliable that TCP VPN connections as UDP does not guarantee the delivery of packets."
09:41 < esde> s/that/than
09:41 < diranged> Yes.. I understand that technically. It's just rare to see that in practice today..
09:41 < diranged> at least, in my experience..
09:41 < diranged> but.. hey.. I haven't set up VPNs in a long time, so maybe at that layer, it's still common enough
09:46 < diranged> ok another question.. can someone help me get openvpn to bind to a management socket rather than a local tcp port?
09:46 < diranged> i tried 'management /tmp/some_socket_file'.. and that failed
09:50 -!- toli_ [~toli@d51A4CC08.access.telenet.be] has quit [Quit: Leaving]
09:55 < esde> from the managament man page https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage "The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in place of IP and set port to 'unix'. While the default behavior is to create a unix domain socket that may be connected to by any process, the --management-client-user and --management-client-group directives can be used to restrict access."
09:55 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
09:55 < esde> *management
09:55 < diranged> bah.. thanks
09:56 < diranged> hrmm of course.. it sets the permissions to 777..
10:01 -!- Voyage [~Voyage@182.189.236.89] has joined #openvpn
10:01 < Voyage> HI
10:02 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
10:03 < Voyage> I can see this directory. I am following a guide to install openvpn server on ubuntu. /usr/share/doc/openvpn/examples/easy-rsa/2.0/* Guide https://help.ubuntu.com/community/OpenVPN
10:03 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
10:07 < Voyage> cant*
10:10 < esde> !goal
10:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:12 < Voyage> I would like to access the internet over my vpn
10:15 < esde> !howto
10:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:16 < Voyage> esde http://nerdanswer.com/answer.php?q=737345
10:16 <@vpnHelper> Title: Extreme difficulty setting up VPN (at nerdanswer.com)
10:16 < esde> also i doubt you need bridged
10:16 < Voyage> ok. what do I need?
10:16 < esde> !bridging
10:16 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
10:17 < esde> you want to use tun, more than likely
10:17 < esde> !tunortap
10:17 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not rooted/jailbroken) support only tun
10:17 < Voyage> ok. esde is there a tutorial?
10:17 < esde> yes, the howto i linked
10:17 < Voyage> k'
10:18 < Voyage> esde this link does not say "howto for tunnel" http://openvpn.net/index.php/open-source/documentation/howto.html
10:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:19 < Voyage> esde which part should I follow?
10:22 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
10:28 < esde> installing OpenVPN, Numbering Private Subnets, Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients, Creating configuration files for server and clients, Starting up the VPN and testing for initial connectivity. Those are the first areas of interest
10:29 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
10:32 -!- Voyage [~Voyage@182.189.236.89] has left #openvpn []
10:33 < esde> pekster, you about?
10:38 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
10:44 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
10:45 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:54 -!- Voyage [~Voyage@182.189.236.89] has joined #openvpn
10:54 < Voyage> I am trying to connect skype through ssh -D 1080 user@hostVPS I put socks5 and port 1080 in skype network settings. But still I cannot bypass restrictions set by my ISP. any reasons you may think of?
10:55 < esde> this isn't the place for openssh support. but what is the host set to?
10:57 < Voyage> host?
10:57 < esde> should be 127.0.0.1 or localhost
10:57 < Voyage> yes.
10:57 < Voyage> it is
10:58 < esde> try #openssh for openssh support
10:58 < Voyage> k
10:58 < Voyage> esde, setting openvpn instead would do better?
10:59 < Voyage> skype says "proxy to use for incoming connections" but I need a proxy for outgoing calls. Am I on valid options?
10:59 < esde> depends on your needs. i generally prefer openvpn to ssh tunneling. but ssh tunneling is a neat thing too
10:59 < Voyage> k
10:59 < Voyage> skype says "proxy to use for incoming connections" but I need a proxy for outgoing calls. Am I on valid options?
10:59 < esde> please don't spam
11:00 < Voyage> sorry for double typing
11:03 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
11:03 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Ping timeout: 265 seconds]
11:12 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
11:12 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
11:12 < esde> Voyage, here's an extremely basic (and possible incomplete) "to-do" list for accomplishing your goal http://pastebin.com/raw.php?i=Ukfp4ATq
11:13 < esde> *possibly
11:13 < Voyage> esde, ya, but I am not a master. need step by step guide
11:14 < esde> !effort
11:14 <@vpnHelper> "effort" is If you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
11:15 < esde> If you ask questions, I/we will try to answer them :)
11:17 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:19 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
11:21 < Voyage> esde, ok
11:26 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
11:31 -!- quup [~ppp@unaffiliated/quup] has joined #openvpn
11:36 -!- Voyage [~Voyage@182.189.236.89] has quit [Read error: No route to host]
11:36 <@ecrist> securing SSH. good read: https://stribika.github.io/2015/01/04/secure-secure-shell.html
11:36 <@vpnHelper> Title: Secure Secure Shell (at stribika.github.io)
11:37 <@ecrist> This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.
11:38 * esde gives ecrist the talles, coldest, of beers
11:38 < esde> *tallest
11:39 <@ecrist> :)
11:43 < esde> are these warnings tongue-in-cheek? "You attempted to reach stribika.github.io, but instead you actually reached a server identifying itself as a shape shifter humanoid reptile alien. This may be caused by a misconfiguration on the server or something more serious. An attacker on your network could be trying to get you to visit a fake (and definitely harmful) version of stribika.github.io. You should not proceed."
11:44 <@krzee> yep that is a good read
11:45 <@krzee> i believe hyper_ch posted it here the other day
11:45 <@krzee> yep, twas him
11:46 <@krzee> he's my personal rss, better configured than any rss reader i had in the past! he only pings me on articles i am interested in
11:46 <@krzee> hyper_ch, :D
11:47 < esde> haha
12:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:09 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
12:22 < hyper_ch> krzee: what?
12:22 < hyper_ch> secure shell?
12:22 <@krzee> yep, good link
12:22 < hyper_ch> why can't the distros make that by default?
12:24 <@krzee> ++
12:24 <@krzee> hyper_ch++
12:24 < hyper_ch> (well, except the part with the hidden tor service...)
12:25 <@krzee> right that was another topic all together
12:37 -!- hmmhesays is now known as hmmhesegs
12:51 < hyper_ch> krzee: I'll try that on my servers on the weekend :)
12:51 < hyper_ch> what could possibly be more fun than hardening ssh on servers on the weekend, right?
12:52 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has joined #openvpn
12:53 < masterkorp> hello
12:53 < masterkorp> socks_handshake: TCP port read timeout expired:
12:53 < masterkorp> I am getting this using openvpn through a socks server in obfsproxy
13:00 < masterkorp> does openvpn support socks 4 ??
13:05 -!- Voyage [~Voyage@182.189.236.89] has joined #openvpn
13:05 < Voyage> Hi,
13:05 < Voyage> What command to use to connect to a openvpn server from a client?
13:06 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
13:07 <@krzee> hyper_ch, i recommend making a second config and a seperate port for testing so you dont risk locking yourself out =]
13:07 < Voyage> esde, ?
13:07 <@krzee> Voyage, start openvpn on the client, it does what it's instructed, --remote will let you specify the server
13:07 < hyper_ch> on hetzner I have lara consoles if I need :)
13:07 < hyper_ch> ramnode gives web-based kvms
13:08 < Voyage> krzee, so sudo service openvpn start --remote server.com ?
13:08 <@krzee> no
13:09 < Voyage> krzee, then?
13:09 <@krzee> the config which is started when you run 'service openvpn start' should already have remote entries in it
13:09 <@krzee> !howto
13:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
13:11 < Voyage> krzee, its Autostarting VPN 'client' but my ip has not changed
13:11 <@krzee> do you run your server?
13:11 < Voyage> I am at client. The server is up though
13:12 <@krzee> you need to control the server as well for us to debug it...
13:12 <@krzee> !redirect
13:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:12 <@krzee> see flowchart at #4
13:12 <@krzee> the sdf link
13:14 < Voyage> krzee, I followed this http://grantcurell.com/2014/07/22/setting-up-a-vpn-server-on-ubuntu-14-04/
13:14 <@vpnHelper> Title: How to Setup OpenVPN on Ubuntu 14.04 » Grant Curell (at grantcurell.com)
13:14 <@krzee> !walkthrough
13:14 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and don't understand your setup, type !howto and !man and try to actually learn what you're doing. most of those docs about openvpn from google SUCK.
13:14 < hyper_ch> !howto > Voyage
13:15 < hyper_ch> bot can't highlight users? :(
13:15 <@krzee> nope
13:15 < hyper_ch> bot must become smarter
13:15 < hyper_ch> !howto
13:15 <@krzee> if you find a supybot plugin for it, lemme know
13:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:16 < hyper_ch> krzee: plenty of bots can do that
13:16 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:16 < Voyage> hyper_ch, very difficult to understand tutorial
13:17 <@krzee> i gave you a flowchart for troubleshooting your problem
13:17 < hyper_ch> but once you understand it, you're ready to go
13:17 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has left #openvpn ["Leaving"]
13:17 <@krzee> I'm betting you have not clicked it
13:17 < hyper_ch> we used flowcharts back at university
13:19 < Voyage> krzee, I followed this http://grantcurell.com/2014/07/22/setting-up-a-vpn-server-on-ubuntu-14-04/ I think I need to NAT through it. How do I do that?
13:19 <@vpnHelper> Title: How to Setup OpenVPN on Ubuntu 14.04 » Grant Curell (at grantcurell.com)
13:19 <@krzee> I'm not going to read their walkthrough
13:19 <@krzee> !linnat
13:19 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:19 <@krzee> !iptables
13:19 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started as firewall design is beyond this channel's scope; you can also see #netfilter
13:19 <@krzee> !factoids search --values iptables-save
13:20 <@vpnHelper> 'iptables-rules' and 'netfilter'
13:20 <@krzee> !iptables-rules
13:20 <@vpnHelper> "iptables-rules" is When posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
13:23 <@krzee> !iptables-rules | hyper_ch
13:24 < esde> Maybe it's hungry
13:24 < esde> !botsnack
13:24 <@vpnHelper> "botsnack" is Om nom nom!
13:24 <@krzee> lol
13:25 < hyper_ch> isn't ! > better than ! | ?
13:25 < esde> | is less likely to cause confusion
13:26 < hyper_ch> well, from a bash point of view I think > is better....
13:29 <@krzee> depends what you view people as
13:29 <@krzee> if they are flat files >
13:30 <@krzee> if they are more like executables |
13:30 <@krzee> ;]
13:30 < Voyage> my vpn server is not starting
13:30 < Voyage> how to debug
13:30 < Voyage> * Starting virtual private network daemon(s)... * Autostarting VPN 'server' root@cqtechnologies:/var/www/html# service openvpn status
13:30 < Voyage> * VPN 'server' is not running
13:30 < esde> !paste
13:30 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:31 < esde> check the log sudo tail -f /path/to/openvpn.log
13:31 <@krzee> when using > the bash analogy would be flat files which you are clobbering and overwriting with the factoid
13:31 <@krzee> Voyage,
13:31 <@krzee> !logfile
13:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:31 <@krzee> !man
13:31 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:32 < hyper_ch> krzee: in unix, everything's a file :)
13:32 < hyper_ch> or so I was told
13:32 < Voyage> esde, logs are not in /var/log. where might they be?
13:32 <@krzee> of course
13:32 <@krzee> but what kind of file and how is it used
13:32 < Voyage> krzee, esde oh . syslog
13:32 < Voyage> ok
13:32 < esde> Voyage, are you absorbing anything we're telling you?
13:32 <@krzee> you would never > to a binary, for example
13:32 < Voyage> esde, yes. just read late
13:32 < hyper_ch> echo "some smart text" > /dev/user/brain
13:33 < esde> Check your openvpn server config, look for the log directive
13:33 < esde> it will show the path, if logging is enabled in the config, that is
13:33 <@krzee> esde, he has his heart set on doing this without reading the manual
13:33 < esde> apparently
13:33 <@krzee> if you do not want to learn i recommend openvpn-as
13:33 < Voyage> Options error: --dh fails with 'dh1024.pem': No such file or directory
13:33 <@krzee> they made something for you
13:33 < esde> you have to create the certs and keys yourself
13:34 < esde> it's all in the
13:34 < esde> !howto
13:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:34 <@krzee> !as
13:34 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
13:34 <@krzee> i recommend you change to openvpn-as
13:35 <@krzee> you will not be required to read documentation or learn about networking or cert management
13:35 < Voyage> esde, krzee I see that dh2048.pem in dir and not dh1024
13:35 <@krzee> if you choose to use the version you are using, you will be expected to read the docs we point you to
13:35 <@krzee> Voyage, and the fix isn't obvious?
13:35 < esde> change the server config to reflect that, then
13:35 < hyper_ch> krzee: but you did spoon-feed me...
13:35 < Voyage> esde, krzee yes. should I rename the file or change configs?
13:36 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
13:36 < esde> change config
13:36 <@krzee> hyper_ch, you read what told to read
13:36 < Voyage> k
13:36 < esde> the number is the bit size of the file
13:36 < hyper_ch> krzee: impossible... real men don't need to read :)
13:36 <@krzee> hey didn't you run my config generator actually?
13:36 < esde> renaming dh2048.pem to dh1024.pem will only cause further confusion
13:37 * hyper_ch wonders who in here has a Stallmann-beard
13:37 <@krzee> esde, lol
13:37 < hyper_ch> krzee: I used your config generator a few times
13:37 <@krzee> ya i think you did get spoonfed
13:37 <@krzee> cause you were testing my config generator
13:37 <@krzee> lol
13:37 <@krzee> !spoonfeeding
13:37 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
13:38 < Voyage> http://pastie.org/9818799
13:38 < esde> Okay now you're cooking
13:38 < esde> you need to get tun enabled
13:38 < Voyage> :)
13:38 <@krzee> looks like your kernel doesn't have tun compiled in
13:38 <@krzee> maybe you have the module
13:39 < Voyage> :(
13:39 < esde> is this your hardware, or a VPS?
13:39 <@krzee> I think openvpn tries to load it but couldn't hurt to 'modprobe tun'
13:39 <@krzee> esde, good question! ^
13:40 < Voyage> vps
13:40 < esde> if it's a vps open a ticket and ask them to enable tun
13:40 < Voyage> esde, can't I enable it myself?
13:40 < esde> maybe, but possibly no
13:40 < Voyage> why's that. I am the root
13:40 < esde> because it's not your machine
13:41 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
13:41 < esde> the feature needs to be enabled at a higher (lower?) level than your container
13:41 < hyper_ch> is it kvm or openvz?
13:41 < Voyage> openvz
13:42 < Voyage> hyper_ch, will do?
13:42 < hyper_ch> well, in kvm you'd run a real VM
13:42 < esde> the time you spend not opening a ticket and asking for tun to be enabled, is being wasted
13:42 < Voyage> hyper_ch, sorry?
13:43 < Voyage> esde, hm
13:43 < hyper_ch> Voyage: don't worry about it
13:43 < esde> especially since openvz is weird with un sometimes. you may need to reboot a couple of times for it to take effect, once your provider enables it
13:43 < Voyage> hyper_ch, ok. in short, I can do what ever I want in kvm and not in openvz?
13:43 < esde> s/un/tun
13:44 < hyper_ch> Voyage: yes.... someone described openvz a little while ago as glorified chroot
13:44 < esde> KVM and OpenVZ both have their own benefits and pitfalls
13:44 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
13:44 < Voyage> which one gives more control?
13:44 < hyper_ch> yes, I use openvz on some stuff and kvm on others
13:45 < hyper_ch> e.g. freeswitch I run on openvz for better performance
13:45 < esde> KVM
13:45 < Voyage> like tune, etc
13:45 < hyper_ch> with kvm you run your own kernel
13:46 < hyper_ch> with openvz you run the host node's kernel
13:46 < esde> especially since openvz shares the host kernel with the containers running on it
13:46 < esde> but this is all getting away from the point at hand
13:46 < esde> you need to conact your provider and request they enable tun.
13:47 < esde> s/conact/contact
13:47 < Voyage> apt-get install linux-headers-`uname -r`
13:47 < Voyage> Unable to locate package linux-headers-2.6.32-042stab093.5
13:47 < esde> what?????
13:48 < Voyage> http://serverfault.com/questions/91340/how-to-install-tun-tap-driver-for-openvpn-on-centos-linux second answer
13:48 <@vpnHelper> Title: How to install tun/tap driver for openvpn on centos linux? - Server Fault (at serverfault.com)
13:48 < esde> you can't change the kernel on openvz
13:48 < esde> >you need to contact your provider and request they enable tun.
13:48 < Voyage> hm
13:48 < Voyage> ok. support ticket then
13:48 < esde> look at all that wasted time
13:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
13:49 < Voyage> If, in case, I lay down weapons; anyone knows an openvpn provider ?
13:50 < hyper_ch> what do you need?
13:50 < esde> check openvpn.com
13:50 < hyper_ch> or rather how much you're willing to pay
13:50 < esde> .net that is
13:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:51 < Voyage> how much would I have to pay for a normal openvpn server?
13:52 < hyper_ch> depends on what you want to do with it
13:52 < esde> there are some for free
13:52 < Voyage> I just need my skype traffic to be routed through it
13:52 < Voyage> as my ISP blocks calls on landline numbers via skype
13:53 < hyper_ch> what country should the server be in?
13:53 < Voyage> esde, are those free ones reliable?
13:53 < Voyage> hyper_ch, US maybe?
13:53 < hyper_ch> http://www.ramnode.com/vps.php
13:53 <@vpnHelper> Title: RamNode | VPS Plans (at www.ramnode.com)
13:53 < hyper_ch> maybe one of the $3.50 / M
13:53 < esde> depends on your geographical location and the load on the server in question
13:53 < hyper_ch> they provide browser-based VNC so you can run the complete OS installation in the browser
13:54 < esde> skype over VNC on a headless VPS?
13:54 < hyper_ch> (switch to kvm)
13:54 < esde> sounds awful
13:54 < hyper_ch> esde: he wants vpn server
13:54 < esde> ....you provided a link to a vps provider
13:55 < esde> methinks he's asking about paid vpn service
13:55 < hyper_ch> yes, in which he can setup a server and deploy openvpn
13:55 < esde> but i could be wrong
13:55 < hyper_ch> maybe I'm wrong
13:55 < Voyage> esde, I have skype on my pc. just need a ssh tunnel
13:55 < hyper_ch> I thought he was looking for a kvm solution
13:55 < esde> to be fair, he's not being extremely clear about anything
13:56 < Voyage> hyper_ch, do you like ramnode? they get DDOSed so often
13:56 < hyper_ch> Voyage: haven't had issues with them this far
13:56 < Voyage> ok
13:56 < hyper_ch> but there's others
13:56 < Voyage> esde, so it's headless I guess
13:57 < hyper_ch> and there's openvpn providers that just provide the vpn tunnel
13:57 < hyper_ch> a free one would be hide.me
13:57 < Voyage> esde, well, I could use more apps with skype. like browser if I have a vpn...
13:57 < esde> if you'd just wait for your provider to enable tun.....
13:57 < hyper_ch> but only free for 2GB
13:57 < Voyage> hyper_ch, so http://www.ramnode.com/vps.php is = openvpn providers that just provide the vpn tunnel /
13:57 <@vpnHelper> Title: RamNode | VPS Plans (at www.ramnode.com)
13:57 < Voyage> ?\
13:57 < esde> no that's vps
13:57 < esde> not vpn
13:58 < hyper_ch> Voyage: no, thats a virtual private server
13:58 < hyper_ch> that provides either kvm or openvz... kvm starts at $ 3.50 per month
13:58 < hyper_ch> you can install your own OS there
13:58 < hyper_ch> and then deploy openvpn if you use kvm
13:59 < Voyage> as a matter of fact, the server I was configuring is already on ramnode
13:59 < Voyage> but an openvz.
13:59 < hyper_ch> if you just wanna use it as vpn gateway, the $3.50 is ok.... and you get 1 TB
13:59 < Voyage> I really wonder if I could get it right, up and running.
13:59 < hyper_ch> Voyage: maybe contact them if you could switch over to kvm instead
13:59 < Voyage> I am not a guru
13:59 < hyper_ch> !confgen
13:59 < esde> Voyage, it'd be running now if it were KVM
13:59 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
13:59 < esde> you wouldn't have to wait to enable tun
13:59 < Voyage> esde, hm ok
14:02 < Voyage> If, in case, I lay down weapons; anyone knows an openvpn provider that just gives me a tunnel ?
14:03 < hyper_ch> why give up now?
14:04 < Voyage> hm
14:04 < esde> because he doesn't want to read
14:04 < esde> he should go paid vpn or AS
14:04 < Voyage> I fear that I might not mess my server that has a lot of things in it already
14:04 < hyper_ch> I don't want to read either, but I get paid for that
14:05 < Voyage> and.. if i can find a ready made tunnel for cheap. why configure a server
14:05 < esde> huh
14:05 < esde> !effort
14:05 <@vpnHelper> "effort" is If you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
14:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: brb]
14:05 < esde> s/your problem/how openvpn works/
14:05 < hyper_ch> !krzee
14:06 < esde> * vpnHelper has quit (Quit: brb)
14:06 < hyper_ch> dang :)
14:06 < hyper_ch> the bot anticipated that I was trying to get info on krzee
14:06 < hyper_ch> and quit before I could query
14:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:07 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:08 < esde> !kiss | esde
14:08 < Voyage> I am going for [Standard] KVM SSD
14:08 < esde> So much for that
14:08 <@krzee> !krzee | esde
14:08 < Voyage> 512MB SKVMS 512 MB 1 Core 1 /64 10 GB 1000 GB $5 / mo
14:08 < Voyage> good?
14:08 < esde> it can run on less
14:08 <@krzee> !krzee > esde
14:08 < esde> but that looks sufficient
14:08 < esde> !keys < krzee
14:09 < hyper_ch> Voyage: it all depends what you want to do on it
14:09 < esde> my openvpn instance is using about 75MB of memory right now
14:09 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
14:09 < esde> and i doubt that's all being used by the openvpn process itself
14:10 < hyper_ch> you probably could go for premium kvm ssd - 256MB SKVM 256 MB 1 Core 1 /64 8 GB 1000 GB $3.50 / mo NYC / ATL / SEA / NL
14:10 < hyper_ch> half ram and 2 GB less disk space
14:11 < hyper_ch> but if you want to run webserver on it and database server and what else... then go for more ram... it's up to you what you want to use it for
14:11 < Voyage> I have a website of 5 pages, a demo site of x2engine.com that also requires a mysql database. a redmine project management software in ruby and rails that also runs on mysql. I would add openvpn on those. so the server is ok?
14:11 < Voyage> 512MB SKVMS 512 MB 1 Core 1 /64 10 GB 1000 GB $5 / mo
14:11 < hyper_ch> no idea how much redmine requires
14:12 < Voyage> know about x2?
14:12 < Voyage> am any ways. whats KVM SSD-Cached
14:13 < hyper_ch> uses ssd for caching and has normal harddrives for actual storage of data
14:13 < hyper_ch> no idea what x2 is
14:14 < esde> CRM
14:14 < Voyage> esde, hyper_ch ramnode replied that I can enable tun on openvz. just giving a link
14:15 -!- diranged [~Adium@162.245.21.10] has left #openvpn []
14:16 < hyper_ch> Voyage: then you don't need to change :)
14:17 -!- zalami[slp] is now known as zalami
14:20 < Voyage> ya.
14:20 < Voyage> How do i find my username?
14:21 < esde> ?
14:21 < esde> whoami
14:21 <@krzee> !101
14:21 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
14:21 < Voyage> on ramnod
14:21 < Voyage> :)
14:23 < Voyage> https://vpscp.ramnode.com/login.php is something different . hyper_ch would know
14:23 <@vpnHelper> Title: Control Panel (at vpscp.ramnode.com)
14:23 < hyper_ch> ?
14:23 < esde> It's not a matter of who knows. It's a matter of, this discussion is not appropriate for this channel.
14:23 < Voyage> nevermind. I would figure
14:23 < Voyage> esde, ok
14:24 < hyper_ch> RNuser...... for me
14:24 < esde> taking hand holding to a whole new level
14:31 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 252 seconds]
14:31 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 252 seconds]
14:33 < Voyage> hyper_ch, esde do I need to enable PPP?
14:33 < esde> no
14:33 < hyper_ch> only if you want to use ppp
14:34 < Voyage> # cat /dev/net/tun
14:34 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
14:34 < Voyage> cat: /dev/net/tun: File descriptor in bad state
14:34 < esde> it's enabled
14:35 < Voyage> # service openvpn status
14:35 < Voyage> * VPN 'server' is running
14:35 < esde> how bout that
14:35 < hyper_ch> openvpn could be lying to you
14:36 < Voyage> am. so how do I make sure of things?
14:36 < esde> tail -f /path/to/openvpn.log
14:36 < hyper_ch> try to connect with a client
14:36 < hyper_ch> or what esde said
14:36 < esde> last line should read Initialization Sequence Completed
14:36 < Voyage> hyper_ch, client is already connected
14:37 < Voyage> * VPN 'client' is running
14:37 < esde> when the client browses, does it show the VPS's WAN IP?
14:37 < Voyage> no
14:37 < hyper_ch> esde: that depends on how it's configured
14:37 < hyper_ch> !def1
14:37 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
14:37 < esde> his goal is to forward traffic through openvpn
14:37 < Voyage> because I guess no firewall rules were made
14:37 < esde> yup, been through all this earlier
14:38 < esde> i posted a rule in #openssh earlier
14:38 < hyper_ch> Voyage: use redirect-gateway def1
14:38 < esde> try this Voyage iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth0 ip)
14:38 < esde> hyper_ch, he doesnt have iptables even set yet
14:39 < hyper_ch> that doesn't need to be set for redirect gateway, does it?
14:39 < esde> it does
14:39 < hyper_ch> really?
14:39 < Voyage> hyper_ch, esde what do I need to do from : http://pastie.org/9818913
14:40 < hyper_ch> is your interface even eth0?
14:40 < Voyage> dont know.
14:40 < hyper_ch> then you should check
14:40 < Voyage> ip route ls ?
14:40 < esde> what do you mean what do you need to do from? those are three iptables commands
14:41 < esde> the first one, is to forward all traffic from openvpn clients through the WAN IP, dunno what the other two are for
14:41 < Voyage> http://pastie.org/9818919
14:42 < Voyage> esde, I meant, which ip tables command do I need. the only one you gave or anything else?
14:42 < esde> ok this is getting far too convoluted
14:43 < esde> you need the rule i provided and `push "redirect-gateway def1"` in the conf
14:43 < Voyage> hm. ok.
14:44 < Voyage> for a first step, what should I type
14:44 < esde> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth0 ip)
14:44 < Voyage> whats (eth0 ip)
14:44 < esde> the wan ip of the vps
14:44 < Voyage> can it be a domain name ?
14:45 < esde> i dont think so
14:45 < Voyage> ok
14:45 < esde> you need the push directive in the client conf too
14:45 < esde> that is
14:45 < esde> without the <>'s
14:45 < Voyage> its 168.235.66.43 and I am typing command in terminal
14:46 < esde> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 168.235.66.43
14:46 < esde> assuming eth0 too, your interface name may be different
14:47 < esde> whatever interface name has that ip, put that name in place of eth0
14:48 < Voyage> ;push "redirect-gateway def1 bypass-dhcp"
14:48 < Voyage> uncommenting it
14:48 < esde> great!
14:48 < esde> you'll need to reload/restart openvpn to reflect any changes you make to configs
14:49 < Voyage> how can I know the interface name?
14:49 < esde> ifconfig
14:49 < Voyage> k
14:50 < Voyage> venet0:0 Link encap:UNSPEC
14:50 < esde> there ya go! :D
14:50 < Voyage> so its venet0? or venet0:0
14:51 < esde> whatever interface name has that ip, put that name in place of eth0
14:51 < hyper_ch> venet0:0 IMHO
14:51 < Voyage> Just did iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j SNAT --to 168.235.66.43
14:52 < Voyage> restarted vpn
14:52 < esde> bear in mind, you restart openvpn for config changes. iptables rules are automatic
14:53 < Voyage> did that but ip of client browser did not change
14:53 < Voyage> do I need to reconnect client?
14:54 < esde> did you add the redirect-gateway directive to the client conf too?
14:54 < Voyage> yes
14:55 < Voyage> I just uncommented it.
14:55 < esde> yes
14:55 < Voyage> how can I debug?
14:55 < Voyage> Do I need to add the highlighted lines also ? http://pastie.org/9818919#9,11
14:56 < esde> Not afaik
14:56 < Voyage> ok. how can I list iptables rules
14:56 < Voyage> any other way to debug?
14:57 < esde> is it not working still?
14:57 < esde> if not, do you have ip forwarding enabled on the server?
14:58 < Voyage> how can I know
14:59 < esde> cat /proc/sys/net/ipv4/ip_forward
14:59 < esde> 0=no 1=yes
14:59 < Voyage> ok
14:59 < Voyage> esde, dont you think I need these http://pastie.org/9818956#14-19
15:00 < Voyage> cat /proc/sys/net/ipv4/ip_forward says 1
15:00 < esde> this came from a guide "Enter the following commands one by one to forward traffic through OpenVPN:"
15:00 < Voyage> ya
15:01 < esde> i think your iptables are borked
15:01 < Voyage> ok. how can I list iptables rules
15:02 -!- JBravo [~JBravo@babylon5.ra.is] has joined #openvpn
15:03 < esde> iptables -L and iptables -t nat -L are probably what you need
15:03 < JBravo> need some help with "Bad LZO decompression header byte: 69" in server's log (and no traffic over the vpn tunnel)
15:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
15:03 < esde> JBravo, is compression set on both sides? or vice-versa?
15:04 < JBravo> yes
15:04 < esde> you only want one postrouting rule to route openvpn clients out to WAN. If you have the MASQUERADE and SNAT rules both in place at the same time, it wont work
15:05 < Voyage> http://pastie.org/9818966 esde
15:05 < esde> do you have fragment in your confs?
15:05 < JBravo> omg
15:05 < JBravo> what is it with asking for help and then finding the answer :)
15:05 < JBravo> 64 bytes from 10.8.0.1: icmp_seq=945 ttl=64 time=1.71 ms
15:05 < JBravo> hah :)
15:06 < esde> iptables -t nat -D POSTROUTING 2 Voyage to get rid of the double SNAT rules
15:06 < JBravo> thanks :)
15:06 -!- JBravo [~JBravo@babylon5.ra.is] has left #openvpn ["Leaving"]
15:06 < Voyage> iptables -t nat -D POSTROUTING 2 ?
15:06 < Voyage> ok
15:06 < esde> yeah, you have that rule entered twice
15:07 < Voyage> should it work now?
15:07 < Voyage> I just just open a browser from client now?
15:07 < Voyage> to check ip?
15:07 < esde> give it a shot
15:07 < Voyage> same issue
15:08 < Voyage> ok. how can I check that the vpn is in action and connection?
15:08 < Voyage> can I browse files of server from client?
15:08 < esde> sudo service openvpn status
15:08 < Voyage> running
15:08 < esde> and tail -f /path/to/openvpn.log
15:08 < Voyage> on client or on server?
15:08 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
15:08 < esde> server
15:09 < Voyage> issues.
15:09 < Voyage> too many
15:10 < esde> try deleting the POSTROUTING rule thats left and in it's place put this iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0(or whatever the WAN interface is) -j MASQUERADE
15:10 < Voyage> http://pastie.org/9818978#
15:11 < Voyage> TLS handshake failed
15:11 < esde> paste at pastebin.com so we can see the whole lines
15:11 < Voyage> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
15:11 < Voyage> k
15:12 < esde> not here, on a site like pastebin.com
15:12 < Voyage> http://pastebin.com/uiD9eh3W
15:13 < esde> looks like you didnt copy the client certs/keys to the client or the conf doesn't have their locations defined properly
15:14 < Voyage> I did
15:14 < Voyage> let me check
15:14 -!- glosoli [~textual@unaffiliated/glosoli] has joined #openvpn
15:15 < Voyage> :/etc/openvpn$ ls
15:15 < Voyage> ca.crt client.conf clientname.crt clientname.key update-resolv-conf
15:15 < esde> is that client or server?
15:16 < Voyage> client
15:16 < Voyage> the client.conf says # file can be used for all clients.
15:16 < Voyage> ca ca.crt
15:16 < Voyage> cert clientname.crt
15:16 < Voyage> key clientname.key
15:16 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
15:16 < esde> stop pasting multiple lines at once in the channel please
15:17 < Voyage> k
15:17 < esde> so the client.conf is at /etc/openvpn/openvpn.conf and the certs/keys are in the same directory?
15:18 < Voyage> the client conf is client.conf in :/etc/openvpn
15:18 < Voyage> and certs/keys are in same dir
15:18 < Voyage> yes
15:18 -!- glosoli [~textual@unaffiliated/glosoli] has left #openvpn []
15:19 < esde> ok, does the user running the openvpn client process have permissions to view those files?
15:19 < Voyage> he should as openvpn was started as sudo
15:19 < Voyage> he should as openvpn was started as sudo openvpn start
15:19 < esde> ps aux, look for the openvpn process and see who the user is running the process
15:20 < Voyage> the files have this permissions too rwxrwxrwx
15:21 < esde> only need 0600 on keys/certs and ownership set to the openvpn user
15:21 < Voyage> $ sudo ps aux | grep openvpn
15:21 < Voyage> root 5771
15:22 < Voyage> ownership? should I chown openvpn .key .crt ?
15:22 < esde> 1sec
15:23 < esde> sudo adduser openvpn; sudo chown openvpn:openvpn /etc/openvpn/ca.crt /etc/openvpn/client.crt /etc/openvpn/client.key; sudo chmod 0600 /etc/openvpn/ca.crt /etc/openvpn/client.crt /etc/openvpn/client.key
15:24 < esde> that will create a non-root user (open) and set the correct permissions and ownership
15:24 < esde> *openvpn
15:24 < esde> then add user openvpn group openvpn to config
15:25 -!- mattock is now known as mattock_afk
15:27 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
15:28 < Voyage> esde, where in config?
15:29 < esde> between the first and last line
15:29 < Voyage> in client config? right?
15:29 < esde> yes
15:29 < Voyage> ok. how to add it?
15:29 < Voyage> the exact line/command
15:29 < esde> i would do the same thing on the server
15:30 < Voyage> what line be added?
15:31 < esde> ;user openvpn ;group openvpn
15:31 < esde> without the comments, on separate lines
15:31 < Voyage> oh]
15:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:33 < Voyage> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
15:33 -!- Brutser [~email@d51A48718.access.telenet.be] has joined #openvpn
15:34 < esde> !all
15:34 <@vpnHelper> "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles or (#2) For more detailed instructions, look to: !logs !configs !interface
15:34 < Brutser> hi, anyone around with some windows background? i try create some rules in outpost firewall, to only allow openvpn traffic for certain applications - really having a hard time with this...
15:34 < esde> please post what you have for client and server conf to pastebin
15:34 < Voyage> esde, and I would not want a password to be entered for openvpn user and he be able to login
15:35 < esde> you should have ssh password login disabled
15:40 < Voyage> esde, http://pastebin.com/C7rVnqK5
15:42 < esde> sudo chown openvpn:openvpn /etc/openvpn/client.conf; sudo chmod 0600 /etc/openvpn/client.conf
15:42 < esde> i doubt it's not seeing the conf file, but i noticed it sticking out like a sore thumb
15:43 < Voyage> done
15:44 < esde> did you use the easy-rsa scripts?
15:44 < Voyage> yes
15:44 < esde> ./build-ca ./build-key-server ./build-key client ?
15:44 < Voyage> yes
15:44 < esde> *+server
15:44 < esde> it looks like something is wrong with them
15:45 < esde> try ./clean-all and recreate them
15:45 < esde> unless someone wants you to set verbosity higher and help you, as I'll need to leave soon
15:46 < esde> https://forums.openvpn.net/topic10261.html
15:46 <@vpnHelper> Title: OpenVPN Support Forum [Resolved] Self Signed certificate : Server Administration (at forums.openvpn.net)
15:47 < esde> that thread sould be helpful
15:47 < esde> s/sould/should
15:47 < Voyage> is there a service that I can use just to tunnel traffic?
15:48 < esde> openvpn
15:48 < Voyage> I mean some service that is already setup
15:48 < esde> you've come this far, just troubleshoot your configuration until it works how you want it
15:49 < Voyage> hm
15:49 < Voyage> ok
15:49 < esde> you've got the daemon running, now you just need to fix the PKI issues
15:49 < esde> if you take some time and read through that thread, there is very helpful information
15:50 < Voyage> ok
15:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:58 < esde> gotta run, good luck
16:10 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
16:20 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 245 seconds]
16:26 < Brutser> on one client, every time he will try first connection (after reboot) to vpn server - the dhcp times out
16:27 < Brutser> only 'solution' i have now is to remove tap and re-add it
16:27 -!- dazo is now known as dazo_afk
16:27 < Brutser> what can be wrong with the config for this behaviour?
16:33 < Voyage> http://pastebin.com/rFupb818 any ideas ?
16:36 < Voyage> my internet goes off on client when I connect
16:40 < Voyage> krzee, hyper_ch you around?
16:43 < Voyage> http://pastebin.com/8MTYrQvL
16:43 < esde> Voyage, see this http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
16:43 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
16:47 < Voyage> esde, which port does openvpn uses? I will check if its blocked or not
16:47 < esde> 1194 by default
16:49 < Voyage> PORT STATE SERVICE
16:49 < Voyage> 1194/tcp closed openvpn
16:49 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
16:50 < esde> got another firewall running?
16:50 < Voyage> iam on ramnode. i dont think they do
16:51 < esde> !configs
16:51 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:51 < esde> follow those steps to a T, i wont read it with comments, i dont have the time and i'll check out your configs before i have to go again
16:54 < Voyage> cat /etc/openvpn/server.conf | grep -vE '^#|^;|^$'
16:54 < Voyage> ?
16:54 < pekster> Why TCP?
16:54 < pekster> !tcp
16:54 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
16:55 < esde> i don't know why he chose tcp, but given his geoip i'd think possibly to get past some restrictive firewall maybe
16:56 < Voyage> esde, no . I can ping server
16:56 < esde> also pekster here, http://pekster.sdf.org/code/projects/easyrsa3.html you have a hyperlink (see my GitHub project) that 404's. it should be https://github.com/OpenVPN/easy-rsa not https://github.com/QueuingKoala/easy-rsa as it is now
16:56 <@vpnHelper> Title: Project: Easy-RSA 3 (next-gen Easy-RSA codebase) (at pekster.sdf.org)
16:57 < pekster> Don't use that first URL
16:57 < Voyage> cat /etc/openvpn/server.conf | grep -vE '^#|^;|^$' esde
16:57 < esde> .......
16:57 < esde> that's the link defined in the hyperlink
16:58 < pekster> Use the real project URL, not a supremely out of date development resource
16:58 < pekster> !easyrsa
16:58 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:58 < esde> I was trying to be helpful
16:58 < esde> I'll stop now
16:58 < esde> tip: maybe remove that hyperlink to avoid any confusion
16:59 < esde> as it is linked from a factoid
16:59 < esde> !easyrsa-ng
16:59 <@vpnHelper> "easyrsa-ng" is To track development or usage of the next-gen Easy-RSA codebase with improvements to the original, see http://pekster.sdf.org/code/projects/easyrsa3.html . Be aware this code is beta , but is usable as it stands now. Send suggestions/comments to pekster.
16:59 < pekster> esde: Fixed.
17:00 < Voyage> esde, I think server might not be routing traffic to client. no?
17:00 < pekster> esde: The !easyrsa has the right URL. Where did you find the ancient URL?
17:00 < Voyage> esde, client gets connected fine. and server is running UDP on the port. but when client gets connected, internet goes off on client side
17:00 < esde> pekster, if he's willing to help, can offer assistance. As i mentioned, im about to leave
17:01 < esde> I told you in my first massage.
17:01 < esde> *e
17:01 < esde> the parenthetical is the hyperlink text (mostly)
17:01 < pekster> I'm not "seeing your github project" for whatever reference you think you're helping with
17:02 < esde> this paragraph For active source development, see my GitHub project (Windows wrapper-scripts available at this GitHub project, with binaries included in my Windows-release above from the win-bash project.)
17:02 * pekster does not have time for 20 questions. Maybe message me or send me a nickserv memo that I'll read when I have time
17:02 < esde> the first hyperlink
17:02 < pekster> No, that's outdated
17:02 < pekster> Where did you get THAT resources?
17:02 < esde> the link to that page is the last link in the easyrsa-ng factoid
17:02 < pekster> !easyrsa-ng
17:02 <@vpnHelper> "easyrsa-ng" is To track development or usage of the next-gen Easy-RSA codebase with improvements to the original, see http://pekster.sdf.org/code/projects/easyrsa3.html . Be aware this code is beta , but is usable as it stands now. Send suggestions/comments to pekster.
17:02 < esde> i dont have time either i gotta run lol
17:02 < pekster> !forget easyrsa-ng
17:02 <@vpnHelper> Joo got it.
17:02 < pekster> !learn easyrsa-ng as [easyrsa]
17:02 <@vpnHelper> Joo got it.
17:04 < Voyage> esde, http://pastebin.com/6bppep1b
17:05 < esde> Voyage, if you're on later I'll highlight you and see how it went/is going but i have to go now
17:05 < esde> get those uncommented configs with your logs and iptables and pastebin them, they will be helpful to the next helper
17:06 < Voyage> esde, ok. thanks a lot :)
17:06 < esde> yw, good luck man! :)
17:12 < Voyage> http://pastebin.com/Sy3BBN9y server and client configs at bottom
17:13 -!- Brutser [~email@d51A48718.access.telenet.be] has quit [Ping timeout: 245 seconds]
17:32 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
17:43 -!- Voyage [~Voyage@182.189.236.89] has quit [Ping timeout: 264 seconds]
18:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:05 -!- mode/#openvpn [+v s7r] by ChanServ
18:09 -!- xsamurai [~fahad@unaffiliated/xsamurai] has joined #openvpn
18:09 < xsamurai> is it possible to send a single command to the telnet management interface ?
18:09 < xsamurai> as in " echo kill someguy | telnet localhost 1234 "
18:34 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
18:34 < ljvb> evening
18:37 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 255 seconds]
18:43 -!- xsamurai [~fahad@unaffiliated/xsamurai] has left #openvpn []
18:45 -!- stewi [~quassel@2400:6800:ffff:2:d12d:c01a:e607:1b94] has quit [Ping timeout: 244 seconds]
18:49 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:58 < ljvb> anyone around running ovpn/fbsd as a gateway.. I'm getting terrible performance.. between client and vpn gateway is fine, as well as any internal host.. but when routing traffic to the outside (using ovpn as default route for clients), performance is abysmal.
19:02 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
19:03 < ljvb> it appears to be somewhere around the handoff to the external interface.
19:06 < esde> there are people running openvpn on bsd in here. im just not one of them lol
19:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
19:09 < ljvb> I know.. just trying to figure out why I am taking a perf hit when routing externally..
19:11 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
19:12 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
19:17 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
19:30 -!- Brutser [~email@d51A48718.access.telenet.be] has joined #openvpn
19:31 < Brutser> im trying to create a static route to the vpn server, but not allow any other traffic - how can i accomplish this?
19:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
20:34 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
20:47 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
21:50 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:54 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
22:08 <@krzee> http://www.spiegel.de/media/media-35515.pdf
22:09 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
22:10 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
22:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:49 < ljvb> if anyones alive.. when use level 5 verb.. W w R r.. for read write obviously, but what is the difference between upper and lower case?
22:51 <@krzee> !man
22:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:51 <@krzee> its in --verb
22:51 < ljvb> I'm already in there
22:51 < ljvb> :)
22:52 < ljvb> aha
22:52 < ljvb> trying to figure out why I have such piss poor performance currently
22:54 < ljvb> gained a little perf after removing the static routes
22:54 <@krzee> !speed
22:54 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
22:55 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
22:58 < ljvb> not sure the problem is with openvpn, performance between the client and the vpn server is fine, it is when I try to use it as my def gateway to non internal addresses...
22:59 < ljvb> getting around 300 to 400 kbit when I should be getting close to 8mbit.. thats not really a tuning issue.. I could be wrong..
23:12 -!- OShobbit [~andrew@cpe-72-228-8-249.nycap.res.rr.com] has joined #openvpn
23:24 < ljvb> *sigh* okay.. I have narrowed the problem down to not openvpn.. at least I do not think it is. using iperf3, I get exact same performance over the 2 external ip's using public network as I get over the 2 internal ip's traversing openvpn
23:25 < ljvb> guess it is time to bust out tcpdump on the external interface
23:32 -!- ShadniX [dagger@p5DDFF120.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:32 -!- ShadniX [dagger@p5481D67A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Jan 08 2015
00:01 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
00:05 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
00:09 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
00:10 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Client Quit]
00:11 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 244 seconds]
00:12 -!- OShobbit [~andrew@cpe-72-228-8-249.nycap.res.rr.com] has quit [Quit: Leaving]
00:14 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
00:42 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 245 seconds]
00:47 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
00:47 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
01:20 -!- master_of_master [~master_of@p4FD7B201.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_o1_master [~master_of@p4FF24564.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
01:25 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
01:26 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
01:43 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:44 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
01:47 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
01:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:49 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
01:55 < hyper_ch> hmmm, anyone here knows czech?
01:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
01:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Remote host closed the connection]
01:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
01:59 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:59 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:05 -!- havingFun is now known as xrosnight
02:13 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:22 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
02:30 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
02:33 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
02:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:58 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has left #openvpn ["TTFN, Ta Ta For Now!"]
03:02 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
03:06 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
03:10 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
03:17 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
03:19 -!- DerDuddle [~duddle@s15408483.onlinehome-server.info] has joined #openvpn
03:23 < DerDuddle> hello! I am trying to expand my openvpn 2.1.4 setup with a new network, ideally without needing to restart the daemon.
03:23 < DerDuddle> on the client side is a new network and I want the server side to be able to route through the vpn tunnel
03:24 < DerDuddle> the client-config-dir has a config file for the client with iroute options for the new network
03:24 < DerDuddle> I've manually added a route via "ip route", because I don't want to restart the daemon
03:25 < DerDuddle> with tcpdump I can see that it already sends packets to the tunnel interface, but from there they seem to get lost
03:25 -!- KidCartouche [~user@194.183.244.5] has joined #openvpn
03:26 < DerDuddle> there is already a working network on the client side and I basically copied that configuration and modified it
03:26 < KidCartouche> !welcome
03:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
03:26 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:26 < DerDuddle> there are no firewall rules that would prevent the communication
03:26 < DerDuddle> !route
03:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
03:26 <@vpnHelper> client
03:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:32 < DerDuddle> !serverlan
03:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
03:32 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
03:35 < DerDuddle> !route_outside_openvpn
03:35 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
03:35 < DerDuddle> !clientlan
03:35 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
03:35 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
03:36 < DerDuddle> I think I did everything correctly. I'll compile my config, maybe I am missing something
03:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
03:41 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
03:50 < iokill> !welcome
03:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:56 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 265 seconds]
03:56 < DerDuddle> http://pastebin.com/YKXEG5A3
03:57 < DerDuddle> a bit of my config and what works and what doesn't
03:57 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:57 -!- mode/#openvpn [+v hazardous] by ChanServ
03:59 < iokill> hi! i just hit this bug: https://community.openvpn.net/openvpn/ticket/71
03:59 <@vpnHelper> Title: #71 (Windows 7 (and Vista) - tunnel fails after resume from Sleep/Standby) – OpenVPN Community (at community.openvpn.net)
03:59 < iokill> is there any known workaround for this?
04:02 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
04:04 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
04:11 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
04:15 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
04:45 -!- JackWinter [~jack@vodsl-9520.vo.lu] has quit [Excess Flood]
04:45 -!- hypermist [hypermist@unaffiliated/hypermist] has joined #openvpn
04:46 -!- JackWinter [~jack@vodsl-9520.vo.lu] has joined #openvpn
04:46 < hypermist> Erm. someone mind helping i tried to start my openvpn-as via the webpanel and this happened http://hastebin.com/etibekitep.vhdl
04:46 <@vpnHelper> Title: hastebin (at hastebin.com)
04:47 -!- le0 [~le0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
05:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:12 -!- hypermist is now known as extrememist
05:12 -!- extrememist is now known as hypermist
05:13 < hypermist> hello anyone ??
05:14 < hypermist> !welcome
05:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:15 < hypermist> !howto
05:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:15 < hypermist> not what i need. waits
05:15 -!- dazo_afk is now known as dazo
05:20 < hypermist> why is erryone dead D:
05:20 -!- Chex [~Chex@swampjax.northnook.ca] has quit [Ping timeout: 272 seconds]
05:21 < hypermist> dazo you there
05:37 < DerDuddle> ok, it seems like I _had_ to use openvpns "route" to add the route and restart the daemon, the manual static route wasn't enough
05:38 < DerDuddle> which seems really weird, but I guess openvpn somehow needs to know that on startup ...
05:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
05:48 -!- edward [~edward@4angle.com] has quit [Ping timeout: 244 seconds]
05:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:55 -!- edward [~edward@4angle.com] has joined #openvpn
06:02 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
06:04 -!- edward [~edward@4angle.com] has quit [Ping timeout: 244 seconds]
06:10 -!- edward [~edward@4angle.com] has joined #openvpn
06:13 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
06:13 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:15 -!- DerDuddle [~duddle@s15408483.onlinehome-server.info] has quit [Quit: Leaving]
06:18 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
06:22 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:30 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:34 <@dazo> hypermist: whazzup?
06:35 <@dazo> !ask
06:35 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
06:51 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
07:00 < hypermist> dazo i already asked my question but i never got an answer sadly
07:01 < hypermist> and i basically got my friend to answer it for me.
07:01 < hypermist> Since i only have a vps i cannot make a openvpn-as :\
07:03 <@dazo> if you asked a question, it's not in my scrollback
07:06 < hypermist> Erm. someone mind helping i tried to start my openvpn-as via the webpanel and this happened http://hastebin.com/etibekitep.vhdl
07:06 <@vpnHelper> Title: hastebin (at hastebin.com)
07:06 < hypermist> well i asked for help
07:06 <@dazo> !as
07:06 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
07:07 < hypermist> Oh sorry
07:10 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
07:20 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 245 seconds]
07:25 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
07:26 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
07:31 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
07:32 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
07:41 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
08:12 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:36 -!- mattock_afk is now known as mattock
08:41 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
08:48 < hyper_ch> krzee: http://www.usatoday.com/story/tech/2015/01/04/ces-2015-intels-new-biometric-password-manager/21198555/ - what could possibly go wrong... I guess they didn't take notice of 31C3
08:48 <@vpnHelper> Title: Intel unveils app that opens sites with user's face (at www.usatoday.com)
09:07 -!- KidCartouche [~user@194.183.244.5] has quit [Ping timeout: 264 seconds]
09:25 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:32 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
09:44 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
09:52 -!- Henryabcd [~Henryabcd@pD9E0AA1A.dip0.t-ipconnect.de] has joined #openvpn
10:21 < masterkorp> Do I need to be a subscriber to post to the openvpn mailing list ?
10:22 < hyper_ch> that's how mailing lists usually work
10:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:36 < masterkorp> not always
10:36 < masterkorp> most of them don't
10:41 -!- elfixit [~Icedove@88-227.197-178.cust.bluewin.ch] has joined #openvpn
10:46 < hyper_ch> all lists I've been involved with require subscription
10:47 <@plaisthos> masterkorp: in the 90s, yes
10:47 < masterkorp> "You are not allowed to post to this mailing list, and your message has
10:47 < masterkorp> "
10:47 <@plaisthos> but nowadays it is different
10:48 < masterkorp> well, the git mailing list the email had to be accepted by hand
10:48 < masterkorp> anyways I will subscribe
10:48 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:50 -!- hmmhesegs is now known as hmmhesays
10:55 < hyper_ch> krzee: http://marc.info/?l=openssl-announce&m=142046772204265
10:55 <@vpnHelper> Title: '[openssl-announce] Forthcoming OpenSSL releases' - MARC (at marc.info)
10:57 < hyper_ch> krzee: http://marc.info/?l=openssl-announce&m=142046772204265 --> ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
10:57 <@vpnHelper> Title: '[openssl-announce] Forthcoming OpenSSL releases' - MARC (at marc.info)
10:57 < hyper_ch> sorry, meant this: https://www.openssl.org/news/secadv_20150108.txt
10:58 -!- elfixit [~Icedove@88-227.197-178.cust.bluewin.ch] has quit [Ping timeout: 256 seconds]
11:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:05 -!- elfixit [~Icedove@88-227.197-178.cust.bluewin.ch] has joined #openvpn
11:10 -!- elfixit [~Icedove@88-227.197-178.cust.bluewin.ch] has quit [Ping timeout: 264 seconds]
11:43 -!- Karou [~smuxi@unaffiliated/karou] has joined #openvpn
11:43 < Karou> yo
11:44 < Karou> is there a config switch for tls-auth for embedding it in the config like ?
11:46 -!- Karou [~smuxi@unaffiliated/karou] has quit [Read error: Connection reset by peer]
11:47 -!- karou [~smuxi@unaffiliated/karou] has joined #openvpn
11:47 < karou> sorry, swapped networks
11:52 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
11:52 < hyper_ch> probably
11:54 < karou> if so what would the syntax for that be
11:55 < hyper_ch> what does the man page say?
11:55 < karou> it doesn't
11:56 < hyper_ch> that's weird...
11:56 < hyper_ch> I guess you must have missed it in the man page
12:03 < karou> yeah, doesn't look like it
12:17 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 252 seconds]
12:17 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
12:25 -!- karou [~smuxi@unaffiliated/karou] has quit [Ping timeout: 245 seconds]
12:35 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:58 < esde> damniy
12:58 < esde> *t
13:01 < esde> In the future, to inline the tls auth key, 'key-direction 1' '' 'static key contents' '' the text between quotes goes on separate lines
13:06 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
13:07 < hyper_ch> a quick google search told me so
13:39 -!- bonjurkes [~bonjurkes@104.131.52.107] has joined #openvpn
13:40 < bonjurkes> guys, I get TLS: tls_process: killed expiring key in my logs. Is it ta key file?
13:40 < bonjurkes> I will post full log when it includes the other bad package error also
13:41 < esde> iirc, thats what shows in the logs when openvpn renegotiates the connection every hour by default
13:41 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
13:42 < bonjurkes> yeah, the other problem is I started to get lots of stuff like Authenticate/Decrypt packet error: bad packet ID (may be a replay)
13:43 < bonjurkes> it was working fine for a long time, right now after some time, my vpn connection stops working, so I need to reconnect to make it work again
13:43 < esde> that could be at least a few different things
13:43 < bonjurkes> I thought it's related with this expiring key thing
13:43 < esde> i've seen people report that syncing the clocks on client and server will resolve the replays
13:43 < bonjurkes> yeah but I never saw that stuff before, and never saw this expiring key thing also.
13:43 < hyper_ch> I just set my keys to expire in 100 years... I don't expect to live that long ;)
13:43 < bonjurkes> aha
13:43 < esde> i've seen people claim it's an attack
13:44 < esde> but for me, it was a faulty NIC
13:44 < bonjurkes> hyper_ch good idea, I didn't know that so I created a normal key with normal expiry date, so I am trying to find it's expiry date now
13:44 < hyper_ch> did you use easy rsa?
13:44 < esde> the client/server keys and certs you generated and their lifetime has no bearing on the ephemeral keys that are renegotiated every hour by default IIRC
13:45 < bonjurkes> hyper_ch afaik yes
13:46 < hyper_ch> then edit the config file
13:46 < hyper_ch> it's in there
13:46 < hyper_ch> well, the vars file
13:46 < esde> You realize you could set the days from 3650 to 999999 and it would still renegotiate every hour, right?
13:47 < esde> you can change the renegotiation time, but vars isnt where to do it
13:47 < bonjurkes> I am just trying to find why my connection stops working after some time
13:47 < bonjurkes> It is connected but pinging etc doesn't work
13:48 < esde> this might be helpful http://openvpn.net/archive/openvpn-users/2005-09/msg00171.html
13:48 <@vpnHelper> Title: Re: [Openvpn-users] VPN disconnecting (possibly re-auth) (at openvpn.net)
13:49 < esde> of course the fact OP is using PAM and cryptocard could make it a one-off situation that wont apply to you, but it's the first thing i found
13:49 < bonjurkes> time is correct and same on both server and client
13:50 < bonjurkes> crt files expiry dates are good, trying to find how to check expiry dates for .key files
13:50 < esde> ..
13:50 < esde> this might be more helpful http://openvpn.net/archive/openvpn-users/2007-07/msg00104.html
13:50 <@vpnHelper> Title: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean? (at openvpn.net)
13:51 < bonjurkes> I don't know expiry dates of my tls keys
13:55 < bonjurkes> aha so it's not really some certificate or tls key is expiring for real, it's just the 1 hour timeout to generate new key?
13:56 < bonjurkes> esde did I get it right?
13:56 < esde> ephemeral keys, check it out
13:57 < esde> they are real keys, by default only used for an hour.
13:58 < bonjurkes> Authenticate/Decrypt packet error: packet HMAC authentication failed
13:58 < bonjurkes> Sun May 25 19:40:12 2014 us=761451 TLS Error: incoming packet authentication failed from
13:58 < bonjurkes> this is from an old log tho
13:58 < esde> That's different
13:59 < bonjurkes> well okay if there are ephemeral keys . Why does my vpn stop working after some time
13:59 < bonjurkes> but stays connected
14:00 < bonjurkes> and reconnecting fixes everything
14:01 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
14:01 < esde> did you read any of the links i provided?
14:01 < esde> specifically http://openvpn.net/archive/openvpn-users/2007-07/msg00104.html
14:01 <@vpnHelper> Title: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean? (at openvpn.net)
14:01 < bonjurkes> esde yes
14:02 < esde> that's got your answer in it
14:03 < bonjurkes> However, the renegotiation doesn't cause OpenVPN to restart; data can still be sent during the negotiation process, and the old key is still valid for a default of 60 minutes and can be changed with the --tran-window option.
14:03 < bonjurkes> this vpn is working rock solid till 2013
14:03 < bonjurkes> what I do is updating client and server versions from time to time that's it
14:04 < esde> well as it's 2015 now, you've waited sometime to address the issue, it seems
14:04 < bonjurkes> but nothing has changed?
14:05 < bonjurkes> same keys, i am a personal user, it's on a vpn in a cloud that nothing else works on it
14:07 -!- crised [~crised@186.67.181.203] has joined #openvpn
14:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
14:08 < bonjurkes> or my level of english sucks
14:08 < esde> !info
14:08 <@vpnHelper> Error: The command "info" is available in the Factoids and RSS plugins. Please specify the plugin whose command you wish to call by using its name as a command before "info".
14:09 < esde> !allinfo
14:09 <@vpnHelper> "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you
14:11 < bonjurkes> ..
14:12 < esde> !effort
14:12 <@vpnHelper> "effort" is If you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
14:13 < bonjurkes> !noclue
14:13 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
14:13 < esde> There is also AS, if you'd like it to "just work". Join #openvpn-as for more information.
14:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:206f:b2a9:3d71:f30b] has joined #openvpn
14:13 < bonjurkes> well there is no canned response about it
14:13 < bonjurkes> I can provide all data required and whatever is needed. But linking to 2 posts didn't ring any bells on me
14:15 < esde> This narration is unnecessary, if you have the info at your disposal, pastebin and share it with the channel the users can help. Else, try access server, which requires far less effort
14:15 < esde> *so the
14:17 -!- Darkclaw66 [~Andre@unaffiliated/darkclaw66] has joined #openvpn
14:17 < Darkclaw66> hi, I am trying to install openvpn 2.3.6_1 and I am getting the following error: Cannot resolve host address: fe80::1: ai_family not supported
14:18 < Darkclaw66> im not sure how to fix this error
14:20 -!- Henryabcd [~Henryabcd@pD9E0AA1A.dip0.t-ipconnect.de] has quit [Quit: Leaving]
14:20 < bonjurkes> esde http://pastebin.com/Ra4XV8H8
14:21 < esde> from lines 476 to 494, everything looks ok
14:22 < crised> !welcome
14:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:22 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:22 < bonjurkes> those huge errors started to appear recently I think, and the problem about connection stop working is related with those loong errors on top
14:22 < crised> !goal
14:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:23 < esde> right bonjurkes
14:23 < Darkclaw66> any chance someone knows how to fix the error im getting?
14:23 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
14:23 < esde> when i had that issue, it was a faulty nic
14:23 < crised> I would like to access a machine that's behind a LAN, this machine can change LANs, so I want to put it in every LAN in the world, and this machine needs to contact my public control server, how to achieve this? Is this an uncommon thing to do?
14:23 < bonjurkes> esde can you describe more about this faulty nic thing?
14:23 < bonjurkes> I mean "nic" part
14:24 < esde> nic = network interface controller
14:24 < esde> the thing you plug the internet cable into on your machine
14:24 < bonjurkes> orr the connection maybe?
14:24 < esde> wat
14:25 < esde> yeah it could be a crappy connection, or the server's nic could be bad too
14:25 < bonjurkes> it's on digitalocean, so I doubt
14:25 < bonjurkes> it's not home hosted server
14:25 < bonjurkes> then it must be about my home connection then? or can be
14:25 < esde> you'd be surprised. DO's infrastructure isn't bleeding-edge or stellar by any means
14:26 < esde> but the fact is (as i mentioned initially), there are at least a few different things that can cause that. the constant is the issue will be something that affects the data traveling over the network
14:27 < Darkclaw66> Im not sure where else to turn to. this is the error I am getting when trying to install openvpn RESOLVE: Cannot resolve host address: fe80::1: ai_family not supported
14:27 < bonjurkes> Darkclaw66 why are you messing up on ipv6 ?
14:27 < esde> !whining
14:27 <@vpnHelper> "whining" is < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
14:27 < Darkclaw66> bonjurkes I am not sure
14:28 < bonjurkes> esde thank you, so it's about networking. Sorry if I sounded like an a.hole or d.bag . Just didn't understand what you meant and those links didn't ring any bells on me. I'm grateful that you helped me
14:28 < esde> Darkclaw66, you've stated your issue at least twice within a short amount of time. Instead of repeating your issue, please provide !allinfo and wait for assistance.
14:29 < esde> good luck bonjurkes!
14:33 < Darkclaw66> I am able to install an older version of openvpn but when I try to connect to it with the client, this is the error I get http://pastebin.com/97xdsqx9
14:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
14:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:46 < bonjurkes> Does openvpn use any encyption for traffic as default? I forgot to uncomment encryption method in server.conf but in the connection log it shows http://pastebin.com/S0JhNzh8
14:47 < hyper_ch> yes
14:47 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
14:47 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
14:47 <@krzee> default it uses blowfish sipher and sha1
14:47 < bonjurkes> Blowfish is default then I assume
14:47 <@krzee> cipher*
14:48 <@krzee> krzee: http://www.usatoday.com/story/tech/2015/01/04/ces-2015-intels-new-biometric-password-manager/21198555/ - what could possibly go wrong... I guess they didn't take notice of 31C3
14:48 <@krzee> wow
14:48 <@vpnHelper> Title: Intel unveils app that opens sites with user's face (at www.usatoday.com)
14:49 <@krzee> i mean, forget 31c3
14:49 <@krzee> we knew this was a DAMN stupid idea for a long long time
14:49 < hyper_ch> yes, but 31c3 has taken it to a whole new level :)
14:49 < hyper_ch> btw, I didn't see you at 31c3
14:50 <@krzee> https://www.youtube.com/watch?v=MAfAVGES-Yc
14:50 <@vpnHelper> Title: MythBusters Fingerprints Busted - YouTube (at www.youtube.com)
14:51 <@krzee> thats mythbusters in 2008 breaking fingerprint readers with a fingerprint touched up (with high tech mspaint.exe) and printed on a normal sheet of paper
14:51 < hyper_ch> well, 31c3... you don't need physical access anymore... just taking pictures is enough for fingerprints and iris
14:51 <@krzee> thats awesome, but it was never a difficulty to get biometrics
14:51 <@krzee> they did go further, but it wasnt an issue anyways
14:52 <@krzee> dont get me wrong, they did awesome work
14:52 < hyper_ch> :)
14:52 <@krzee> certainly not intending to downplay what they did
14:52 < hyper_ch> as do the Mythbusters
14:52 <@krzee> but like, intel knew this was dumb WAY WAY before 31c3
14:52 < hyper_ch> roundabouts are more traffic efficient than a traffic cop or red lights ;)
14:52 <@krzee> that was recent, if it was something that was thought to be secure until 31c3 i would feel sorry for them
14:53 <@krzee> for having used all that $ making the product
14:53 < hyper_ch> unfortunately, roundabouts are deemed to be too complex for the average USian :)
14:54 <@krzee> that episode of mythbusters is fun
14:54 <@krzee> they severely overestimate the machine
14:54 <@krzee> they win, then back off and try with less skill, win, back up, win
14:54 <@krzee> til its just printed on paper
14:56 <@krzee> oh and for legal purposes, biometrics can be compelled in USA
14:56 < hyper_ch> I know
14:57 <@krzee> which is another bad thing about that intel thing
14:57 <@krzee> you give them a method to compel actual passwords
14:57 < hyper_ch> and three-letter-agencies can beat passwords out of you :)
14:57 <@krzee> using a biometric pw manager gives them a legal loophole to compel passwords
14:57 <@krzee> ^ they can and probably do, but not legally.
14:58 < hyper_ch> you know, as long as it's not on US soil, you have no constitutional protection... or so they try to justify it
14:58 <@krzee> not true
14:58 <@krzee> 1sec lemme find the vid from my class
14:59 < hyper_ch> yes, they did use that to justify things
15:00 < esde> however, 1024 bit is weak
15:00 <@krzee> correct
15:01 < esde> re: http://pastebin.com/S0JhNzh8 line 6
15:01 < hyper_ch> add more bits to it :)
15:01 < esde> that's bonjurkes paste
15:02 < hyper_ch> make him add more bits to it :)
15:02 < esde> I wouldn't add more bits. I would remove the weak file and regenerate a stronger one. As I'm not aware of any way to extend the bitsize of an existing cert/key
15:03 < hyper_ch> I'm pretty sure krzee knows a way:)
15:03 <@krzee> hyper_ch,
15:03 <@krzee> 5 - 2 - The Fourth Amendment in Extraterritorial and National Security Contexts (26_32)
15:03 <@krzee> err misfire
15:03 <@krzee> https://class.coursera.org/surveillance-001/lecture/57?_escaped_fragment_=
15:03 <@vpnHelper> Title: The Fourth Amendment in Extraterritorial and National Security Contexts | Coursera (at class.coursera.org)
15:04 < hyper_ch> krzee: however, the administration used this argumentation a few years back
15:04 < hyper_ch> law doesn't matter when it's ignored
15:04 < esde> ^yup
15:04 <@krzee> hence: ^ they can and probably do, but not legally.
15:04 < esde> krzee, is there a way to extend bitsize of existing certs/keys? i.e. - make a 1024 bit key 2048 bits
15:04 <@krzee> esde, nope.
15:05 < hyper_ch> probably not :)
15:05 < hyper_ch> taking the easy route and recreating all the stuff :)
15:05 <@krzee> you'll want the CA to be stronger too anyways
15:05 -!- bonjurkes [~bonjurkes@104.131.52.107] has quit [Ping timeout: 255 seconds]
15:05 <@krzee> prolly want to beef up the digest alg too
15:05 < hyper_ch> in the vars file just set it to 4096, right?
15:05 * esde just rekeyed all his hosts to 8192bit rsa keys (after ed25519 was too much of a PITA :P )
15:05 <@krzee> ya and check your openssl.cnf doesnt suck
15:06 < hyper_ch> 8192 dh generation... you probably can have a nap in between
15:06 < esde> depends on the entropy (;
15:06 < hyper_ch> I've heard that word before :)
15:08 <@krzee> hyper_ch, skip to 7:10 in the video if you like
15:08 < hyper_ch> krzee: seen the openssl link?
15:08 <@krzee> the whole video is great, but 7:10 is where it clearly goes over it
15:09 <@krzee> and really, the whole class is great, not just that video
15:09 < hyper_ch> well, there's no 4th amendment here
15:11 <@krzee> im not sure what the laws are here where im at
15:11 <@krzee> but im generally left alone here anyways
15:11 < hyper_ch> the laws of the strongest?
15:11 <@krzee> *flex*
15:17 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
15:18 <@krzee> reading the openssl link now
15:21 <@krzee> oh also: https://class.coursera.org/surveillance-001/lecture/53
15:21 <@vpnHelper> Title: Decrypting Your Devices (Fifth Amendment Privilege) | Coursera (at class.coursera.org)
15:23 < esde> did i miss a useful openssl link?
15:23 -!- mattock is now known as mattock_afk
15:24 < hyper_ch> esde: https://www.openssl.org/news/secadv_20150108.txt ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
15:24 < esde> ah the exploits from earlier today, yeah. :(
15:28 -!- Darkclaw66 [~Andre@unaffiliated/darkclaw66] has quit []
15:29 <@syzzer> yeah, not very relevant to openvpn, the most recent release doesn't do ECDH anyway :')
15:33 -!- alphawave [~aw@unaffiliated/alphawave] has joined #openvpn
15:35 < hyper_ch> krzee: your forum post has replies again :)
15:38 < alphawave> Openvpn 2.3.6-1 is working fine, no errors, connects and sets up the tun0 interface with correct IP information. Problem is that the system is not using the VPN when it's active. Same as if it wasn't active.
15:38 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
15:38 -!- `Ile` [~ile@178-221-191-46.dynamic.isp.telekom.rs] has joined #openvpn
15:38 < hyper_ch> syzzer: you use android?
15:39 < esde> !goal
15:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:39 <@syzzer> hyper_ch: yes
15:39 < hyper_ch> which openvpn client do you recommend for it?
15:39 <@syzzer> openvpn for android
15:39 <@syzzer> it's the app by plaisthos
15:39 < hyper_ch> can that autoconnect upon restart?
15:39 < esde> i think so
15:40 < hyper_ch> been using the other this far and upon reboot of the phone it asks me if I want to connect again/if I trust the app
15:40 <@syzzer> I wouldn't know, I don't do that
15:40 < alphawave> Goal is to figure out why, when the VPN connection is established, that the system is still using the regular interface as if the VPN wasn't connected.
15:40 < esde> Reconnect on reboot is in the settings
15:40 <@krzee> hyper_ch, is that you on the forum?
15:40 < hyper_ch> syzzer: plaisthos - arne schwabe?
15:40 <@krzee> yes
15:40 < hyper_ch> krzee: no :)
15:40 <@syzzer> hyper_ch: yes, same guy
15:40 < hyper_ch> I'll have to try that then
15:40 < esde> !welcome
15:40 <@krzee> whois him and see his arne@
15:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:40 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:41 < esde> read that too alphawave ^
15:41 <@syzzer> the 'do you trust this app' is an android thing, which no vpn app (up to android 5.0) can avoid
15:41 < hyper_ch> the other one works fine.. except reboot where I need to confirm it again
15:41 < esde> you'll have to with any app that does that
15:41 < hyper_ch> syzzer: no, no idea how to avoid it
15:41 < hyper_ch> not using 5
15:41 < esde> it's default behavior to confirm before connecting to another network and forwarding traffic through or something like that
15:41 < esde> iirc it's a play store best practice
15:42 < hyper_ch> same will happen with the OpenVPN for Android app?
15:42 < esde> yup
15:42 < esde> why would you want it to auto-connect?
15:42 < hyper_ch> awwwwww
15:43 < esde> what if some adversary modified your config?
15:43 < hyper_ch> esde: because I route csipsimple over the vpn to my server
15:43 < esde> BAM - automatically sending your data to god knows who
15:43 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
15:44 < hyper_ch> well, if you just get a dialog whether you want to allow it
15:44 < hyper_ch> you won't notice anyway if someone modified the config
15:44 < esde> you have the opportunity to and that's the point
15:45 < esde> if you want to go clicking yes on dialogs all willy-nilly, that's on you
15:45 < hyper_ch> you always have the opportunity to check your config
15:46 < esde> if you were to boot your phone, and on boot, openvpn immediately connected, to the default config, that may or may not have been modified. you've got zero chance to review what you're connecting to
15:46 < hyper_ch> have you ever reviewed what you're connecting to?
15:46 < esde> but this is a moot point, so i dont see the point in furthering this discussion. it's default behavior for a reason and I doubt the functionality will change just because it's inconvenient for your special use
15:46 < esde> yes i do
15:46 < hyper_ch> every time?
15:47 < esde> yes.
15:47 < esde> it only takes a few seconds
15:47 < esde> are people really this lazy?
15:47 < hyper_ch> yes
15:49 < hyper_ch> krzee: still love battery life on my OPO :)
15:50 <@krzee> same
15:50 < esde> Xposed Module "Auto VPN Dialog Confirm" might be worth a look (never used it personally), maybe. if you're willing to blindly trust the connection automatically
15:51 < hyper_ch> well, as long as baseband is still one big blob, how can you trust anything on a cell phone?
15:53 <@krzee> hyper_ch, looks like we're getting closer, you saw karsten nohl's talk at 31c3 im sure
15:54 < hyper_ch> no
15:54 <@krzee> oh DUDE
15:54 <@krzee> mobile self defense
15:54 <@krzee> also, https://forums.openvpn.net/post48323.html#p48323
15:54 <@vpnHelper> Title: OpenVPN Support Forum Idea for direct connections : Wishlist (at forums.openvpn.net)
15:54 <@krzee> i replied =]
15:56 < hyper_ch> :)
15:56 <@krzee> https://www.youtube.com/watch?v=GeCkO0fWWqc
15:56 <@vpnHelper> Title: Karsten Nohl: Mobile self-defense [31c3] (SnoopSnitch) - YouTube (at www.youtube.com)
15:56 < hyper_ch> but why do you say server1 and server2? I thought it's for direct client-to-client connection
15:56 < hyper_ch> ah, snoopsnitch...
15:57 < hyper_ch> now that rings a bell
15:57 <@krzee> good xcall, refreshed
15:58 <@krzee> changed to client1 client2
15:58 < hyper_ch> :)
15:58 <@krzee> i think of servers because when i do this stuff they're really all a bunch of servers
15:59 < esde> clients serve data to servers :)
15:59 < hyper_ch> servers serve data to clients
15:59 < esde> so their interchangeable?
15:59 < esde> *they're
15:59 < hyper_ch> not always :)
15:59 < esde> :P
16:00 <@krzee> in ptp sure
16:00 < hyper_ch> not in the current setup where everything has to go to a central server
16:00 <@krzee> right but direct connections would happen over impromptu ptp connections
16:01 <@krzee> with keyx happening over the existing centralized vpn
16:01 <@krzee> transparent to the user of course
16:01 < hyper_ch> but you or syzzer need first to implement that of course
16:01 <@krzee> thought you were on it
16:01 < hyper_ch> you have my mental support :)
16:02 < hyper_ch> I only know a bit of PHP
16:02 < hyper_ch> and python and JS terrifies me
16:02 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
16:02 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:03 -!- badon_ is now known as badon
16:05 <@krzee> no problem openvpn uses no python nor js
16:05 < hyper_ch> it probably uses some c dialect
16:05 <@krzee> probably
16:05 < hyper_ch> like c # maybe
16:06 < hyper_ch> and most of it is OOP?
16:09 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
16:18 -!- Darkclaw66 [~Andre@unaffiliated/darkclaw66] has joined #openvpn
16:18 < Darkclaw66> hi, I am trying to have the client connect to the openvpn server and I am getting the following error: http://pastebin.com/cuDrAE5N
16:19 <@krzee> !mitm
16:19 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
16:20 <@krzee> you probably have remote-cert-tls server and did not build the key signed as server
16:21 < Darkclaw66> I used easy-rsa to build all the certs/keys. ./build-ca then ./build-key-server server then ./build-key client1
16:22 <@krzee> easy-rsa 3?
16:22 <@krzee> !easy-rsa
16:22 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:22 < Darkclaw66> looks like 2.0
16:22 <@krzee> since its not too late, i suggest 3
16:23 < Darkclaw66> it looks like the latest version available for my distro is 2.2
16:23 <@krzee> its a shell script, what makes you think its distro specific?
16:23 <@krzee> !easy-rsa
16:23 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:24 < Darkclaw66> I am using freebsd and they have it as a port but I see I can just d/l it separately
16:24 < hyper_ch> krzee: are you involved in the easy rsa scripts?
16:25 <@krzee> no
16:25 <@krzee> !factoids remove 2
16:25 <@krzee> !factoids
16:25 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:26 < Darkclaw66> so the reason why im having these problems is because easyrsa is generating certs/keys not compatible with newer versions of the openvpn client?
16:26 < hyper_ch> no
16:26 <@krzee> !factoids forget easy-rsa 2
16:26 <@vpnHelper> Joo got it.
16:26 <@krzee> !factoids forget easy-rsa 2
16:26 <@vpnHelper> Joo got it.
16:26 < hyper_ch> why do you want to forget the easy rsa 2 download?
16:27 <@krzee> !learn easy-rsa as Download here: https://github.com/OpenVPN/easy-rsa/releases
16:27 <@vpnHelper> Joo got it.
16:27 <@krzee> !learn easy-rsa as Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:27 <@vpnHelper> Joo got it.
16:28 <@krzee> Darkclaw66, yes, but only because of the exact config option you choose to have
16:28 <@krzee> 1sec ill get the other
16:28 <@krzee> --ns-cert-type server
16:29 <@krzee> but really, since you can still update, do
16:29 < Darkclaw66> I'll give it a shot :)
16:30 < hyper_ch> Ha... "Easy-RSA is able to manage multiple PKIs".... so far I just made copies of the easy rsa folder for different servers
16:35 < Darkclaw66> weird, still getting the same error
16:41 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
16:43 -!- alphawave [~aw@unaffiliated/alphawave] has quit [Ping timeout: 265 seconds]
16:43 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
16:47 < Darkclaw66> hmm interesting. I deleted all reference to --ns-cert-type server and remote-cert-tls and now it connects but does that mean openvpn is vulnerable to mitm attacks?
16:48 < esde> more vulnerable to
16:49 -!- `Ile` is now known as Veil
16:49 -!- Veil is now known as Kerkis
16:54 -!- alphawave [~aw@unaffiliated/alphawave] has joined #openvpn
16:55 <@syzzer> Darkclaw66: it means any client can pose as a server
16:55 < esde> that sounds secure
16:55 < esde> /s
16:56 < Darkclaw66> it's funny because I had this all working perfectly in the past when I had a static ip. but now im running it behind a router and it has a private ip address it seems like it created a lot of problems
17:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:00 < esde> i dont see how it's funny. but if you put enough effort into troubleshooting the issue, im sure you'll get it going :)
17:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:16 -!- Kerkis [~ile@178-221-191-46.dynamic.isp.telekom.rs] has quit [Quit: leaving]
17:19 < esde> krzee, you around?
17:20 <@krzee> kinda
17:20 <@krzee> writing some bash too, but still physically at the terminal
17:20 <@krzee> wassup?
17:21 < esde> quick question about that thread. the source port for a user, if i visit http://www.displaymyhostname.com/ for instance and it shows a remote port, is the remote port the same as the one you're talking about
17:21 <@vpnHelper> Title: Display My Hostname - Find your current public hostname (at www.displaymyhostname.com)
17:21 < esde> if /that/ makes sense
17:24 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
17:26 <@krzee> yep, thats likely the same thing
17:26 * esde happy dance
17:27 <@krzee> your web browser sent its request with that srcport
17:27 <@krzee> the webserver then sent its request to that dstport
17:27 <@krzee> thats how the response got through your NAT
17:27 < esde> srcport = dstport?
17:28 < esde> for the client
17:28 < esde> wait. i mean to say, is the client srcport the same as the server's destination port?
17:29 < esde> Yeah, it is, nice.
17:30 <@krzee> easily seen from looking at packet dumps in wireshark
17:31 <@krzee> and once you think about how the nat table works, its not hard to use that to your advantage
17:31 <@krzee> note, you must have keepalives!
17:33 < esde> im not too knowledgeable about NAT but so long as the clients keep sending data thats flagged to keep alive for a duration of time, the connection could persist that way?
17:33 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
17:33 <@krzee> clients?
17:33 < esde> *-y
17:33 <@krzee> this is a 1 - 1 thing
17:33 < esde> A and B
17:33 <@krzee> doesnt matter about being flagged
17:34 <@krzee> just got to have some data
17:34 <@krzee> something so the nat table doesnt remove it
17:34 < esde> so as soon as the port opens, keep using it
17:34 <@krzee> a standard --keepalive is fine
17:35 <@krzee> its possible to have a ptp connection where the vpn is up but no traffic has moved for an hour
17:35 <@krzee> and when more does send, it works fine
17:35 <@krzee> that would not be ok for this.
17:35 < esde> so long as the keepalives are there, got ya
17:35 < esde> very cool
17:35 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 244 seconds]
17:36 -!- Darkclaw66 [~Andre@unaffiliated/darkclaw66] has quit []
17:37 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 245 seconds]
17:38 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
17:38 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:38 -!- mode/#openvpn [+o mattock] by ChanServ
17:48 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
18:03 <@krzee> hey esde, can you read the post again after my edits and tell me if that is more clear?
18:06 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
18:07 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
18:11 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
18:13 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
18:24 -!- alphawave [~aw@unaffiliated/alphawave] has quit [Quit: Leaving]
18:24 -!- crised [~crised@186.67.181.203] has quit [Quit: Leaving.]
18:26 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 256 seconds]
18:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
18:40 -!- phunyguy is now known as phunyguy-zombie
18:42 -!- phunyguy-zombie is now known as phunyguy
19:25 < esde> yeah
19:34 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
19:46 -!- r00t^2_ [~bts@g.rainwreck.com] has joined #openvpn
19:48 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 265 seconds]
19:48 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
19:53 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
19:59 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
20:01 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
20:02 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
20:03 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
20:06 -!- r00t^2_ is now known as r00t^2
20:16 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
20:33 -!- dazo is now known as dazo_afk
20:45 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
21:12 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
21:20 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
21:21 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
21:32 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
21:35 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
21:44 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Remote host closed the connection]
21:46 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
21:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:55 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
22:00 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
22:12 -!- novae [~novae@unaffiliated/novae] has quit [Ping timeout: 264 seconds]
22:17 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
22:18 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
22:19 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
22:24 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Quit: Server shutdown]
22:24 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
22:54 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:56 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:09 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:12 -!- Yoderp [Yoda@unaffiliated/itsyoda] has quit [Ping timeout: 244 seconds]
23:18 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
23:30 -!- ShadniX [dagger@p5481D67A.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:30 -!- Brutser [~email@d51A48718.access.telenet.be] has quit []
23:31 -!- ShadniX [dagger@p5481D788.dip0.t-ipconnect.de] has joined #openvpn
23:36 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
23:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Quit: Lost terminal]
23:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
23:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
--- Day changed Fri Jan 09 2015
00:16 -!- quup [~ppp@unaffiliated/quup] has quit [Ping timeout: 244 seconds]
00:22 -!- edward [~edward@4angle.com] has quit [Read error: Connection reset by peer]
01:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 245 seconds]
01:20 -!- master_o1_master [~master_of@p4FD7BA92.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_of_master [~master_of@p4FD7B201.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
01:56 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:30 -!- brallan [~brallan@186.176.89.59] has joined #openvpn
02:31 < brallan> Hi. Is it possible to restrict VPN traffic for a specific app?
02:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:30 < hyper_ch> depends on the app
03:41 < brallan> hyper_ch: I want for example, use vpn only for torrent traffic, and use "normal" traffic with other apps/resources
03:43 < hypermist> yay two hyper's :D
03:44 < hyper_ch> can your torrent client be bound to a specific interface?
03:45 < brallan> hyper_ch: nope
03:47 < hyper_ch> can it use proxies?
03:48 < brallan> hyper_ch: yes, it can
03:48 < hyper_ch> do you run the vpn server?
03:48 < brallan> hyper_ch: no
03:49 < hyper_ch> then no idea how you could achieve that
03:50 < brallan> hyper_ch: umm, ok thank you :)
03:55 < hypermist> I really want to turn the pc in my bedroom into a vpn. but thats not gunna be any help cause its on the same network..
03:55 < hypermist> xD
04:02 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
04:05 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
04:05 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
04:06 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
04:15 -!- dazo_afk is now known as dazo
04:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:45 -!- brallan [~brallan@186.176.89.59] has quit [Quit: Konversation terminated!]
04:59 < hyper_ch> why would same network prevent you from setting up a vpn?
05:00 < hypermist> cause then i can't mask my ip and stuff things hyper_ch
05:14 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
05:19 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
05:21 < AL13N_work> i got a serious issue, i got a tunnel over UDP where i do voip over, but every packet loss on my ISP seems to result in 2min where i can't ping over the tunnel... then it gets inactivity timeout and restarts
05:21 < AL13N_work> i tried setting keepalive 2 5
05:21 < AL13N_work> but it didn't seem to work
05:22 < AL13N_work> why does the keepalive not work sooner? is it something else?
05:23 < hypermist> hydrajump you there ?
05:24 < hypermist> woops
05:24 < hypermist> sorry i meant hyper_ch reason is i wanted to make an access server so yea
05:35 < pekster> AL13N_work: Using --keepalive 2 5? Do you really want the client to die after missing just 2 stateless packets from the server after 5 seconds? That seems very prone to failure. Try 5 30 or something for a bit more sanity
05:37 < pekster> The main reason for keepalive is two-fold: 1) it keeps stateful firewalls aware that the UDP stream is still alive, because many firewalls (and OS defaults for them) consider UDP streams unused after somewhere between 1 and 5 minutes, and 2) it provides a mechanism by which true connectivity issues (network died, ISP problems, server crashed, etc) can be detected by either end
05:38 < AL13N_work> the problem isn't that it seems
05:39 < pekster> And with --keepalive on the server, you'll need to first restart the server instance (to pick up that change) and then the client instance (to pull it.) And of course your client needs to be using --pull (implied by --client) to have it pushed, and should not specify that itself
05:39 < AL13N_work> it seems a single packet loss from ISP just makes the tunnel non-functional
05:39 < AL13N_work> though it's still up
05:39 < pekster> !configs
05:39 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:40 < AL13N_work> the problem here is that the client doesn't restart itself unless after 2min no matter what ping/ping-restart settings i try on the client
05:41 < pekster> That's not the default behavior with pushing --keepalive which is why I asked for your configs. But I don't have much time this morning, so if you'd rather tell me what your problem is, you probably don't need my suggestions anyway
05:41 < AL13N_work> which means that a single packet loss seems to hang the tunnel, it's still up but eg: a running ping stops until the inactivity timeout restarts the client connection
05:42 < AL13N_work> pekster: sorry, i'll get the config and logs
05:42 < pekster> That's not the default behavior; the client *will* reconnect by default, by definition of what --keepalive does. YMMV if you're using other options or a frontend or initscript that changes them
05:42 < AL13N_work> pekster: but surely i can set ping and ping-restart on a single client? i don't want to kill the other connections that don't have issues
05:42 < AL13N_work> ic
05:43 < pekster> See --client-connect or --client--config-dir for dynamic pushing to clients
05:44 < pekster> You can also set --keepalive (or just the directives it sets) on the client to alter its own timeouts for that client, though then you can't control it from the server anymore. And it has to be defined after --pull in that case
05:44 < AL13N_work> client config: http://pastebin.com/twwADkjQ
05:45 < pekster> Don't use --persist-key and --persist-tun on a client, and don't use the --user and --group options. It's incompatible with dynamic IP assignment unless you've gone to great lengths to assure that the client always gets the same IP with !static reservations
05:46 < AL13N_work> server: http://pastebin.com/P8kVaBYA
05:46 < AL13N_work> in this case, the ips are always the same
05:46 < pekster> --verb 9 is worthless. Use --verb 4 (or 5 when you can't get the initial VPN connection and need per-packet printouts.) >5 is only ever useful for developers who compiled openvpn with special debugging builds
05:47 < AL13N_work> i only changed to 9 to see what went wrong
05:47 < AL13N_work> it was 3 before
05:47 < pekster> You have not done the !static config. Do not have your client persist tun or things are likely to break
05:47 < AL13N_work> ccd only has ifconfig push and iroute
05:48 < pekster> Those would be helpful to see
05:48 < pekster> Also your networks would be useful to know as well, but..
05:48 < pekster> !topsecret
05:48 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
05:48 < pekster> Assuming you haven't overlapped networks, used common networks likely to collide, or otherwise made a mistake somewhere, it may be fine
05:48 < pekster> Also, if you're pushing an IP, you didn't properly limit your dynamic pool
05:48 < pekster> !static
05:48 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
05:49 < pekster> ie: don't use --server with --ifconfig-push (via ccd or --client-connect)
05:49 < AL13N_work> ccd for this client: http://pastebin.com/gnB9QKwc
05:49 < pekster> Expand it, and limit your pool accordingly
05:49 < pekster> You need --topology subnet for that
05:50 < pekster> Otherwise your IPs should be the middle of a /30, which is basically deprecated behavior to support 7-year-old builds with Windows. No one should be running code that ancient
05:50 < AL13N_work> all clients have ccd here
05:50 < pekster> Read wiki info at !topology for details
05:50 < pekster> You're also not pushing your routes for the "hidden" address space. I'm both out of time and since you apparently want to hide your network info (wtf man, really) I can't provide any more useful suggestions
05:51 < AL13N_work> ... fine
05:51 < pekster> I'm unlikely to look for several hours, but someone else might have suggestions in the meantime. Review use of --push
05:51 < pekster> Probably the info/flowcharts at !clientlan too
05:52 < AL13N_work> but this openvpn server has 4 clients, only 1 has issues, and it's due to packet loss from ISP, but somehow it fails to work when a packet loss was there, and immediately all running pings over the tunnel fail until the inactivity timeout
05:52 < AL13N_work> something seems wrong here
05:53 < masterkorp> http://sourceforge.net/p/openvpn/mailman/message/33216641/
05:53 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
05:53 < AL13N_work> i don't need to push routes, these are only iroutes, there's nothing behind the server
05:53 < masterkorp> shameless link for help
06:00 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Quit: Leaving]
06:06 < AL13N_work> pekster: maybe this makes my problem more clearly visible: loglevel 5 on the client side:
06:06 < AL13N_work> http://pastebin.com/6siVawZB
06:06 < AL13N_work> you see the sudden Wr pattern?
06:06 < AL13N_work> this is the moment the tunnel stops working
06:07 < AL13N_work> and at the same time, monitoring shows a single packet loss from ISP
06:07 < AL13N_work> eventually, there's inactivity timeout and the output looks better again... but then it fails again...
06:10 < AL13N_work> imho an UDP tunnel shouldn't suffer from a single packet loss
06:10 < AL13N_work> if this goes on for too long, i'll switch to TCP
06:11 <@ecrist> um
06:11 <@ecrist> UDP is best-effort
06:11 <@ecrist> packet loss is a thing, it's bound to happen at some point.
06:11 <@ecrist> a TCP tunnel isn't ideal for encapsulating VPN traffic
06:11 <@ecrist> !tcp
06:11 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
06:11 < AL13N_work> ecrist: i know
06:12 < AL13N_work> ecrist: i don't mind a few packet losses
06:12 < AL13N_work> but one packet loss shouldn't mean a nonworking tunnel for 2 minutes
06:12 < AL13N_work> i know TCP is a bad idea
06:12 < AL13N_work> and TCP is bad for encapsulating vpn traffic, especially udp stuff like voip (which is what i use in this case)
06:13 < AL13N_work> but i can't have the phone being dead for 2min just because my ISP is doing badly
06:13 < AL13N_work> the ping-restart was indeed pushed, so i put it on the server side now
06:13 < AL13N_work> gonna check if this "works around" the problem
06:14 < AL13N_work> i donno why the tunnel stops working, that's the real problem
06:14 <@ecrist> what do the logs show
06:14 < AL13N_work> we've been using this a lot, but it seems our ISP is having packet loss since this morning
06:14 < AL13N_work> ecrist: http://pastebin.com/6siVawZB
06:15 < AL13N_work> see this?
06:15 < AL13N_work> the Wr stuff means the tunnel is dead and the ping i'm running with interval 0.2 has stopped working
06:16 <@ecrist> no, the Wr stuff is reads and writes from the tunnel
06:17 < AL13N_work> i know
06:17 <@ecrist> though, it does indicate that the local instance is trying to read and not getting anything back.
06:17 < AL13N_work> but do you see the sudden pattern?
06:17 < AL13N_work> right
06:17 <@ecrist> you keep saying you know things, but you say the wrong things
06:17 < AL13N_work> i think i just explain badly
06:17 < AL13N_work> sorry
06:17 < AL13N_work> but i see a pattern
06:18 <@ecrist> what shows in the logs after line 2?
06:18 < AL13N_work> eventually inactivity timeout
06:18 < AL13N_work> lemme get a full log of such a thing
06:19 < AL13N_work> ecrist: http://pastebin.com/VRznXzgw
06:20 < AL13N_work> anyway, the ping i keep running stops at the same time the Wr pattern starts and then after 2min, inactivity timeout
06:21 < AL13N_work> ecrist: do you want something else?
06:22 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
06:23 < masterkorp> http://sourceforge.net/p/openvpn/mailman/message/33216641/
06:23 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
06:23 < masterkorp> another shameless call for help :p
06:23 < AL13N_work> when i look at google people tell mostly about multiple openvpn instances, running or whatever, but i checked that. i even issued a new key and crt to be sure
06:31 < AL13N_work> ecrist: anyway, if you tell me that 1 packet loss means the tunnel will be down, and that is normal behavior, i can leave you alone, but i don't think it does?
06:36 < masterkorp> Can you guys explain me this line 'push “redirect-gateway def1 bypass-dhcp”' or point me to doc about it ?
06:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:45 <@ecrist> !def1
06:45 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
06:46 < masterkorp> thanks
06:50 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
06:52 < masterkorp> Ok, i am thinking on another approach for this
06:53 < masterkorp> Can I have 2 separated openvpn servers in the same machine ?
06:53 < masterkorp> one with udp where the main users get into
06:53 < masterkorp> udp is open to the world
06:53 < masterkorp> openvpn udp is stealthy
06:55 < masterkorp> stealthy as in it can't be mapped on a network scan unless you're really looking for
06:56 < masterkorp> I will have a tcp server that will not be open to the world that will respond to the obfsproxy
06:56 -!- Latrina [~Latrina@ppp-177-9.26-151.libero.it] has quit [Ping timeout: 255 seconds]
07:00 -!- Latrina [~Latrina@151.56.185.105] has joined #openvpn
07:18 -!- _FBi [~B@Aircrack-NG/User] has quit [Excess Flood]
07:19 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
07:23 < AL13N_work> pfff
07:23 < masterkorp> any ideas or suggestions ?
07:27 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 252 seconds]
07:41 <@krzee> Can I have 2 separated openvpn servers in the same machine ?
07:41 <@krzee> you may have more than 2
07:42 <@krzee> they must use different VPN subnets and different listen sockets
07:42 <@krzee> but thats just general networking ;]
07:44 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
07:45 -!- Tracker [~tracker@m88.ip1.anvianet.fi] has quit []
08:02 <@ecrist> they do NOT need different subnets, but that's just advanced networking ;]
08:03 -!- Paladine [~Paladine@secure.think-privacy.com] has joined #openvpn
08:04 < Paladine> anyone managed to get openvpn 0.6.26 for android to work on Lollipop?
08:05 <@plaisthos> Paladine: yes
08:05 < lev__> Paladine: works for me on Nexus 5 (Android 5.0.1)
08:06 < Paladine> I keep getting the following error
08:06 < Paladine> route rejected by android 224.0.0.0/3 bad link address
08:06 <@plaisthos> Paladine: ignore that one
08:06 < Paladine> but my config works fine on windows and kit-kat
08:07 < Paladine> well I would ignore it except it errors straight afterwards ERROR: Cannot open TUN
08:07 < Paladine> and exits
08:07 <@plaisthos> there should be another error before/after that
08:07 < Paladine> nope
08:07 < Paladine> just the rejected route and that error
08:07 <@plaisthos> hm
08:08 <@plaisthos> that was never a fatal error for me
08:08 <@plaisthos> Paladine: do you have full details on? Slider to the right?
08:09 < Paladine> yeah I just did now
08:09 < Paladine> MANAGEMENT: CMD 'needok 'OPENTUN' cancel'
08:10 < Paladine> MANAGEMENT: Client disconnected
08:10 < Paladine> then the TUN error
08:10 < Paladine> and finally MGMT: Got unrecognised command>FATAL:ERROR:Cannot open TUN
08:11 <@plaisthos> anything before the line with cancel?
08:12 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:12 < Paladine> nope, I just went through the log after trying again, nothing else
08:13 < Paladine> let me check my server logs sec (because it does connect to the server for a second)
08:13 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
08:16 < Paladine> SENT CONTROL [home]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway def1 bypas
08:16 < Paladine> s-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
08:17 <@plaisthos> hm
08:17 < Paladine> that is the last command sent from the server
08:17 < Paladine> am wondering if the apk is bad
08:18 < Paladine> I don't use Google Play so I had to get it from another source which I thought would be ok
08:18 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
08:18 < Paladine> that was from syslog, is there an openvpn specific server log? I don't seem to be able to find on in /var/log
08:20 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
08:23 <@krzee> !logfile
08:23 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:23 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:27 < Paladine> I don't get it at all - I mean I am connected to the VPN right now on this windows machine accessing IRC - my tablet on kitkat is connected to the same VPN right now as well, this phone was connected to the VPN 1 hour ago when it was on KitKat but now it is on Lollipop using 0.6.26 it doesn't work and the error doesn't really tell me anything...
08:40 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
08:44 <@krzee> Paladine, well id say you got the right guy paying attention, if plaisthos doesnt know then nobody does :D
08:44 < Paladine> oh I wasn't complaining about the help, just frustrated with the problem :)
08:44 < Paladine> clearly it isnt an issue with the configuration otherwise it wouldn't work for everything else
08:44 <@krzee> right i did not think there was a complaint
08:45 <@plaisthos> Paladine: as an obscure test
08:45 <@plaisthos> add 224.0.0.0/3 to the list of excluded networks
08:45 <@plaisthos> and see if that changes anything
08:46 < Paladine> same error
08:47 < Paladine> the issue seems to be with MANAGEMENT: CMD 'needok 'OPENTUN' cancel'
08:47 < Paladine> it is getting a cancel instead of an ok
08:48 <@plaisthos> yeah
08:48 <@plaisthos> could you send me the whole log?
08:49 < Paladine> earlier in the log I get also MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
08:49 < Paladine> no ok
08:51 < Paladine> trying to figure out how I can grab the log file from android, the only option in the menu is to send
08:52 <@plaisthos> yepp
08:52 <@plaisthos> that should work
08:52 <@plaisthos> and then send it to email/dropbox/sms/pastebin app/whatever :)
08:52 < Paladine> oh I don't have email setup yet that is why I am not getting an email option :)
08:52 < Paladine> do you know where the log is stored on android so I can just grab it?
08:53 <@plaisthos> Paladine: in memory
08:54 <@plaisthos> anyway, http://plai.de/android/ics-openvpn-0.6.27pre.apk, should fix the multicast route error
08:54 <@plaisthos> but I don't think that is really your problem
09:00 < Paladine> I think I know what the problem is
09:00 < Paladine> I am on cyanogenmod and it seems there might be a permissions error on /dev/tun
09:01 <@plaisthos> Paladine: look if there are errors in adb logcat
09:02 <@plaisthos> but openvpn for android *should* log an error message if it does a cancel on the opentun command
09:03 < Paladine> yeah I can't get adb working at the moment, settings keep crashing when I go into developer settings to enable usb debug
09:05 < Paladine> just rebooting phone to see if it fixes dev settings
09:06 <@plaisthos> you should have a line in your log like Failed to open tun interface
09:06 <@plaisthos> Error: something
09:06 <@plaisthos> that something is the real error
09:09 < Paladine> ok weirdness
09:09 < Paladine> reboot fixed openvpn, no more errors
09:09 < Paladine> it is connected and running fine now
09:09 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
09:10 < Paladine> I was sat in alogcat waiting for the error and nothing was happening so I went back to make sure I had hit connect and discovered it connected lol
09:10 < Paladine> so now I have no idea what the problem was but hey at least it works now
09:19 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
09:22 < Paladine> plaisthos, thanks for your help, apologies that I didn't try a reboot sooner
09:25 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:27 * krzee cheers
09:29 <@krzee> hyper_ch, new posts in my wishlist thread
09:30 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
09:31 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 265 seconds]
09:32 <@krzee> https://forums.openvpn.net/post48342.html#p48342
09:32 <@vpnHelper> Title: OpenVPN Support Forum Idea for direct connections : Wishlist (at forums.openvpn.net)
09:32 * krzee thinks plaisthos would like this too
09:32 <@krzee> seeing as arne is the socketmaster
09:34 <@plaisthos> yeah. But so interesting for me ;)
09:35 <@plaisthos> I haven't really looked into nat traversal
09:35 < esde> looks very neat
09:36 -!- dkr [~dkr@108.60.141.178] has joined #openvpn
09:38 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
09:39 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
09:43 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
09:53 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
10:02 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:14 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 264 seconds]
10:19 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
10:33 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:48 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
10:50 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:54 < hyper_ch> krzee: so poking holes in NAT is simple?
10:54 <@krzee> well it depends what we mean by that
10:54 < hyper_ch> wouldn't it be just sufficient if client A would make a request to client B on port XXX
10:54 <@krzee> to support all nat is very not simple
10:55 <@krzee> to support the average household's nat box linksys type router then ya pretty easy
10:55 < hyper_ch> then stateful firewalls should allow back communications for a while
10:55 < hyper_ch> and client B does the same, makes a request to client A on the same port
10:55 < hyper_ch> then on both sides firewalls should be open... or something
10:56 < hyper_ch> well, with IPv6, there's no need for NAT anymore - at least that's what people keep telling me
10:56 <@krzee> right
10:56 < hyper_ch> (I like NAT)
10:56 < hyper_ch> so probably in 20 years, when we have wide-range deployed ipv6....
10:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:58 < hyper_ch> btw, that thread has become quite popular over the last few days :)
10:58 < hyper_ch> (compared to the years before)
10:59 -!- `Yoda is now known as Yoder
11:00 <@krzee> it got buried before the forum had so much activity
11:00 <@krzee> now theres too much activity for the bot to scrape it to irc without flooding
11:01 < hyper_ch> you could make a bot that scrapes your wish list to irc ;)
11:01 <@krzee> the trac is scraped to irc
11:01 <@krzee> thats the real place for that stuff anyways
11:03 < hyper_ch> wishlist isn't so budy
11:03 < hyper_ch> busy
11:04 < hyper_ch> Automatic Version Update --> don't they use linux?
11:05 < hyper_ch> "We are using openvpnas and would have 100+ users for Windows Phone 8 openvpn on use." I never knew so many WP actually got sold....
11:07 < hyper_ch> krzee: there isn't too much going on in the forum
11:07 <@krzee> maybe at the moment
11:07 < hyper_ch> in the main admin subforum there were only like 3 threads updated today
11:07 <@krzee> vpnHelper has flooded off in the past
11:08 < hyper_ch> :)
11:08 < hyper_ch> tomorrow it'll be like 14°.... that's rather warm for middle of january
11:20 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 264 seconds]
11:29 <@krzee> "warm for middle of january" depends on where you are :-p
11:30 < hyper_ch> there should be snow here
11:30 < hyper_ch> and you know what the freezing point of water is, right?
11:30 <@krzee> 14° right now where i live would be a sign of some sort of global event
11:30 <@krzee> 0°
11:30 < hyper_ch> you know your metric system :)
11:30 < hyper_ch> or rather si system
11:31 <@krzee> metric makes far more sense
11:31 < hyper_ch> although si system is a bit redundant
11:31 <@krzee> celsius / kelvin as well
11:31 <@krzee> the usa system is weird
11:31 <@krzee> i mean i understand it, grew up with it, but still weird
11:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:33 <@krzee> we wont be dropping below 25° this week :D
11:33 < hyper_ch> that's rather hot
11:35 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
11:57 -!- _jdccdevel [~chatzilla@69.196.87.218] has joined #openvpn
11:57 < _jdccdevel> Hey all.
12:08 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
12:13 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
12:14 < _jdccdevel> I have a TAP Connection between two systems, and the tap endpoint devices (on both client and server) are bridged with ethernet devices. Traffic is flowing from the client side to the network bridged on the server side, but devices on the client network cannot ping the server. The server has client-to-client enabled. I've checked iptables rules, and everything looks OK. Ideas?
12:15 < pie_> any implications for openvpn?: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
12:20 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
12:23 < _jdccdevel> Also, the client and server cannot ping each other over the bridge. tcpdump shows the packets leaving the client, but not showing up on the server for some reason.
12:23 < _jdccdevel> other bridged traffic is fine though.
12:26 < pie_> im no guru but it still sounds like firewall issues to me, can hosts on the server network ping the server
12:26 < pie_> ?
12:28 < esde> "possibly, for really exotic certificates: DH client certificates accepted without verification [Server] (CVE-2015-0205)" pie
12:29 < _jdccdevel> pie_: Hosts on the server network can ping the server, and the client, and devices on the client network. The visibility problem is between the server and the client and the client network.
12:30 <@krzee> _jdccdevel, why using tap/bridge?
12:31 < _jdccdevel> pie_: Say box 2 is the client, and 3 is the server, with network topology 1-2<->3-4 ... 1 and 2 can see 4 (and vice versa) but not 3
12:32 < _jdccdevel> krzee: need L2 connection (shared subnet), with a L3 link in between (Wan Failover scenario)
12:32 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Max SendQ exceeded]
12:32 <@krzee> sounds valid
12:33 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
12:33 <@krzee> im not much of a tap/bridging guy but id suppose you may need the client tap bridged to its network if you want its lan as part of the bridge
12:33 < hyper_ch> krzee: "Sorry but you are not permitted to use the search system." :(
12:33 <@krzee> hyper_ch, on the forum?
12:33 < hyper_ch> yes
12:33 <@krzee> use google with site:
12:34 <@krzee> the forum search stuff was way beyond suck/broken
12:34 < hyper_ch> can't find a furball thread there
12:34 < hyper_ch> what serious forum has no cute kitten thread....
12:34 <@krzee> !google site:forums.openvpn.net hyper_ch
12:34 <@vpnHelper> OpenVPN Support Forum • "normal ssh" won't work : Configuration:
12:35 < _jdccdevel> krzee: I'm bridging on both sides, and that's mostly working... But neither the client, nor devices on the client's network can see the server. (But they can see devices on the server's network)
12:35 <@krzee> oh interesting
12:35 < hyper_ch> I do have an account there?
12:35 < hyper_ch> I never knew
12:35 <@krzee> tried by lan ip?
12:36 < hyper_ch> 6 years and still newbie
12:36 < _jdccdevel> krzee: when I ping the server IP from the client, tcpdump sees the packets leave via the tap interface, but tcpdump on the server never sees them arrive
12:37 <@krzee> _jdccdevel, and tried vpn ip?
12:37 < _jdccdevel> krzee: which VPN ip, the one configured via server-bridge?
12:38 <@krzee> yes
12:38 <@krzee> probably .1
12:38 <@krzee> 10.8.0.1 or whatev
12:39 < _jdccdevel> krzee: It doesn't see that either, but this is something I'm not 100% confident is configured correctly. In a tap-bridge scenario, which interface should that IP belong to? The Tap interface before bridging, or the bridge?
12:39 <@krzee> no idea i dont bridge
12:39 <@krzee> pekster would likely know, if he happens to pop through
12:40 < _jdccdevel> krzee: Thanks, I'll look for him.
12:40 <@krzee> i think ecrist also plays with bridges
12:42 < masterkorp> Hello
12:42 < masterkorp> Is it possible to serve tcp and udp at the same time?
12:42 < masterkorp> if not, how can I have 2 servers with minimal hassle ?
12:43 <@krzee> only by having 2 separate instances running
12:43 <@krzee> simply use 2 configs and start both
12:43 < masterkorp> will they use the same keys ?
12:43 <@krzee> if you tell them to
12:44 < masterkorp> how do i tell them to ? :)
12:44 <@krzee> not sure what you dont understand
12:45 <@krzee> if both configs reference the same certs, then they will use the same certs
12:45 < masterkorp> oh sweet
12:45 <@krzee> its not like openvpn is writing to the certs
12:45 <@krzee> you can also read those files with programs like cat and openvpn will not care ;]
12:45 < masterkorp> can they have the same ip range and everything ?
12:46 < _jdccdevel> krzee: The Wan is back on its normal circuit now, so the pressure is off a bit. I'm going to experiment a bit now that I know what symptoms to look for.
12:46 <@krzee> masterkorp, they must have a different socket, so one may bind to IP:PORT:TCP and another may bind to IP:PORT:UDP
12:46 < masterkorp> yeah no problem
12:47 <@krzee> masterkorp, for vpn subnet, they will need to have their own
12:47 < masterkorp> aww that sucks
12:47 <@krzee> its 1 push route away from them communicating if needed
12:47 <@krzee> well 1 on each
12:59 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has quit [Read error: Connection reset by peer]
12:59 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
13:03 < masterkorp> true
13:06 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
13:13 < _jdccdevel> krzee: It looks like the vpn ip for both interfaces need to be attached to the bridge (on each side). After playing around a bunch I've been able to get it to work properly that way (And that does make some sense). Now I just have to figure out the configuration options I need to do what I want.
13:18 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has quit [Read error: Connection reset by peer]
13:19 <@krzee> generally i believe at least some of it happens as an up script
13:19 < masterkorp> ok i made the obfsproxy get to the vpn
13:19 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
13:19 <@krzee> awesome
13:19 < masterkorp> but the vpn server tried to make a connection with the client to a port
13:20 < masterkorp> https://www.zerobin.net/?799058a05b4f7bf2#YVUKj8ObzalskLbQAQ7AnuKlpy2P8c8Myw6EJdy4hds=
13:20 <@vpnHelper> Title: ZeroBin (at www.zerobin.net)
13:20 < masterkorp> any ideas how to force all connections to happen through that port
13:20 < masterkorp> ?
13:20 <@krzee> see all port options in the manual
13:21 <@krzee> --lport --rport iirc
13:21 < masterkorp> thanks
13:21 <@krzee> that port you saw was your clients tcp source port
13:22 < masterkorp> the client connects to the obfsproxy server port 80
13:23 < masterkorp> so help me understand the problem
13:24 < masterkorp> TCP connection established with [AF_INET]172.31.37.18:50767
13:24 < masterkorp> why do i see this on the logs
13:24 <@krzee> i dont know your problem
13:24 <@krzee> but i know your client had src port 50767
13:25 <@krzee> dst port 80 from what you said
13:26 < masterkorp> so how do i change that
13:26 <@krzee> by doing what i said the first time you asked that
13:26 < masterkorp> lport ?
13:26 <@krzee> it was only 6 minutes ago
13:26 < masterkorp> or rport ?
13:26 <@krzee> !man
13:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:28 < masterkorp> what is the lport param equivalent on the config file ?
13:29 < masterkorp> is this a server param or client param ?
13:31 < masterkorp> Fri Jan 9 19:31:01 2015 TCP connection established with [AF_INET]172.31.37.18:50779
13:31 < masterkorp> it still tried too
13:58 -!- akamaru [~akamaru21@2601:0:8a80:1064:206f:b2a9:3d71:f30b] has joined #openvpn
14:00 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 265 seconds]
14:02 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:206f:b2a9:3d71:f30b] has quit [Ping timeout: 265 seconds]
14:03 -!- MrSparkle [~MrSparkle@cpe-74-69-103-73.rochester.res.rr.com] has joined #openvpn
14:03 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:11 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Quit: Error closing Trouser.zip - Replace floppy and retry?]
14:14 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 245 seconds]
14:15 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
14:15 -!- mode/#openvpn [+o raidz] by ChanServ
14:15 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Excess Flood]
14:16 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
14:16 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
14:16 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:46 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:46 -!- mode/#openvpn [+v s7r] by ChanServ
14:51 -!- KeatonT [~keatont@keatonstaylor.com] has quit [Ping timeout: 255 seconds]
15:02 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 240 seconds]
15:14 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 252 seconds]
15:15 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:19 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:22 -!- gmc [~gmc@freenode/sponsor/gmc] has joined #openvpn
15:34 -!- dazo is now known as dazo_afk
15:35 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
15:37 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
15:42 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:45 -!- Henryabcd [~Henryabcd@pD9E087C7.dip0.t-ipconnect.de] has joined #openvpn
15:52 -!- Henryabcd [~Henryabcd@pD9E087C7.dip0.t-ipconnect.de] has quit [Quit: Leaving]
16:00 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
16:00 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:02 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:33 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
17:04 -!- _jdccdevel [~chatzilla@69.196.87.218] has left #openvpn []
17:04 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:13 -!- mattock is now known as mattock_afk
17:22 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Remote host closed the connection]
17:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:30 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
17:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:55 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
17:56 < linuxthefish> hi, why does openvpn not work on windows 8.1 ?
17:58 <@krzee> works for others
17:58 <@krzee> !8ball
17:58 <@krzee> !crystalball
17:58 <@krzee> !crystal
17:58 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
17:59 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:59 < svm_invictvs> so...
18:01 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
18:01 < linuxthefish> i've talked to many people who say openvpn does not work in windows 8.1...
18:01 < linuxthefish> it connects fine but network is not connected
18:02 < svm_invictvs> Why would a VPN work fine on one OS but not another
18:02 < linuxthefish> yet on other PC can connect and connected to vpn network
18:02 < svm_invictvs> OSX, my VPN connection works without any issues.
18:02 < svm_invictvs> Windows, not so much
18:02 < svm_invictvs> I've tried turning off the firewall to no avail
18:02 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
18:03 <@krzee> svm_invictvs, whats the error
18:04 < svm_invictvs> krzee: Nothing
18:05 < svm_invictvs> krzee: Windows connects successfully, the GUI icon goes green
18:05 <@krzee> svm_invictvs, linuxthefish, did you change the gui to always start as admin?
18:05 < linuxthefish> yes
18:05 <@krzee> svm_invictvs, you also on 8.1?
18:05 < svm_invictvs> Yes
18:05 < linuxthefish> it works now after reboot :S
18:05 <@krzee> :D
18:05 < svm_invictvs> Whatever client is current as of like 4 weeks ago
18:05 <@krzee> windows 8.1
18:05 <@krzee> seems like people always show up in waves with the same problem
18:05 < svm_invictvs> oh, no
18:06 < svm_invictvs> Windows 7
18:06 <@krzee> did you disable the windows firewall on the tap interface?
18:09 < svm_invictvs> Yeah
18:09 < svm_invictvs> Well, I think I did
18:09 < svm_invictvs> I'm a bit lost on how to actually disable it on the interface
18:10 < svm_invictvs> so I just disabled it completely
18:10 <@krzee> then give it a reboot
18:11 <@krzee> and test again
18:12 < svm_invictvs> Okay
18:14 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:23 < esde> svm_invictvs, did you run the vpn gui as administrator the first time?
18:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:23 < esde> oh nvm
18:23 < esde> are you using the client from !download?
18:26 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 264 seconds]
18:27 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:41 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
18:42 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:42 < esde> see if this helps http://pastebin.com/mPCkh6Ga
19:23 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
19:29 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 264 seconds]
19:32 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
19:32 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 276 seconds]
19:34 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: reboot]
19:37 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
19:50 -!- Paladine [~Paladine@secure.think-privacy.com] has quit [Quit: Leaving]
20:08 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
20:24 -!- ArtVandalae [~SuperUnkn@CPE-110-148-145-150.vxl8.lon.bigpond.net.au] has joined #openvpn
20:28 < ArtVandalae> Hi all. I've been using OpenVPN for years as a "road warrior", it's a fantastic piece of software. I'm currently looking for a different use-case. I'm looking to configure a 24/7 remote server (as opposed to a human with a laptop/desktop) to VPN into a site. What's the recommended way to do this? Authentication via shared secret, certificates, etc. Anything else that I need to know? Any guides would be much appreciated
20:28 < ArtVandalae> . I'm having issues finding guides on Google because I think I'm using wrong terminology
20:30 < esde> You came to the right place!
20:31 < esde> type !welcome
20:32 < ArtVandalae> !welcome
20:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
20:32 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:32 < esde> you have goal almost covered, but we need a few more details
20:34 < ArtVandalae> !howto
20:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:50 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
21:11 < BtbN> You don't really need to change anything.
21:11 < BtbN> Works the exact same way
21:46 -!- novae [~novae@unaffiliated/novae] has quit [Ping timeout: 244 seconds]
21:52 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:04 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
22:04 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
22:07 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
22:10 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
22:24 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:27 -!- ampsix [uid26275@gateway/web/irccloud.com/x-dyxiyxsgndexsnur] has joined #openvpn
22:58 -!- jadergabriel [~quassel@179-197-167-254.user.veloxzone.com.br] has joined #openvpn
23:13 -!- jadergabriel [~quassel@179-197-167-254.user.veloxzone.com.br] has quit [Remote host closed the connection]
23:32 -!- ShadniX [dagger@p5481D788.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:32 -!- ShadniX_ [dagger@p5DDFE699.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- ShadniX_ is now known as ShadniX
23:37 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
23:42 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
23:45 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:49 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
23:50 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Quit: and in a dream i'm a different me, with a perfect you, we fit perfectly, and for once in my life i feel complete- and i still want to ruin it, afraid to look, as clear as day, this plan has long been underway, i hear them call, i cannot stay, the voice i]
--- Day changed Sat Jan 10 2015
00:12 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Quit: ZNC - http://znc.in]
00:17 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
01:20 -!- master_of_master [~master_of@p4FD7B43F.dip0.t-ipconnect.de] has joined #openvpn
01:24 -!- master_o1_master [~master_of@p4FD7BA92.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
01:36 < hyper_ch> good morning, channel
02:12 -!- Veverak [~Squirrel@ip-89-102-104-133.net.upcbroadband.cz] has quit [Ping timeout: 245 seconds]
02:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
02:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:39 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
02:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
03:21 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:46 -!- mattock_afk is now known as mattock
03:50 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 245 seconds]
03:51 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 265 seconds]
04:08 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
04:09 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:25 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
04:25 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
04:29 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
04:41 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:43 -!- ampsix [uid26275@gateway/web/irccloud.com/x-dyxiyxsgndexsnur] has quit [Quit: Connection closed for inactivity]
05:11 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
05:39 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 264 seconds]
05:45 -!- Latrina [~Latrina@151.56.185.105] has quit [Ping timeout: 244 seconds]
05:48 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
05:50 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
05:50 -!- Latrina [~Latrina@ppp-170-5.26-151.libero.it] has joined #openvpn
05:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:40 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
06:41 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
07:28 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
07:30 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:34 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 244 seconds]
07:34 -!- TBJoe [~TBJoe@drms-4d0d6cff.pool.mediaWays.net] has joined #openvpn
07:35 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:37 -!- brallan [~brallan@186.176.89.59] has joined #openvpn
07:38 < brallan> Hi. Can anyone help me with VPN splitting?
07:41 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:44 < esde> brallan, type !welcome
07:44 < brallan> !welcome
07:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:45 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:46 < brallan> !interface
07:46 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
07:52 < brallan> esde: Right now I can connect to VPN, but I want to restrict it to one application (KTorrent) and keep other ones unaffected. I am not the server, my app can use proxy and use specific interface
07:53 < hyper_ch> esde: your nick isn't an abbreviation for esdeath, right?
07:56 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:02 -!- natha_n [~nathan@unaffiliated/natha-n/x-3655843] has joined #openvpn
08:07 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
08:07 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:10 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
08:16 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
08:16 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:21 < esde> brallan, I've not worked with openvpn on a per application basis. but for the time being (until you work out how to do it with openvpn), try creating an ssh session with the server (the one you'd like to forward ktorrent traffic through) with a port forward option. and only define localhost:$forwarded_port within ktorrent. then ktorrent goes through the server and everything else works as normal.
08:22 < esde> it might not be an ideal solution, but it could work as a band-aid until you get the fix you need :)
08:35 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
08:36 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Max SendQ exceeded]
08:42 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
08:44 -!- natha_n [~nathan@unaffiliated/natha-n/x-3655843] has quit [Remote host closed the connection]
08:51 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
08:52 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
08:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 264 seconds]
08:58 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
09:02 -!- mirco [~mirco@tmo-113-153.customers.d1-online.com] has joined #openvpn
09:02 -!- mirco [~mirco@tmo-113-153.customers.d1-online.com] has quit [Remote host closed the connection]
09:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:15 -!- tekk [~me@185.17.149.149] has quit [Ping timeout: 264 seconds]
09:24 -!- brallan [~brallan@186.176.89.59] has quit [Quit: Konversation terminated!]
10:12 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 245 seconds]
10:23 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
10:33 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
10:37 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 264 seconds]
10:38 -!- hyper_ch [~hyper_ch@81.4.108.20] has quit [Changing host]
10:38 -!- hyper_ch [~hyper_ch@unaffiliated/hyper-ch/x-5230410] has joined #openvpn
10:42 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
10:43 -!- mode/#openvpn [+o raidz] by ChanServ
10:56 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Quit: Gone...]
11:05 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Quit: 98% of all constipated people don't give a crap.]
11:23 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
11:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
11:36 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:55 < hyper_ch> krzee: https://scontent-a-ord.xx.fbcdn.net/hphotos-xfa1/v/t1.0-9/10924790_676027922516411_3609482144127501544_n.jpg?oh=3cd739fb18434e923511a15340c70651&oe=5536E80A
11:57 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
11:59 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
12:06 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
12:06 -!- johnfg [johnfg@spirit.org] has joined #openvpn
12:07 < johnfg> hi folks
12:07 < johnfg> I'm stumped over some behavior of openvpn.
12:07 < johnfg> All's fine with my original server and clients (3 of them).
12:08 < johnfg> However, when I want to add a new client, I get a tls error.
12:10 < johnfg> I source ./vars; do a ./build-key client4; copy the ca.* and client5.* files to the new client; edit client.conf to reflect the server; and add client5 to /etc/openvpn/ccd.
12:10 < johnfg> But, it won't connect due to a TLS error.
12:10 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
12:12 < johnfg> If I were to shut down an existing client, then use its client and server files, then I can connect.
12:12 < johnfg> What to do?
12:13 < pekster> If you copied your ca.key to the client, your entire PKI is compromised
12:14 < pekster> !intro-to-pki
12:14 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
12:15 < hyper_ch> what makes easy-rsa 3.0 better than 2.0?
12:15 < johnfg> pekster: But that's not why the new client can't connect, right?
12:15 < pekster> Nope. There are a number of TLS errors, so without !logs it's hard to say anything
12:15 < pekster> (logs from both ends)
12:16 < johnfg> pekster: ok.
12:17 < pekster> hyper_ch: It's a complete re-write, because 2.0 was hard to maintain, did a horrible job of supporting true CA separation (ie: all nodes, servers & clients, should send a CSR to get signed, and 2.0 did that poorly)
12:17 < hyper_ch> I see
12:18 < pekster> See that !hardening wiki link on PKI security recommendations, plus the above intro if you're new to PKI concepts
12:18 < johnfg> Here's from the server: http://dpaste.com/0H6CDGZ
12:18 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
12:18 < hyper_ch> but is there anything wrong with the keys and certs generate from 2.x?
12:19 < pekster> Until the most recent release, they're using 1024-bit key sizes by default, largely considered too small today. There's also the potential exposure of (by design) the org/company/city/state info in the "traditional" X.509 field model that's useless to openvpn
12:20 < pekster> If people fill them in honestly, it makes cold-call attacks a bit easier if you know that guy at the coffee shop is "John Doe, working for the Customer Sales division of Acme Widgets, Inc." -- giving that info out by default is usually quite silly.
12:23 < pekster> johnfg: Looks like the server can't validate the client's cert against the CA; it might not be signed by the same PKI
12:23 < hyper_ch> well, I did change to 4096
12:23 < hyper_ch> and altered to aes something
12:23 < pekster> You can check by taking the _actual_ cert the client is presenting and verifying it to:
12:23 < pekster> !verify
12:23 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
12:24 < hyper_ch> does 3.0 now have as default 2048 or 4096 bit?
12:24 < pekster> 2048 by default
12:24 < hyper_ch> why so low?
12:25 < hyper_ch> well, I need to use 2048 for my snom phones... they can only handle that much
12:25 < hyper_ch> (according to the documentation...)
12:25 < pekster> Because increasing it won't really do what you expect from a cryptographic standpoint, and has very real implications in embedded and mobile environments
12:25 < pekster> You're free to do so if you want, but it doesn't make sense to use 4k as a default for everyone
12:26 < hyper_ch> I fail to see why it doesn't make sense to use 4k as default
12:26 < pekster> Bummer.
12:27 < pekster> !hardening
12:27 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
12:27 < pekster> And that "EU suggestion" is kind of moot anyway: just re-issue your keys at _least_ once a decade, which you should be anyway
12:27 < hyper_ch> but once a decade is pretty frequent...
12:27 < pekster> For an end-node? Not really
12:28 < pekster> Web servers often have to get new certificates every 1-5 years from "real" CAs
12:28 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
12:28 < hyper_ch> I made mine valid for 36500 days :)
12:28 < troulouliou_dev> hi is it possible to connect multiple clients with a tun setup ?
12:28 < pekster> Yea, RSA is going to be broken in the next "100 years" almost without a doubt
12:28 < pekster> ECC is the next thing anyway. ##security can explain why.
12:29 < hyper_ch> error correcting code?
12:29 < hyper_ch> electronic credit cards?
12:29 < hyper_ch> troulouliou_dev: what do you mean?
12:29 < pekster> Surely you can try harder. https://en.wikipedia.org/wiki/ECC
12:29 <@vpnHelper> Title: ECC - Wikipedia, the free encyclopedia (at en.wikipedia.org)
12:30 < pekster> troulouliou_dev: Yes, use a multi-client mode for your server
12:30 < pekster> TLS is required for that
12:30 < pekster> (ie: you can't use --secret and support multiple clients)
12:30 < troulouliou_dev> pekster, yes i have with topology subnet
12:30 < troulouliou_dev> pekster, but i can't connect client between them
12:31 < troulouliou_dev> but all can connect server
12:31 < pekster> What's your goal here? Are you just trying to let the clients reach other clients over the VPN, using the VPN network addressing?
12:32 < pekster> You'll either need to allow that in your OS firewall on the server (and obviously the client's firewalls too) or see --client-to-client in the manpage to let openvpn route such traffic directly, without hitting your server-side OS firewall
12:33 < pekster> Personally I'd recommend going the firewall approach so you don't need to restart your server if you ever need to firewall one client uniquely, but it depends on what you want/need really
12:34 < troulouliou_dev> pekster, i want all client to be visible between them
12:34 < pekster> Right, so I just gave you 2 solutions to that
12:34 < pekster> Pick which one works better and implement it
12:34 < troulouliou_dev> pekster, it works with tap flawlessly with remote clients and some vm bridge to the tap
12:35 < troulouliou_dev> pekster, but in this mode the latency is too high and i have problems with freeswitch / sip
12:35 < pekster> It's best not to use tap unless you need non-IP (ie: raw Ethernet frame support)
12:35 < troulouliou_dev> mainly due to echo cancellation / lag issue
12:36 < troulouliou_dev> pekster, so in tun i need to put my vms in a separate network and route ?
12:37 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
12:37 < pekster> What's a VM got to do with it? OpenVPN doesn't care, and it's just "a computer"
12:37 < troulouliou_dev> pekster, even if i connect my vm by vpn i can't connect clients between them without routing
12:37 < pekster> You only mentioned you have clients, which in the context of openvpn, are location-agnostic. I don't understand what this "separate network" for your VMs has to do with your originally stated goal of allowing the OpenVPN clients to talk directly to another OpenVPN client
12:38 < pekster> So, back up a moment. Is _all_ you want to do connect 2 or more OpenVPN clients and allow them to reach other clients on this same VPN, using the unique addressing the openvpn server is using?
12:38 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
12:38 < troulouliou_dev> pekster, yes
12:39 < pekster> Then the OpenVPN server uses a network (RFC1918 is fine here, best to pick an unlikely to collide network) and your clients connect to it. Then configure your firewall properly on the server to allow forwarding between the clients, or optionally have openvpn route client traffic directly by using --client-to-client (both from my suggestions to you earlier)
12:39 < pekster> That's it.
12:40 < pekster> You _cannot_ re-use that OpenVPN network on any OpenVPN node (server or any clients.)
12:40 < pekster> It'd be like having 2 houses named "123 Fake Street" -- how would the mail carrier know which to deliver mail to
12:40 < troulouliou_dev> pekster, yeah just figured out too thanks ; but without client-to-client what is the difference between topology subnet and p2p ?
12:41 < johnfg> Here's from the client: http://dpaste.com/0XAEK7Q
12:41 < pekster> One uses Point-to-Point networking, the other forms a more traditional subnet. Unless you know 1) you're never going to use Windows clients on your VPN, and 2) you're handling pushing the client supernet over the VPN to all clients, you should not use p2p
12:42 < pekster> troulouliou_dev: See also a description of topology options here:
12:42 < pekster> !topology
12:42 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:42 < pekster> You almost surely want --topology subnet
12:43 < troulouliou_dev> pekster, and if i want to improve latency ; but not allow client to client then i use p2p
12:43 < pekster> Nope
12:43 < pekster> It makes exactly zero difference for latency
12:43 < troulouliou_dev> pekster, ok got it perfect thanks :)
12:44 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
12:44 < pekster> johnfg: Right, the issue is that the server cannot validate your certificate. I gave you the !validate info above
12:44 < pekster> Did you do that? What did you find out by having the server validate the exact same certificate the client is using (best to actually send it over from the client based on the file referenced in the client's config)
12:44 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
12:48 < troulouliou_dev> pekster, where does the latency come from in tap mode, from additional arp .. packets
12:48 < troulouliou_dev> pekster, or from internal process ?
12:50 < pekster> Mostly the additional RTT for ARP, yea. There's a slight loss of efficiency due to the Ethernet frame overhead, but that's not usually relevant for RTP like SIP. L2 is also less secure since any client can spoof another client's IP
12:53 -!- stewi [~quassel@2400:6800:ffff:2:3507:a9ac:1cfa:235c] has joined #openvpn
12:56 -!- tekk [~me@185.17.149.149] has joined #openvpn
13:01 -!- gringao [~gringao@2a02-8420-4d45-cf00-e024-00bc-1228-edb9.rev.sfr.net] has joined #openvpn
13:43 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 265 seconds]
13:56 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
14:03 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
14:07 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
14:14 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit []
14:14 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
14:16 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
14:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
14:24 < ljvb> looking for help still.. trying to figure out what the problem is with the handoff between my internal ovpn tunnel and the outside world.
14:26 < ljvb> doing a speed tests.. from A to B (b being the openvpn server and gateway) I get "Download: 29.43 Mbit/s", between b and the internet I get Download: 564.27 Mbit/s, between a and the internet going through b, I get around 2 to 3 MBit
14:26 < ljvb> (fyi, a network limitation is 30Mbit, so that's about right)
14:27 < ljvb> freebsd, not an appliance, just openvpn, freebsd, and pf
14:50 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Quit: Konversation terminated!]
14:54 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
14:58 -!- mattock is now known as mattock_afk
15:14 -!- i336_ [~i336_@101.174.0.19] has joined #openvpn
15:15 < i336_> Hey. I want OpenVPN to handle all network I/O for a given set of processes on Linux, some of which will be being run through WINE. Where do I start?
15:33 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
15:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
16:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
16:27 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:39 -!- shio [marmot@6.121.101.84.rev.sfr.net] has quit [Ping timeout: 255 seconds]
16:42 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
16:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:01 -!- z1ktest [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
17:01 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
17:04 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 264 seconds]
17:04 < Thermi> i336_: Run those applications inside a dedicated network namespace and create virtual adapters, whose traffic is routed through your openvpn tun device.
17:06 < i336_> ah. I see...
17:06 < i336_> so like, a cgroup where the only network device is the virtual adapter?
17:06 < Thermi> i336_: I don't know anything about cgroups, sorry.
17:07 < Thermi> It's a semi contained network area with its own routing table, network devices and stuff.
17:07 < Thermi> Interaction with the normal namespace is done using virtual interfaces
17:07 < i336_> right. Yeah, I was trying to figure out what you meant by "dedicated network namespace"
17:08 < i336_> and what actual /thing/ that term translated to in practice =P
17:08 < Thermi> network namespace
17:08 < Thermi> netns
17:08 < Thermi> ip netns help
17:09 < i336_> oh ok
17:10 < i336_> ohh. Interesting
17:11 < i336_> thanks, I'll run with that and see how I go...
17:12 < Thermi> Sure, sure.
17:12 < Thermi> Don't mind bothering me with any specifics or other questions. Sadly, that is all I know about network namespaces on Linux.
17:18 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
17:19 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
17:35 -!- idl0r [~idl0r@gentoo/developer/idl0r] has quit [Ping timeout: 244 seconds]
17:43 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:47 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
17:51 -!- z1ktest [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 264 seconds]
17:52 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
18:03 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
18:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
18:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
18:29 -!- shio [marmot@6.121.101.84.rev.sfr.net] has joined #openvpn
18:47 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
18:48 -!- z1ktest [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
18:51 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 256 seconds]
18:53 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
18:53 -!- z1ktest [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 245 seconds]
18:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
18:56 -!- TBJoe [~TBJoe@drms-4d0d6cff.pool.mediaWays.net] has quit [Quit: TBJoe]
19:00 -!- JackWinter [~jack@vodsl-9520.vo.lu] has quit [Quit: Konversation terminated!]
19:01 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 244 seconds]
19:04 -!- JackWinter [~jack@vodsl-9520.vo.lu] has joined #openvpn
19:12 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
19:17 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Ping timeout: 252 seconds]
19:20 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
19:21 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
19:22 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
19:23 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
19:25 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Remote host closed the connection]
19:30 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
19:31 -!- mode/#openvpn [+v RBecker] by ChanServ
19:48 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
19:49 < bluenemo> hi guys. can i only use crl-verify when I actually have a crl.pem file? When I create the server I'd like to already specify a crl.pem path, as the server auto updates the crl.pem file for new clients as far as i know. so when I start the server the first time I don't have banned clients yet, and therefore no crl.pem file. can I supply a dummy crl.pem file somehow until i have my first unwanted certificate?
19:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
20:05 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
20:06 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
20:29 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
20:43 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
21:11 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Read error: Connection reset by peer]
21:14 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
21:18 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 252 seconds]
21:19 < esde> !revoke
21:19 < esde> !crl
21:19 <@vpnHelper> "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
21:19 < esde> bluenemo, ^
21:19 < esde> :)
21:24 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
21:41 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
21:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:06 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:11 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
22:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:03 -!- akamaru [~akamaru21@2601:0:8a80:1064:206f:b2a9:3d71:f30b] has quit [Read error: Connection reset by peer]
23:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:d8d3:44be:23fe:c65b] has joined #openvpn
23:12 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
23:16 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:19 -!- akamaru [~akamaru21@2601:0:8a80:1064:1c44:fefa:fd88:b819] has joined #openvpn
23:20 -!- akamaruu [~akamaru21@2601:0:8a80:1064:7c81:4727:3145:a8f4] has joined #openvpn
23:22 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:d8d3:44be:23fe:c65b] has quit [Ping timeout: 244 seconds]
23:24 -!- akamaru [~akamaru21@2601:0:8a80:1064:1c44:fefa:fd88:b819] has quit [Ping timeout: 265 seconds]
23:27 -!- akamaruu [~akamaru21@2601:0:8a80:1064:7c81:4727:3145:a8f4] has quit [Ping timeout: 265 seconds]
23:29 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
23:32 -!- ShadniX [dagger@p5DDFE699.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:33 -!- ShadniX_ [dagger@p5DDFCE07.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- ShadniX_ is now known as ShadniX
23:35 -!- kossy [a@unaffiliated/kossy] has quit [Excess Flood]
23:38 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
23:45 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 244 seconds]
23:50 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
23:54 -!- novae [~novae@unaffiliated/novae] has quit [Ping timeout: 264 seconds]
23:57 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e051:1773:8bb:8586] has joined #openvpn
--- Day changed Sun Jan 11 2015
00:04 -!- stewi [~quassel@2400:6800:ffff:2:3507:a9ac:1cfa:235c] has quit [Quit: No Ping reply in 180 seconds.]
00:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
00:28 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
00:29 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
00:30 -!- mode/#openvpn [+v RBecker] by ChanServ
00:48 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
00:49 -!- gerforce [~zoujunc@120.210.161.234] has joined #openvpn
01:02 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
01:02 < altker128> Hey guys. Anyone here use Tunnelblick on OSX Mavericks?
01:15 -!- gerforce [~zoujunc@120.210.161.234] has quit [Quit: leaving]
01:19 -!- MACscr [~Adium@2601:d:c800:de3:b96b:9a2d:7865:a240] has quit [Ping timeout: 244 seconds]
01:20 -!- master_o1_master [~master_of@p4FF24B56.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_of_master [~master_of@p4FD7B43F.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
01:24 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
01:35 -!- u0m3 [~u0m3@92.80.69.178] has quit [Ping timeout: 245 seconds]
01:39 < hyper_ch> no
01:57 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit [Ping timeout: 256 seconds]
03:01 -!- Henryabcd [~Henryabcd@pD9E0AAB8.dip0.t-ipconnect.de] has joined #openvpn
03:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:19 -!- Henryabcd [~Henryabcd@pD9E0AAB8.dip0.t-ipconnect.de] has quit [Quit: Leaving]
03:25 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
03:26 -!- u0m3 [~u0m3@92.80.116.127] has joined #openvpn
03:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
03:45 -!- i336_ [~i336_@101.174.0.19] has quit [Ping timeout: 265 seconds]
03:59 -!- mattock_afk is now known as mattock
04:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:21 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:21 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
04:26 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 256 seconds]
04:26 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:27 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
04:31 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
04:32 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 255 seconds]
04:32 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:38 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 265 seconds]
04:38 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:43 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 264 seconds]
04:49 -!- tobinski [~tobinski@x2f5eafa.dyn.telefonica.de] has joined #openvpn
04:49 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:53 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
05:00 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Max SendQ exceeded]
05:02 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
05:04 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Max SendQ exceeded]
05:04 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
05:30 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
05:31 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
05:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:48 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
05:50 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
05:53 -!- rhagu [5ed98f15@gateway/web/freenode/ip.94.217.143.21] has joined #openvpn
05:57 < rhagu> Hi, what Android client (open source and free of charge) is secure and recommended?
05:57 <@plaisthos> !faq
05:57 <@vpnHelper> "faq" is (#1) http://openvpn.net/index.php/documentation/faq.html or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
05:57 <@plaisthos> hm not that one
05:58 <@plaisthos> !learn android as https://code.google.com/p/ics-openvpn/wiki/FAQ
05:58 <@vpnHelper> Joo got it.
05:58 <@plaisthos> see that FAQ: Difference between android clients
06:01 < rhagu> Thanks, I guess openvpn connect is the way to go then
06:03 <@plaisthos> depends on what you are trying to accomplish
06:03 < rhagu> I have a owncloud server which hands out carddav and caldav data in my vpn and would like to connect to it via vpn
06:10 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
06:12 < rhagu> this is the config I use on my ubuntu laptop: http://pastebin.com/9g7f03aQ
06:18 -!- rhagu [5ed98f15@gateway/web/freenode/ip.94.217.143.21] has quit [Ping timeout: 246 seconds]
06:37 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
06:55 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
06:58 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
06:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
07:39 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 244 seconds]
07:52 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Quit: leaving]
07:52 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
07:58 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
07:59 < hyper_ch> krzee: can anyone just ask to get an openvpn host cloak on freenode?
08:11 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
08:23 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:30 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
08:41 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 264 seconds]
08:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
09:15 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
09:32 -!- tobinski [~tobinski@x2f5eafa.dyn.telefonica.de] has quit [Quit: Leaving]
09:47 -!- gringao [~gringao@2a02-8420-4d45-cf00-e024-00bc-1228-edb9.rev.sfr.net] has quit [Ping timeout: 244 seconds]
09:54 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
10:06 -!- webczat [webczat@webczatnet.pl] has joined #openvpn
10:07 < webczat> !welcome
10:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:09 < webczat> questions: if I have any globally routed pool ipv4 or ipv6, do I always need to have another public or private v4/v6 address over which the parent router can send packets coming to those routed subnets?
10:11 < webczat> Yes, I am starting with questions from general networking, but in general my goal is to configure ipv6-only vpn with openvpn, I am just trying to also understand exactly what I am doing or going to do
10:16 < webczat> ethernet links have (at least sometimes) local link addresses like fe80::/64 for this too, am I right? but I am not sure how do you actually configure openvpn in dev tun mode when I wanted to use ipv6, I mean server side.. I wanted to run openvpn in server mode
10:17 < webczat> the problem is the ifconfig-ipv6 setting. what is the remote address on the server?
10:23 -!- ddddddda [~yaaic@unaffiliated/he110wo1d] has joined #openvpn
10:29 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:49 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Remote host closed the connection]
10:51 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
10:53 <@krzee> hyper_ch, sure, user cloaks for all!
10:54 <@krzee> see ecrist for yours
11:09 < pekster> altker128: Tunnelblick is the most popular build and frontend for Macs; AFAIK it "should" work on the latest version too; you're likely to get more useful help if you ask a real question, not "does anyone use X"
11:12 < hyper_ch> krzee: how comes you can give cloaks away on this network?
11:12 < hyper_ch> does ecrist have some kind of super magic powers?
11:14 <@krzee> he runs the openvpn cloaks, if that counts as magic
11:14 <@krzee> you ask him, then he talks to an oper, and gets you your cloak
11:16 < hyper_ch> now knowing what kind of power he wields, I'm kinda scared talking to him
11:16 * hyper_ch hides behind krzee
11:17 <@krzee> just avoid fridays
11:17 <@krzee> !friday
11:17 <@vpnHelper> "friday" is It's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
11:23 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
11:27 -!- heraclitus [~phobos@unaffiliated/heraclitis] has quit [Ping timeout: 264 seconds]
11:27 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
11:30 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 256 seconds]
11:33 -!- lamppid [~lamppid@78.58.251.19] has joined #openvpn
12:05 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Remote host closed the connection]
12:15 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
13:05 < esde> ecrist, may I have an openvpn cloak, too? much shorter than *unaffiliated*
13:06 -!- Popsikle [~popsikle@2600:1017:b024:f3c2:a0e1:de6:da4c:a120] has joined #openvpn
13:07 < KavanS> !mitm
13:07 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
13:10 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
13:10 -!- Popsikle [~popsikle@2600:1017:b024:f3c2:a0e1:de6:da4c:a120] has quit [Ping timeout: 244 seconds]
13:34 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
13:34 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
13:35 -!- mode/#openvpn [+v RBecker] by ChanServ
13:42 < webczat> If I use openvpn in server mode with ipv6 tunnel
13:43 < webczat> and I assign with ifconfig-ipv6 and ifconfig-ipv6-push ip addresses that are in /80 address pool
13:43 < webczat> then why does windows add a route to /64 too when windows client connects over this vpn?
14:16 < pekster> webczat: Your CIDR for the pool and server-side network should match or strange things happen
14:17 < pekster> IOW, don't push a /80 CIDR mask if your VPN is really a /64 (which is & should be the common use-case, although things like a /112 are possible too if needed/desired)
14:21 -!- KjetilK is now known as Guest29245
14:21 -!- Guest29245 [~kjetil@ti0071a400-3057.bb.online.no] has quit [Ping timeout: 240 seconds]
14:23 < webczat> pekster: hmmm... actually they match; the whole configuration is set to /80 in openvpn
14:24 < pekster> Have a pastebin of your server config, sans comments/blanks? Plus the ccd for your push bits?
14:25 < pekster> If you're using /80 everywhere, it should be pushing that to the client. There's some odd behavior if your pool attempts to use a smaller CIDR size than the server network though (but sounds like this won't matter here)
14:25 < webczat> not really, I have removed it because I happen to hmm not do things I do not fully understand, so I wanted to understand it first. also, on linux the routing table is good and does not have anything with /64
14:25 < webczat> it actually pushes /80, but on windows I get address with /80, route with /80, but also another route with /64 even though config does not specify it
14:26 < pekster> The "no idea." Presumably you're declaring a /64 somewhere, but without !configs or !logs (bot has suggestions for pasting those) best you can be told here is "something is probably not configured right"
14:26 < pekster> Verify your configs & logs yourself for clues
14:26 < webczat> I believe it is just some windows specific behaviour, not config error
14:26 < webczat> because same config clientside on linux works and does not do this
14:27 < webczat> and same ccd config
14:28 < webczat> I do not add any routes. I am pushing /80 and ipconfig-ipv6 is also setting /80, but windows adds both /80 as push suggests, and /64 too
14:28 < webczat> and there is no config like routes in openvpn.conf
14:29 < webczat> I really believe this may be windows specific.
14:29 < pekster> Without logs I don't really care.
14:29 < pekster> Surely you're able to go read the factoids above and read your own logs for clues?
14:29 < webczat> I believe it is not a route added by openvpn, that in turn means openvpn does not do this and logs would not show anything
14:30 < webczat> lemme check something then
14:31 < pekster> Unlikely, unless you mean IPv6 LL
14:31 < pekster> But since you refuse to show any details, that's nothing more than a WAG
14:31 < webczat> I cannot show you things that I do not have, as I said
14:32 < pekster> Then you obviously haven't read !logs that I referenced above that explains very clearly how to generate logs
14:32 < pekster> !logs
14:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:32 < pekster> !configs
14:32 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:32 < pekster> !verb
14:32 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage. or (#3) Anything more than 5 is for developer debugging only
14:32 < pekster> !logfile
14:32 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:32 < pekster> Happy hunting.
14:32 < pekster> Oh, and probably:
14:32 < pekster> !interface
14:32 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
14:32 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
14:33 < pekster> to see wtf you actually have as for interface configs and verify if your "mystery top secret /64 that can't be shared with the class" is LL or some strange supernet
14:34 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
14:35 < webczat> this /64 actually exists but I just divided it :) and as said I cannot test it at the moment. I will have to look/write it again
14:40 < pekster> Curious, I'm seeing similar behavior
14:40 < pekster> C:\Windows\system32\netsh.exe interface ipv6 add route fd29:884a:4456:123::/80 Local Area Connection 3 fe80::8 store=active
14:48 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
14:50 < pekster> I'd guess this is either Windows being brain-dead, or possibly the TAP-WIN32 driver not handling non-/64 subnets properly
14:51 < pekster> fwiw, you're usually better off just using /64 anyway so that the "early developer preview" patches that Debian was so fond of including before OpenVPN officially supported IPv6 will work: they break if you use sub-/64 networks
14:54 < webczat> pekster: actually: I just tested by command like openvpn --proto tcp-server ... --dev tun --tun-ipv6 --ifconfig-ipv6 .../80 remote etc, and similar on a client side (windows) and didn't get /64 route. :O maybe it works differently in case of a push/whatever?
14:54 < webczat> like now it was p2p mode
14:54 < pekster> Unlikely; here's my testcase for the server that results in duplicate routes, one /80 and one /64
14:55 < pekster> https://paste.kde.org/p5lm46sja
14:56 < pekster> Here's the nonsense that results from `route -6 print` on the client:
14:56 < pekster> 17 286 fd29:884a:4456:123::/64 On-link
14:56 < pekster> 17 286 fd29:884a:4456:123::/80 fe80::8
14:56 < pekster> 17 286 fd29:884a:4456:123::1000/128
14:58 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit [Remote host closed the connection]
14:58 < webczat> okay. suggestion: what happens if you replace a mode server vpn with mode p2p and configure ip address on the client with ifconfig-ipv6? same with configuring ipv6 address client side but leaving mode server. :D
14:58 < webczat> because it didn't add this /64 route in p2p mode when clients were locally specifying addresses in their config
14:59 < webczat> s/clients/peers/
14:59 < pekster> You can't use p2p in Windows since that OS is incapable of Point-to-Point networking
14:59 < webczat> I mean --mode p2p, not the p2p topology
15:00 < webczat> like openvpn without --mode server
15:00 < webczat> that works, trust me, tested. :P
15:00 < webczat> another things that would be interesting: what is gonna happen if you use a larger pool like /48... lol
15:01 < pekster> /48 on-link? Don't do stupid things like that
15:01 < pekster> The only reason for a /64 is convention and integration with SLAAC (and backwards-compat with older 2.2.x dev-patches, as noted earlier.) Unless you're going to tell me how you need more than 2^64 clients on your VPN
15:02 < webczat> I meant just testing, nothing more. my network here is incapable of v6 and such tests are probably safe
15:02 < pekster> That's still a useless thing to try
15:02 < pekster> Try something useful instead, like evaluate the netsh.exe call in your non-multi-client serve setup
15:02 < pekster> server*
15:03 < webczat> in my p2p setup, /64 is not added but the netsh call is the same
15:04 < pekster> Including the silly fe80::8 call?
15:04 < webczat> hmm
15:05 < webczat> hell... I cannot as easily compare it with multiserver set up because I have no certs at hand
15:06 < webczat> but yes, it seems to use something like fe88, like it probably uses the link local addresses appropriate for the tunnel
15:07 < pekster> "something like" isn't good enough here. https://github.com/OpenVPN/openvpn/blob/v2.3.6/src/openvpn/route.c#L1639
15:07 <@vpnHelper> Title: openvpn/route.c at v2.3.6 · OpenVPN/openvpn · GitHub (at github.com)
15:10 -!- mattock is now known as mattock_afk
15:12 < webczat> mmm
15:14 < webczat> anyway it still does not explain the /64 thing
15:14 < webczat> I would if possible test /48 but just for one reason: checking if it is consistent/smart/whatever
15:15 < webczat> unfortunately I cannot atm
15:16 < pekster> I bet this is the issue: C:\Windows\system32\netsh.exe interface ipv6 set address vpn1 fd29:884a:4456:123::1000 store=active
15:16 < webczat> but, seems like if I want to have a good v6 support, I should get /48 prefix first and delegate one /64 to vpn. I am using my /64 proper for linux containers and stuff
15:17 < webczat> pekster: the p2p mode linking shows the same message, I checked. but there is no /64 anyway :)
15:17 < pekster> https://imgflip.com/i/g9z7h
15:17 <@vpnHelper> Title: Creepy Condescending Wonka Meme - Imgflip (at imgflip.com)
15:17 * webczat is blind. give me as much images as you want :P
15:18 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
15:18 < webczat> I won't see them anyway
15:18 < pekster> Ah, fair enough. Just poking fun at 18446744073709551616 hosts being too small for anyone's network
15:19 < webczat> pekster: of course. but you are unable to predict the future and the way vpn is used :P
15:19 < pekster> Any single network larger than a /64 is 100% worthless
15:19 < pekster> More worthwhile is the cause of the on-link route addition that doesn't match the linked code line, which might be caused by:
15:19 < pekster> C:\Windows\system32\netsh.exe interface ipv6 set address vpn1 fd29:884a:4456:123::1000 store=active
15:19 < webczat> hmm actually the recommendation is often to grant max /48 to end user.:D
15:20 < pekster> RFC6177 says otherwise
15:20 < pekster> Also, you don't put that /48 on-link unless you're clueless or hate your customers (like a number of well-known VPS "providers" do)
15:21 < webczat> I mean min /64, max /48. I've read ripe recommendations I think and things like that. and ipv6 tunnelbrokers still give both /64 and /48
15:21 < webczat> what is the problem with on-link /48?
15:21 < webczat> maybe except the fact it may or may not be too large?
15:22 < pekster> wtf dude. Do you need more than 18,446,744,073,709,551,616
15:22 < pekster> hosts on your VPN network? If not, don't do insane things like this
15:22 < webczat> no. but slaac has a different model anyway, based on someone's mac address. it's more like if I need more than one subnet, I should have larger than /64
15:22 < pekster> That's 18.4 SEPTILLION hosts. I don't think there's enough RAM in the world, nevermind a computer to hold that much, to support it
15:23 < pekster> Yes. But *EACH* subnet should not be larger than a /64
15:23 < webczat> yes.
15:23 < pekster> I'm 100% on-board with RFC6177's recommendations to provide a large enough allocation to end-site (customers, businesses, etc) to route/subnet as they need
15:23 < pekster> on-link /48 is what brain-dead VPSes do, forcing customers who want to use it to do awful, horrible, insane hacks like NDP proxy. These companies hate their users
15:24 < webczat> but I am not sure if it is not said somewhere that end users may need more subnets, I may be mistaken :)
15:24 < pekster> Spend some time looking at RFC6177; it's quite clear, and their conclusion is very upfront about the design goals involved
15:24 < webczat> okay
15:25 < pekster> At any rate, something like a /56 to end-sites is a good starting place. Maybe a /48 for established businesses that can demonstrate a need, and more if the user/customer/site needs it for something
15:25 < webczat> anyway if I need more subnets because I have one for containers and one for vpn, does it justify /48 or /56? like tap mode vpn is not recommended so I cannot use one subnet for all this
15:26 < webczat> I cannot get /56 on the tunnel I have one routed /64 and can optionally get a routed /48.
15:26 < pekster> Right, you should get (without any question from your network provider) a /56 if you ask. A *routed* /56 (none of this on-link crap.)
15:26 < pekster> Sure, /48 is fine
15:26 < pekster> I said at least ;)
15:27 < pekster> That's now 65,536 unique /64 networks (though usually you'd subnet that /48. That's the whole point of IPv6 is so we can route/subnet properly and do away with NAT-Overload)
15:28 < pekster> The tl;dr here is that there's no reason to give openvpn more than a /64 per-network, and IIRC it prohibits that configuration
15:28 < pekster> Less than that, sure, although that does have implications for backwards-compat support too, and is best avoided as a result
15:29 < webczat> yes. I am doing it mainly for educational purposes. I wanted to have educational linux container with public v6 and I use the main /64 for it. and another thing is that it is all done on a public server, but I also have a "server" that is connected to ipv4 network but behind a nat, that I want to use for hmm testing networking.
15:29 < webczat> so I need a vpn to give the natted server test ipv6 connectivity and possibly I would need a routed /64 going over this server for the purpose of testing
15:30 < pekster> You need a routed allocation to use IPv6 meaningfully with OpenVPN
15:31 < pekster> Unless you use ULA, but that's not globally routable (and is only valid in the routed domain of your network or "site" that understands about that ULA space)
15:31 < webczat> I have routed /64 and can get additional independent /48 that I could probably divide into vpn thing and the subnet going to the natted server over vpn
15:31 < pekster> fwiw, I think this is a bug in the address setting code by not properly setting the CIDR mask during address execution
15:32 < pekster> This appears to do the right thing from the CLI: netsh interface ipv6>set address vpn1 fd29:884a:4456:1234::1001/80
15:32 < webczat> pekster: maybe, but in p2p case it still does not result in /64, it results in /128 and then route to /80 is separately added
15:32 < pekster> Yea, probably a different codepath, but I'd need to dig further to find out
15:32 < pekster> Did you compare the address setting call at --verb 4?
15:33 < webczat> yeah. but notice that in the case of --mode server, /80 pool etc, it results in /64, /128 and /80 all being there
15:33 < pekster> So is there a CIDR mask at the end of the address set ... call?
15:33 < webczat> no
15:34 < webczat> I am running with default settings for logging and there is no /xxx after the ipv6 address in p2p mode. and for server mode I would have to generate and send certificates and that hmm
15:34 < pekster> Right, my above paste is what you get for a P2MP server
15:35 < webczat> unless you are able to go without a client certificate?
15:35 < pekster> And if I omit the CIDR mask, it assumes a /64
15:35 < webczat> so why I did not get /64?
15:35 < webczat> in pure p2p
15:35 < pekster> No clue
15:35 < webczat> try and check what happens if you invoke openvpn in p2p mode.
15:36 < webczat> maybe I am mistaken
15:36 < pekster> https://github.com/OpenVPN/openvpn/blob/v2.3.6/src/openvpn/tun.c#L1209 If I'm going too slow for you in the code review while you keep asking me about the frontend
15:36 <@vpnHelper> Title: openvpn/tun.c at v2.3.6 · OpenVPN/openvpn · GitHub (at github.com)
15:40 * webczat hates reading c. ofc this thing was clear but :P
15:40 < pekster> Seems it's handled by add_route_connected_v6_net possibly, although the easier solution might be to pull the right mask out of the route_ipv6 struct for the involved address, or the tuntap struct if that's not yet available
15:42 < webczat> so have you found this /64 thing that gets added always?
15:42 < webczat> and it is still interesting why the hell it does not get added in normal cases like p2p
15:42 < pekster> It's implicit, as demonstrated earlier. No clue (yet) why --topology p2p is different, because Windows doesn't understand it at all to begin with (it's only able to create actual subnets)
15:42 < webczat> different code path as you said
15:43 < webczat> pekster: first the topology thing as man says does not affect ipv6
15:43 < pekster> Except all the v6 address stuff is under line 1201 at if ( do_ipv6 )
15:43 < pekster> Yea
15:44 < pekster> The only v6 address-setting specific netsh call is from the arguments starting at tun.c:1209 (as of 2.3.6 anyway)
15:46 < webczat> pekster: okay lemme phrase it this way: the /64 thing appears if one openvpn is the server with --mode server, and possibly only if the server pushes addresses to clients. /64 didn't get added for me if none of the openvpn instances had --mode server, and if ip was not pushed, like if it was manually set by both sides
15:47 < webczat> and it may be possible that if you remove the ifconfig-ipv6-pool from server and use ifconfig-ipv6 on the client it may work unless such usage is forbidden
15:48 < webczat> if it is then it should work if you will also remove --mode server
15:49 < johnfg> Sorry I had to be away after an answer from pekster. I generated the client certificate on the server, so why or how could the pki not be the same?
15:51 < pekster> No idea; this is why you'd test it. That's the first thing you'd normally do when faced with a verification error
15:51 < pekster> Could be anything from accidentally being in the wrong directory to your click being off, or a dozen more failure modes I could invent if I cared more.
15:51 < pekster> clock*
15:51 < pekster> Which is why you should do exactly what I suggested earlier, using the _actual_ client-cert as referenced by its _current_ config, defined in:
15:52 < pekster> !verify
15:52 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
15:52 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
15:54 < johnfg> pekster: righto. I actually saw and read it from yesterday, but hadn't done it. I'm on it now :-)
15:55 < webczat> I am curious if I was not mistaken about the behavior of manually configured addresses hmhm
15:56 < pekster> webczat: I think this fixes it: https://github.com/QueuingKoala/openvpn/commit/ffc7ef7966396f3a08db6d663a1e2b217793b104
15:56 <@vpnHelper> Title: Add CIDR mask to win32 netsh call for ipv6 set address · ffc7ef7 · QueuingKoala/openvpn · GitHub (at github.com)
15:57 < pekster> My win32 build VM is a bit FUBAR now, but I might be able to have a build you can test within a day or two
15:58 < webczat> pekster: hmm I am not sure if it is really like you said if my last testcase without --mode server did not add /64 and your testcase with --mode server did. and both had no prefix length when setting address using netsh
15:58 < johnfg> pekster: On the first part of the !verify message, it returns: error 20 at 0 depth lookup:unable to get local issuer certificate
15:58 < webczat> then it may not fix the issue
15:59 < johnfg> I used the ca.crt for the CAfile, and client5.crt for the remote.
15:59 < pekster> johnfg: Check the AIA of the client-cert against the CA's fingerprint
15:59 < johnfg> What's the remedy?
15:59 < johnfg> pekster: Is that following (#3) of the !verify msg?
16:00 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
16:01 < pekster> Yup. Dump the client cert, get the fingerprint of the issuing CA, and compare to the actual CA cert fingerprint
16:01 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
16:01 < pekster> If they don't match, you managed to sign that client cert with a different CA, which would not be matched to your -CAfile you attempted to verify with
16:02 * pekster meant AKI, not AIA
16:03 < johnfg> pekster: Before I do that, the CA has definitely not changed.
16:04 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
16:04 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
16:05 < johnfg> pekster: One thing I note, in running the cmd on the client5.crt, it shows CA:FALSE, but on ca.crt, CA:TRUE.
16:06 < pekster> That's correct, but not currently relevant
16:07 < pekster> More relevant would be a matching AKI on the client to the SKI on the CA
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:08 < johnfg> pekster: I think you're in the process of nailing it.
16:10 < johnfg> I have one ca.crt in /etc/openvpn, and another in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
16:11 < johnfg> Both generated on the same day, 1.5 yrs. ago.
16:11 < johnfg> Which is the one that ./build-keys uses when it runs?
16:11 < pekster> Whatever dir you're in
16:11 < pekster> Both are, for the record, horrible places to be doing your PKI in
16:12 < johnfg> pekster: What/where would you recommend?
16:12 < johnfg> At present: server is debian, this client is gentoo.
16:12 < pekster> A dedicated non-root user, with restrictive permissions on the homedir to prevent accidents like the ca.key read by other users
16:13 < pekster> Or out of /root/pki if you really hate priv-sep for some reason
16:13 < johnfg> pekster: Is there a cmd I can run on the current working 4 clients to see which ca.crt they are built (or whatever the word) with?
16:13 < pekster> As above, in !verify
16:14 < pekster> X509v3 Subject Key Identifier:
16:14 < pekster> B4:F5:E3:34:03:F5:63:18:AD:D3:DE:1E:70:05:28:7F:B1:66:99:EC
16:14 < pekster> My sample cert was signed by keyid B4:F5:E3:34:03:F5:63:18:AD:D3:DE:1E:70:05:28:7F:B1:66:99:EC
16:14 < johnfg> pekster: Ok.
16:14 -!- lamppid [~lamppid@78.58.251.19] has quit [Ping timeout: 240 seconds]
16:14 < pekster> You'd go and verify your CAs to see which CA has a matching keyid
16:15 < pekster> Erm, AKI
16:15 < pekster> AKI: what signed this cert. SKI: this own cert's fingerprint
16:16 < pekster> A root CA will have matching values, since it "signed itself", and thus is vouching for its own correctness (and if you cannot trust it independently, you ought to reject it as a CA)
16:16 < pekster> !intro-to-pki
16:16 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
16:17 < webczat> btw why does ipv6 not support topologies, but ipv4 does? and also why in ipv6 do I have to provide remote address even server side? I do not understand that
16:19 < pekster> Because the concept of net30 is a broken 7-year-old Windows concept from before the driver on that crappy platform supported real networking. Since we're behind ancient limitations in the driver there's no point to perpetuate such behavior
16:19 < pekster> Since IPv6 requires >=2.3.0 anyway, it's guaranteed that Windows can support the non-broken methods
16:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:19 < pekster> !net30
16:19 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:19 < pekster> !topology
16:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:20 < pekster> The server still needs a routing target for the OS-routes
16:20 < pekster> (hence the "peer" IP)
16:21 < webczat> oses support adding routes going through interfaces
16:22 < pekster> It's more complex than that since OpenVPN has multiple routing options. Read about --iroute and --iroute-ipv6 to understand how openvpn routes things to particular clients
16:22 < pekster> and the !clientlan info/flowchart
16:22 < webczat> pekster: also what about topology p2p? there is such a thing as a third topology. is it just like when you don't need any subnet? but in any case you still cannot do that with ipv6.
16:22 < webczat> like you can probably but in a different way
16:23 < pekster> Linux can do device routing; build with ENABLE_IPROUTE2
16:23 < pekster> This is for some reason still not the default; patches welcome if you'd like to see the buildsystem do this by default when iproute2 headers/userland is available
16:24 < pekster> See route.c:1599
16:25 < webczat> arch does not have ifconfig
16:25 < webczat> it has iproute2 only and it means that it probably has it enabled
16:25 < pekster> Wonderful. And if we removed backwards-compat stuff it'll break every other distro that doesn't support this, plus other OSes that don't support this at all
16:27 < pekster> Manpage for --ifconfig-ipv6 is pretty clear on its use. Plus in tap you might be doing on-link IPv6 routes; see route.c:1585 for the explanation
16:28 < webczat> pekster: honestly tried using old route for a while
16:28 < webczat> route add 11.0.0.0 dev vmnet
16:28 < johnfg> pekster: Ok, the certificate in /etc/openvpn is *not* the cert that the other clients were signed with.
16:28 < webczat> worked
16:29 < johnfg> Should I just copy the ca.crt that's the right one to that directory?
16:29 < pekster> FFS, you ask why things are and then refuse to read
16:29 < pekster> I really don't give any more shits if you're going to be this much of a PITA
16:29 < pekster> 1585 /* On "tun" interface, we never set a gateway if the operating system
16:29 < pekster> 1586 * can do "route to interface" - it does not add value, as the target
16:29 < pekster> 1587 * dev already fully qualifies the route destination on point-to-point
16:29 < pekster> 1588 * interfaces. OTOH, on "tap" interface, we must always set the
16:29 < pekster> 1589 * gateway unless the route is to be an on-link network
16:29 < pekster> 1590 */
16:29 < pekster> So happy I could paste in what I asked you to read that EXPLAINS EXACTLY WHY WE DO WHAT YOU SUGGEST, AND WHY WE SUPPORT LESSER OSES THAT CAN'T DO IT
16:30 < webczat> okay
16:31 < pekster> And yes, net-tools is a smoldering pile of crap
16:31 < pekster> !net-tools
16:31 <@vpnHelper> "net-tools" is https://github.com/QueuingKoala/fn-netfilter/wiki#avoid
16:31 < webczat> I prefer ip, I installed net-tools for something once but do not use it
16:31 < pekster> johnfg: Nope, you need to re-sign your client cert with the PKI your server is expecting
16:32 < pekster> Or replace your CA completely, which will invalidate all your previously-signed certs on every system (all servers & clients under that CA)
16:32 < johnfg> pekster: I'm wondering if that latter actually might be the best way to go.
16:33 < johnfg> And you're recommend I do it in say: /home//pki, e.g.?
16:33 < webczat> is it possible to do ipv6 only openvpn? it seems to enforce the presence of normal ifconfig directives on tun
16:33 < pekster> I create a `pki` user, with a umask of 77 defined in its .profile
16:33 < pekster> You could do it as root too, but I dislike doing things as root that don't require it as a security measure
16:34 < pekster> Further security (especially PKI) recommendations at:
16:34 < pekster> !hardening
16:34 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
16:35 < pekster> webczat: hmm? --ifconfig is a platform-agnostic directive to set addressing; it's got zero to do with /sbin/ifconfig (ENABLE_IPROUTE on Linux, and #if defined(win32) for ipconfig are notably not using ifconfig)
16:35 < pekster> Again, reference tun.c for all the magic ways the addressing gets sent depending on the #ifdef code that's very platform-specific
16:36 < webczat> pekster: I meant something else. the ifconfig directive sets ipv4 addresses. but if my openvpn wants ipv6 and does not want ipv4 and I try to start a client with no ipv4 it just fails loudly
16:36 < pekster> You'll need IPv4, but since RFC1918 is huge, just issue some bogus network if you don't care
16:36 < pekster> At some point that'll change, and it's a todo item. As with all FOSS code, patches welcome if this is a feature you'd like to see sooner.
16:36 < johnfg> pekster: Thanks for your help the last couple of days.
16:36 < pekster> Best check the ML and -master though; I think some groundwork has been done on this fairly recently
16:36 < webczat> It is annoying, but not very annoying. I was just wondering why that happens, and I feel satisfied :)
16:40 -!- CaTtleyA_ [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
16:43 < webczat> so in ipv4 and topology subnet case I should always set route-gateway in case I hit a platform that does not support on link routes? man says that topology subnet's ifconfig requires just ip and netmask instead of localip remoteip so
16:44 -!- CaTtleyA_ [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Client Quit]
16:45 < pekster> You probably want to push that to clients, yes
16:45 < pekster> That ought to be the default with --server but IIRC isn't, making life fun when that breaks for complex routing setups
16:45 < webczat> so I should push it to clients even if I do not forward from the vpn to the internet?
16:46 < pekster> "It depends." Skip it if you're not pushing networks that break
16:46 < pekster> Add it if you get a warning to the effect that it's missing
16:46 < pekster> File a bug if one isn't already open if this is a problem
16:46 < webczat> I am trying to understand the behavior, nothing more
16:47 < pekster> No --push "route ..." means you can happily ignore it
16:48 < webczat> but in case of ipv6 the route-gateway6 is also set by ifconfig-ipv6 and in this case it seems required. so server side, should the address set there not be hmm really used, or it does not matter?
16:58 < webczat> downloading sources
17:13 < webczat> okay i cannot find that in the code. the code seems like the gateway in routes is used only when we are using tap adapters, at least the specified one is used probably only in this case unless I am wrong. and the default gateway param is the one in ifconfig-ipv6 so I don't know where the ipv6 remote addr is used
17:13 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:13 < webczat> because ifconfig-ipv6 is probably not to be used on tap
17:15 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
17:32 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
17:34 < webczat> I probably see. this gateway is just not needed on linux even with net-tools it seems, but solaris needs it for compat
17:49 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
18:03 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
18:07 -!- ddddddda [~yaaic@unaffiliated/he110wo1d] has left #openvpn []
18:07 -!- hypermist is now known as pcupgrades
18:15 -!- pcupgrades is now known as hypermist
18:33 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
18:33 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
18:41 -!- webczat [webczat@webczatnet.pl] has left #openvpn ["WeeChat 1.0.1"]
19:18 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
19:38 -!- ddddddda [~he110wo1d@unaffiliated/he110wo1d] has joined #openvpn
19:59 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Quit: Nothing is more believed as that known least by the most.]
20:00 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
20:01 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
20:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
20:06 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
21:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:12 -!- ddddddda [~he110wo1d@unaffiliated/he110wo1d] has quit [Quit: Leaving]
22:14 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:41 -!- Denial [~Denial@81.141.16.42] has joined #openvpn
23:16 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
23:31 -!- ShadniX [dagger@p5DDFCE07.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:31 -!- ShadniX_ [dagger@p5481DB12.dip0.t-ipconnect.de] has joined #openvpn
23:31 -!- ShadniX_ is now known as ShadniX
23:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
--- Day changed Mon Jan 12 2015
00:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 244 seconds]
00:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
00:40 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
00:43 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
01:02 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:11 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
01:12 < hyper_ch> krzee: can you teach me how cidr are actually calculated?
01:15 -!- nullm0dem [~kaiju@ip24-254-180-150.rn.hr.cox.net] has joined #openvpn
01:20 -!- master_of_master [~master_of@p4FF24197.dip0.t-ipconnect.de] has joined #openvpn
01:24 -!- master_o1_master [~master_of@p4FF24B56.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
01:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
01:32 -!- mattock_afk is now known as mattock
01:51 <@krzee> !cidr
01:51 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
01:51 <@krzee> @ hyper_ch
01:51 < hyper_ch> krzee: you don't happen to have a shell script that converts a network range to cidr?
01:51 <@krzee> no, did you bother reading the link?
01:52 < hyper_ch> yes, looking at it
01:53 < hyper_ch> so a network range needs first to be converted to binary
01:55 < hyper_ch> btw, shouldn't whois be standardized?
01:59 <@krzee> what are you really trying to do?
02:03 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:03 < hyper_ch> well, I found yesterday a python script that can be used with fail2ban to block a whole subnet instead of an individual IP.... I get many attempts from the Gaza... anyway, that script relies on the inetnum in the whois... but I noticed that other whois return cidr itself or network range.... since I really suck at python, I thought I could do it in bash... so I need to convert a network range like 37.8.0.0 - 37.8.63.255
02:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
02:04 < hyper_ch> also I wonder is it better to use -j DROP or -j REJECT --reject-with icmp-port-unreachable
02:05 <@krzee> ya dunno
02:05 < AL13N_work> depends on what you want
02:05 <@krzee> might be able to find that already done for you in python
02:05 < AL13N_work> with REJECT you let them know
02:05 < AL13N_work> and/or you spend a packet on them
02:05 < hyper_ch> krzee: well, in bash I can at least understand what it does... python just hates me ;)
02:06 < AL13N_work> there's also iptables extensions like LABREA
02:06 < AL13N_work> which is like DROP, except they are grabbing the connection and aren't letting go, making the attacker lose a port
02:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:08 < hyper_ch> doesn't labrea put more stress on the network?
02:22 < AL13N_work> iiuc, it means just the regular TCP keepalive things, nothing more than that
02:23 < hyper_ch> I see
02:24 < AL13N_work> i should note that i haven't used it...
03:02 <@krzee> r/j #python
03:03 <@krzee> oops
03:03 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
03:03 -!- jdmf [~jdmf@78.156.100.202] has quit [Quit: Bye.]
03:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
03:12 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:22 < hyper_ch> krzee: well, can't be too hard to write an network range to cidr converter in bash... right?
03:22 <@krzee> *shrug* dunno
03:22 <@krzee> id google for it
03:23 < hyper_ch> in #bash they say that google is not the recommended way of learning bash... too many stupid and wrong scripts out there ;)
03:26 < AL13N_work> man bash
03:36 <@krzee> i wouldnt be looking for it in bash either
03:36 <@krzee> id suspect perl or python would be better suited
03:50 < hyper_ch> they both hate me
04:24 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 276 seconds]
04:51 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Read error: Connection reset by peer]
04:52 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
04:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:55 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
05:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
05:43 -!- jetole [~jetole@unaffiliated/jetole] has joined #openvpn
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
05:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:22 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:22 -!- mode/#openvpn [+o mattock_] by ChanServ
06:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
06:48 -!- Henryabcd [~Henryabcd@pD9E08E29.dip0.t-ipconnect.de] has joined #openvpn
06:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
06:51 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:52 -!- Henryabcd [~Henryabcd@pD9E08E29.dip0.t-ipconnect.de] has quit [Client Quit]
07:19 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has quit [Quit: IRC for Sailfish 0.8]
07:32 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has joined #openvpn
07:33 -!- JackWinter [~jack@vodsl-9520.vo.lu] has quit [Read error: Connection reset by peer]
07:56 -!- jetole [~jetole@unaffiliated/jetole] has quit [Quit: Leaving]
08:00 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
08:15 -!- kexmex [~kexmex@78.111.187.153] has joined #openvpn
08:17 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:35 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
08:43 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
08:44 -!- Rambozo [~Rambozo@ns503798.ip-192-99-11.net] has quit [Ping timeout: 265 seconds]
08:46 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 244 seconds]
08:48 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
08:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:52 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
09:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:06 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
09:09 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:09 -!- mode/#openvpn [+v s7r] by ChanServ
09:11 < linuxthefish> hi, why does openvpn not work on Windows 8.1 after resuming from sleep?
09:12 < linuxthefish> i need to restart every time i wish to use openvpn or i can't ping anyone inside my vpn network or on the internet
09:12 < esde> !crystal
09:12 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
09:12 < linuxthefish> i just did, i want it to work
09:13 * esde reads up
09:13 < linuxthefish> http://pastebin.com/raw.php?i=0bjFnrRJ is client log
09:13 < esde> I see no logs or configs
09:13 < linuxthefish> what other log do you need? :S
09:13 < esde> !allinfo
09:13 <@vpnHelper> "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you
09:14 < linuxthefish> !configs
09:14 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:14 < linuxthefish> !logs
09:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:14 < linuxthefish> !interface
09:14 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
09:14 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
09:14 < linuxthefish> how come it works on my linux and mac PC's after restart?
09:15 < linuxthefish> i've seen lots of other people ask about this before :S
09:15 < esde> (Also, bear in mind, there are fewer windows users than linux users on average, so this may also contribute to a longer wait time for help)
09:15 < esde> No clue, as I don't use microsoft products wherever possible. Especially windows 8.*
09:16 < esde> There is also openvpn-as if you'd like it to "just work"
09:16 < esde> !as
09:16 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:17 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 265 seconds]
09:22 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
09:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
09:30 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Remote host closed the connection]
09:31 -!- kexmex [~kexmex@78.111.187.153] has quit [Quit: Computer has gone to sleep.]
09:31 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
09:40 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 256 seconds]
09:41 -!- jetole [~jetole@unaffiliated/jetole] has joined #openvpn
09:43 < jetole> Hey guys. I am trying to provide routing to a client network. The OpenVPN server is also the router. The client network is on 10.3.0.0/24. All local networks are within the parent 10.2.0.0/16. I have added iroute to the ccd. route to the openvpn server config. "push route" and client-to-client to the openvpn server config however I am not seeing any routes appear to 10.3.0.0/24 on the openvpn server. I am not sure what I am missing
09:43 < jetole> I have restarted openvpn on both the server and client
09:44 < jetole> the client is connected. It's receiving the ifconfig-push IP address from ccd and I can reach other hosts on the server side network but the route for the server (and other server side nodes) to reach 10.3.0.0/24 does not appear
09:52 < esde> Not sure if clientlan is applicable to your goal, but if it is, there's a nifty flowchart to help troubleshooting
09:52 < esde> !clientlan
09:52 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
09:52 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
09:53 < jetole> the first link appears dead
09:53 < jetole> oh and yeah I enabled forwarding on the client machine
09:53 < jetole> everything else you mentioned I already said I did
09:53 < esde> the second link is a mirror
09:53 < jetole> reviewing second link now
09:55 < jetole> esde: on the flow chart under route, it says push "route 10.10.10.0 255.255.255.0". On my server I have push "route 10.3.0.0 255.255.255.0 vpn_gateway"
09:55 < jetole> is the vpn_gateway maybe why the route is not being automatically added?
09:57 < esde> I am not sure. Hopefully that information will help someone else understand the issue and offer advice, or help you sort it yourself. :)
10:08 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
10:14 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 255 seconds]
10:22 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:24 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
10:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
10:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
10:27 < johnfg> pekster: btw...all is working on the server & clients. Thanks for the help!
10:27 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
10:29 -!- johnfg [johnfg@spirit.org] has left #openvpn []
10:33 -!- shio [marmot@6.121.101.84.rev.sfr.net] has quit [Ping timeout: 252 seconds]
10:34 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:40 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
10:43 -!- shio [marmot@6.121.101.84.rev.sfr.net] has joined #openvpn
10:44 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
10:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
10:51 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
10:54 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
10:57 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:01 -!- Drustan [~Drustan@lea.tristanpilat.com] has joined #openvpn
11:02 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:02 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 264 seconds]
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:09 -!- AL13N_work [~alien@91.183.52.232] has quit [Ping timeout: 265 seconds]
11:13 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:13 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
11:14 < Drustan> Hi all.
11:14 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
11:14 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:16 < Drustan> I have 2 WAN. Anyone know how to configure openvpn to send traffic through the interface the client connect to
11:16 < Drustan> ?
11:17 -!- jetole [~jetole@unaffiliated/jetole] has quit [Quit: Leaving]
11:20 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
11:22 <@plaisthos> !policy-routing
11:22 <@plaisthos> !policy
11:22 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
11:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:31 < Drustan> Thanks for your help !
11:44 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:45 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
11:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
12:24 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"]
12:32 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
13:13 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
13:15 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:28 -!- Matias_Arg [~matias@190.246.146.237] has joined #openvpn
13:28 < Matias_Arg> good afternoon
13:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 245 seconds]
13:31 < Matias_Arg> I have a couple of questions about how openvpn works, since I have 5 servers in a mesh topology (all against all) and I'm having some problems
13:32 < esde> English only afaik
13:32 < esde> No Spanish
13:32 < Matias_Arg> esde ok.
13:32 < Matias_Arg> sry
13:33 < Matias_Arg> I have a couple of questions regarding the operation of openvpn, since I have 5 servers in the grid (all against all) topology and am having some problems
13:33 < esde> please type !welcome
13:33 < Matias_Arg> !welcome
13:33 -!- Matias_Arg [~matias@190.246.146.237] has quit [Read error: Connection reset by peer]
13:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:36 -!- Matias_Arg [~matias@190.246.146.237] has joined #openvpn
13:36 < Matias_Arg> !welcome
13:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:37 < Matias_Arg> openvpn runs slow
13:37 < Matias_Arg> in my topology
13:38 -!- Matias_Arg [~matias@190.246.146.237] has quit [Read error: Connection reset by peer]
13:38 < esde> !cloak
13:38 <@vpnHelper> "cloak" is Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:38 < esde> I would like one cloak please. Are daggers extra?
13:40 < hyper_ch> no, but you get some % off on poisons
13:40 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 244 seconds]
13:40 -!- Matias_Arg [~matias@190.246.146.237] has joined #openvpn
13:40 < Matias_Arg> and I have 50Mbits at each site
13:41 < Matias_Arg> any ideas or suggestions?
13:42 < hyper_ch> it runs fast
13:42 < hyper_ch> you use dpb?
13:42 < hyper_ch> udp
13:42 < hyper_ch> tried iperf
13:42 < Matias_Arg> udp
13:42 < Matias_Arg> iperf?
13:43 < hyper_ch> yes, iperf
13:43 < hyper_ch> tried different ports?
13:43 < Matias_Arg> yes
13:43 < hyper_ch> does connection work fine when not using vpn?
13:43 < hyper_ch> tried tcp instead of udp?
13:44 < Matias_Arg> if I perform tests outside openvpn these operate at 50Mbits
13:44 < Matias_Arg> between nodes
13:44 < hyper_ch> you know that everything goes through the vpn server?
13:45 < Matias_Arg> yes
13:45 < hyper_ch> iperf or I don't believe it
13:45 < Matias_Arg> the servers are mine
13:46 < Matias_Arg> I use tcpdump and ntop and iptraf
13:46 -!- Taftse|M_ [~taftse@unaffiliated/taftse] has joined #openvpn
13:46 < Matias_Arg> ok
13:47 < Matias_Arg> any suggestions to better measure
13:47 < Matias_Arg> are production servers. Is there any risk in using iperf?
13:48 < hyper_ch> it could make the universe implode
13:48 -!- Matias_Arg [~matias@190.246.146.237] has quit [Read error: Connection reset by peer]
13:48 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 272 seconds]
13:48 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 272 seconds]
13:48 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 272 seconds]
13:49 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 264 seconds]
13:50 -!- Matias_Arg [~matias@190.246.146.237] has joined #openvpn
13:50 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:50 < Matias_Arg> sorry did not read if they wrote something
13:50 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
13:50 < esde> it could make the universe implode
13:51 < Matias_Arg> any suggestions to better measure and are production servers. Is there any risk in using iperf?
13:56 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Quit: Thank you for not discussing the outside world.]
13:58 < Matias_Arg> hyper_ch: are you there?
13:59 < Matias_Arg> it is over openvpn iperf3
13:59 -!- Matias_Arg [~matias@190.246.146.237] has quit [Read error: Connection reset by peer]
14:00 -!- Matias_Arg [~matias@190.246.146.237] has joined #openvpn
14:00 < Matias_Arg> and without openvpn
14:00 < Matias_Arg> [ 4] local 10.10.254.2 port 36708 connected to 10.10.254.18 port 5201
14:00 < Matias_Arg> [ ID] Interval Transfer Bandwidth Retr Cwnd
14:00 < Matias_Arg> [ 4] 0.00-1.00 sec 5.98 MBytes 50.2 Mbits/sec 4 405 KBytes
14:00 < Matias_Arg> [ 4] 1.00-2.00 sec 5.28 MBytes 44.3 Mbits/sec 4 340 KBytes
14:00 < Matias_Arg> [ 4] 2.00-3.00 sec 5.20 MBytes 43.6 Mbits/sec 0 377 KBytes
14:00 < Matias_Arg> [ 4] 3.00-4.00 sec 5.54 MBytes 46.4 Mbits/sec 0 399 KBytes
14:00 < Matias_Arg> [ 4] 4.00-5.00 sec 5.27 MBytes 44.2 Mbits/sec 2 307 KBytes
14:00 < Matias_Arg> [ 4] 5.00-6.00 sec 5.19 MBytes 43.5 Mbits/sec 0 328 KBytes
14:00 < Matias_Arg> [ 4] 6.00-7.00 sec 5.17 MBytes 43.3 Mbits/sec 0 339 KBytes
14:00 < Matias_Arg> [ 4] 7.00-8.00 sec 5.19 MBytes 43.5 Mbits/sec 0 342 KBytes
14:00 < Matias_Arg> [ 4] 8.00-9.00 sec 5.18 MBytes 43.4 Mbits/sec 0 342 KBytes
14:00 < Matias_Arg> [ 4] 9.00-10.00 sec 5.19 MBytes 43.5 Mbits/sec 0 342 KBytes
14:00 < esde> no
14:00 < esde> !paste
14:00 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
14:00 < Matias_Arg> ok. sry
14:00 < esde> In the future, please don't spam.
14:01 < hyper_ch> iperf looks good
14:02 < Matias_Arg> the same destination
14:02 < Matias_Arg> but the performance is poor using openvpn
14:02 < Matias_Arg> see the bandwidth
14:02 < Matias_Arg> 50-43Mbits vs 45-14mbits
14:03 < hyper_ch> where's the one with openvpn?
14:04 < Matias_Arg> the first
14:05 < hyper_ch> there's only one
14:05 < hyper_ch> use pastebins to show them properly
14:05 < Matias_Arg> sry
14:06 < Matias_Arg> wait
14:06 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has quit [Excess Flood]
14:07 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has joined #openvpn
14:07 < Matias_Arg> http://pastebin.com/jBZ8j7Eu
14:07 < hyper_ch> pastebin.com is evil
14:08 < hyper_ch> !configs
14:08 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:09 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has quit [Excess Flood]
14:10 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has joined #openvpn
14:10 < Matias_Arg> hyper_ch: I cannot understand what you ask me
14:10 < hyper_ch> I need configs
14:10 < Matias_Arg> ok
14:11 < hyper_ch> without comments
14:11 < Matias_Arg> by pastebin or where?
14:11 < hyper_ch> yes
14:11 < Matias_Arg> it's only a line
14:11 < hyper_ch> but without comments
14:12 < hyper_ch> config is only one line?
14:12 < Matias_Arg> it's run over linux
14:12 < hyper_ch> that should be 10+ lines
14:12 < Matias_Arg> can I paste here?
14:12 < hyper_ch> you can try
14:13 < Matias_Arg> /usr/sbin/openvpn --remote 10.10.254.18 --local 10.10.254.2 --dev tun8 --ifconfig 192.168.2.37 192.168.2.73 --verb 5 --secret /etc/openvpn/clave.key --persist-key --persist-tun --port 5308 --ping 15 --float --daemon --writepid /tmp/pid_tun8
14:14 < hyper_ch> why is that not in a config file?
14:14 < hyper_ch> that's the client config?
14:14 < Matias_Arg> /usr/sbin/openvpn --remote 10.10.254.2 --local 10.10.254.18 --dev tun8 --ifconfig 192.168.2.73 192.168.2.37 --verb 5 --secret /etc/openvpn/clave.key --persist-key --persist-tun --port 5308 --ping 15 --float --daemon --writepid /tmp/pid_tun8
14:14 < hyper_ch> and server config?
14:14 < Matias_Arg> yeap
14:15 < hyper_ch> where's dh? and ca cert?
14:15 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has quit [Excess Flood]
14:15 < Matias_Arg> are not necessary
14:16 < hyper_ch> no idea what the --float is
14:16 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has joined #openvpn
14:16 < Matias_Arg> --float : Allow remote to change its IP address/port, such as through
14:17 < hyper_ch> why don't you use ca.crt and dh.pem?
14:17 < hyper_ch> what's the server config?
14:17 < Matias_Arg> those are the 2 points
14:18 < hyper_ch> ?
14:18 < Matias_Arg> I paste 2 lines
14:18 < esde> methinks he's not using configs
14:18 < Matias_Arg> first client and the second is server
14:18 < hyper_ch> yes, but really weird setup
14:19 < esde> methinks he's using cli arguments for the daemon
14:19 < Matias_Arg> I copied this sample from the openvpn site
14:19 < Matias_Arg> and it really works fine
14:19 < hyper_ch> well, doesn't seem to work fine, otherwise you wouldn't be in here with speed issues
14:19 < Matias_Arg> but I have problem with the speed
14:20 < Matias_Arg> the performance is poor over tun
14:21 < hyper_ch> I'd first try a proper setup like I have it setup
14:21 < hyper_ch> but that's just me
14:23 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:23 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
14:23 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 265 seconds]
14:23 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Read error: Connection reset by peer]
14:24 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:24 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.com] has quit [Remote host closed the connection]
14:24 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has quit [Excess Flood]
14:25 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has joined #openvpn
14:25 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 265 seconds]
14:25 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 265 seconds]
14:25 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
14:25 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 265 seconds]
14:25 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 265 seconds]
14:26 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
14:26 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 265 seconds]
14:26 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
14:26 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 265 seconds]
14:26 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
14:26 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
14:26 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:27 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
14:27 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 244 seconds]
14:29 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 244 seconds]
14:29 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
14:29 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:29 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
14:30 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
14:31 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
14:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
14:32 < Matias_Arg> hyper_ch: are you there?
14:32 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
14:32 < hyper_ch> yes
14:32 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:33 -!- JackWinter_ [~jack@vodsl-9520.vo.lu] has quit [Ping timeout: 244 seconds]
14:33 < Matias_Arg> can you suggest me some change?
14:33 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
14:33 < hyper_ch> that would consist of making a ca, generating server and client certs, and a dh file
14:34 < hyper_ch> and tls-auth
14:34 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
14:35 -!- BtbN [btbn@btbn.de] has joined #openvpn
14:35 < Matias_Arg> hyper_ch: ok, and how would these changes improve the speed?
14:35 < hyper_ch> works for me
14:36 < Matias_Arg> you have a high-traffic network and don't lose performance?
14:36 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
14:36 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
14:36 < Matias_Arg> This did not happen because me up to 20Mbits
14:39 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
14:41 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:42 < Matias_Arg> can someone really help me? I understand that hyper_ch is not going to work with me if I don't do what he asks, and I saw that his solution, besides being cumbersome, will worsen processor usage.
14:43 < esde> my first piece of advice would be to provision a test lab to work on instead of making live changes on your production system(s)
14:43 < Matias_Arg> esde: ok
14:44 < Matias_Arg> esde: I can do that
14:44 < esde> second, what's more important to you. speed of data transfers, or the integrity of those transfers?
14:45 < Matias_Arg> speed and latency
14:45 < Matias_Arg> I have voip
14:45 < esde> then you don't need any PKI (ca, client certs, tls authentication, et al.)
14:46 < esde> but your data becomes more vulnerable to different attacks
14:47 < Matias_Arg> It's run over mpls
14:47 < Matias_Arg> I don't need more security
14:48 < Matias_Arg> I have 2 mpls per site
14:48 < Matias_Arg> I need security
14:48 < Matias_Arg> sry
14:48 < esde> your first goal is to get the test lab up and running. once you've got that, gather your logs, configs (you should be using configs to make things easier), and interface/routing information. then come back, restate your goal, provide pastebin links to your info, and await a reply :)
14:48 < Matias_Arg> I need speed :)
14:48 < Matias_Arg> ok.
14:49 < Matias_Arg> why do I need to use a config file?
14:49 < esde> for our sanity in this case
14:49 < esde> saying, the first one is A
14:50 < esde> the second one is B
14:50 < esde> is difficult to keep track of
14:50 < Matias_Arg> ok.
14:50 < Matias_Arg> thanks esde
14:51 < esde> it's not mandatory, but if I were capable of helping you, I'd prefer to see individual links with the directives inside, rather than try to decipher a command with arguments within the channel
14:52 < Matias_Arg> ok.
14:52 < Matias_Arg> openvpn has no speed limits ?
14:52 < esde> well Gigabit speed needs some tweaking iirc
14:52 < esde> !gbps
14:52 < esde> !gigabit
14:52 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
14:53 < Matias_Arg> ok
14:53 < Matias_Arg> but not 50 Mbits
14:53 < esde> no you could run 100Mbps and saturate your connection
14:54 < Matias_Arg> when removing the LZO compression, I got 30% more performance
14:57 -!- bruce927 [~bruce@cpc10-slou3-2-0-cust163.17-4.cable.virginm.net] has joined #openvpn
14:57 < bruce927> Is it possible to only divert certain traffic through an ovpn connection? I need to connect to some ssh servers but don't want the rest of my traffic going through the vpn connection
14:58 < bruce927> (In linux mint specifically)
14:58 -!- Matias_Arg [~matias@190.246.146.237] has quit [Read error: Connection reset by peer]
14:59 < hyper_ch> bruce927: depends
14:59 < bruce927> hyper_ch on what exactly?
14:59 < hyper_ch> can you use proxies with those apps?
15:00 < hyper_ch> or if you know the destination of that traffic, you could probably add routes to the routing table that will route certain destinations through the vpn
15:01 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
15:01 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
15:01 < bruce927> It's just an SSH connection I want to make, though it would be handy to be able to do it via nemo too so I can mount the ssh volume
15:01 < bruce927> So really, more accurately, is it possible to only send traffic on a certain port (22 in this case) through ovpn?
15:01 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Read error: Connection reset by peer]
15:02 < hyper_ch> bruce927: then make the endpoint a client also in the vpn
15:03 < ValdikSS> Hello. Paypal address openvpn@secure-computing.net is not working?
15:03 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
15:03 <@plaisthos> just give me the money :P
15:03 <@plaisthos> (joking)
15:07 -!- abbe_ [having@badti.me] has joined #openvpn
15:08 -!- abbe [having@badti.me] has quit [Disconnected by services]
15:09 -!- abbe_ is now known as abbe
15:10 -!- roentgen_ [~none@openvpn/community/support/roentgen] has joined #openvpn
15:11 -!- Orbixx_ [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
15:12 -!- nsrbnc [whois@unaffiliated/nsrafk] has joined #openvpn
15:13 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has joined #openvpn
15:14 -!- Netsplit *.net <-> *.split quits: roentgen, clu5ter, Orbixx, nsrafk
15:14 -!- nsrbnc is now known as nsrafk
15:15 < two_oes> !welcome
15:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:15 < two_oes> !howto
15:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:16 -!- mattock is now known as mattock_afk
15:17 < bruce927> hyper_ch: Would doing something like that need access to the vpn server?
15:24 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has joined #openvpn
15:26 -!- mistermajestic [~mistermaj@gateway/vpn/privateinternetaccess/mistermajestic] has quit [Remote host closed the connection]
15:34 -!- user98067 [~Sappo@46-166-164-239.ip-rdns.com] has joined #openvpn
15:35 < user98067> I get this error Authenticate/Decrypt packet error: packet HMAC authentication failed when a client connects, vpn works fine just logs are filling up with that error and other tls errors, how can i fix this?
15:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:48 -!- user98067 [~Sappo@46-166-164-239.ip-rdns.com] has quit [Ping timeout: 252 seconds]
15:51 -!- bruce927 [~bruce@cpc10-slou3-2-0-cust163.17-4.cable.virginm.net] has quit [Ping timeout: 245 seconds]
15:52 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:54 -!- bruce927 [~bruce@cpc10-slou3-2-0-cust163.17-4.cable.virginm.net] has joined #openvpn
15:54 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:54 < bruce927> I figured out that I need to setup a route for a specific IP to the openvpn tunnel IP, how do I get my system to not send all traffic through the virtual tunnel interface?
16:07 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
16:12 -!- bruce927 [~bruce@cpc10-slou3-2-0-cust163.17-4.cable.virginm.net] has quit [Ping timeout: 256 seconds]
16:22 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
16:24 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has quit [Quit: Leaving]
16:26 -!- markelite [croftworth@gateway/shell/yourbnc/x-prquuakoeiqwuipb] has quit [Ping timeout: 272 seconds]
16:28 -!- atyoung_ [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
16:29 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
16:51 -!- benoliver999 [~ben@2001:41d0:a:1fb5::] has quit [Ping timeout: 272 seconds]
16:52 -!- Taftse|M_ [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:53 -!- benoliver999 [~ben@ben.baconseed.org] has joined #openvpn
17:25 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
17:32 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
17:37 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
17:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:44 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
17:49 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
18:03 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:04 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
18:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
18:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:40 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
18:40 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
18:44 -!- markelite [croftworth@gateway/shell/yourbnc/x-ymizpxtrskwrnrnb] has joined #openvpn
18:59 -!- Adian [~tim@c-71-193-193-43.hsd1.or.comcast.net] has joined #openvpn
19:00 < Adian> I have a tun server set up under Linux and I want to get my android 4.1.2 phone connected to it. The android client connects fine and routes are pushed to the android. Somehow no traffic at all travels over the tunnel. I'm sniffing with tcpdump on the server and pinging from adb shell. nothing at all
19:00 < Adian> would anyone be able to help me debug this?
19:09 < esde> type !welcome
19:11 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:12 < Adian> here are my configs: http://pastebin.com/wZUvpsXd
19:12 < Adian> !welcome
19:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:14 < Adian> esde: I think my goal was stated. to clarify that, I want to connect my phone but not route all traffic. But even when I do try to push all traffic, it doesn't work either. I'm not new to OpenVPN, routing, firewalling or any of that. I can also paste logs if you like, though I see no errors currently.
19:16 < Adian> on the firewalling end of things, that's not a problem unless my 4G provider is blocking traffic from my phone. (I don't see how that would be an issue, since the handshake is fully successful.) On my server side, I'm sniffing on tun0. If iptables were blocking that, I'd still see a ping request.
19:29 < Adian> I just started seeing "IP packet with unknown IP version=15 seen" in the server log
19:29 < Adian> initial googling says disable compression. did that. still showing up and no traffic
19:30 -!- ruicruz [~ruicruz@100.ip-5-196-5.eu] has joined #openvpn
19:30 -!- ruicruz [~ruicruz@100.ip-5-196-5.eu] has left #openvpn []
19:33 < Adian> ok, so that error is probably nothing. explained here: http://www.toofishes.net/blog/openvpn-and-aoe-interaction/
19:33 <@vpnHelper> Title: toofishes.net - OpenVPN and ATA over Ethernet (AoE) interaction (at www.toofishes.net)
19:40 < Adian> here's the server side log when my client connects: http://pastebin.com/09KZQaBY
20:04 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
20:06 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:36 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
20:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
20:42 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 264 seconds]
20:46 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
20:55 -!- nullm0dem [~kaiju@ip24-254-180-150.rn.hr.cox.net] has quit [Quit: Lost terminal]
21:02 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Quit: Don't force it, get a bigger hammer.]
21:34 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
21:35 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
21:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
21:44 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
21:46 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
21:47 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
22:00 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:16 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:32 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:46 -!- u0m3_ [~u0m3@92.80.89.9] has joined #openvpn
22:46 -!- u0m3 [~u0m3@92.80.116.127] has quit [Ping timeout: 245 seconds]
22:54 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Quit: Turning IRC client off]
23:31 -!- ShadniX [dagger@p5481DB12.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:32 -!- ShadniX [dagger@p5481DB6D.dip0.t-ipconnect.de] has joined #openvpn
23:52 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has joined #openvpn
23:52 < MrWhoo> Hello @ll
23:54 < MrWhoo> Quick question for you guys, I'm trying to establish two connections to two different VPN servers, Is that possible using one config file ?
23:57 < MrWhoo> !welcome
23:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:58 < MrWhoo> !configs
23:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:58 < MrWhoo> !redirect
23:58 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:58 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:59 < MrWhoo> !route
23:59 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
23:59 <@vpnHelper> client
--- Day changed Tue Jan 13 2015
00:07 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
00:07 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
00:08 -!- badon_ is now known as badon
00:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:24 -!- mattock_afk is now known as mattock
00:40 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 264 seconds]
00:50 -!- mattock is now known as mattock_afk
00:50 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
00:51 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
00:57 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
01:02 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has joined #openvpn
01:07 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has quit [Ping timeout: 246 seconds]
01:13 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
01:20 -!- master_o1_master [~master_of@p4FD7B4C2.dip0.t-ipconnect.de] has joined #openvpn
01:23 -!- master_of_master [~master_of@p4FF24197.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
01:26 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
01:33 -!- mattock_afk is now known as mattock
02:13 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 245 seconds]
02:33 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 244 seconds]
02:36 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
03:15 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
03:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Quit: Lost terminal]
03:27 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
03:28 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:34 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
03:41 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
03:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
03:51 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
03:53 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
03:53 < troulouliou_dev> hi, how can I push some static route in the server config but not redirect the gateway?
03:56 < hyper_ch> push "route 10.66.0.0 255.255.255.0"
03:56 -!- Orbixx_ is now known as Orbixx
03:57 < troulouliou_dev> hyper_ch, at client side ?
03:57 < hyper_ch> that's in the server config
03:57 < hyper_ch> and then it gets pushed to the client
03:57 < hyper_ch> to all clients if it's in the main server config
03:57 < hyper_ch> or individual clients if it's in ccds
03:58 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
03:59 < hyper_ch> what are you trying to achieve though?
04:03 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
04:04 < troulouliou_dev> hyper_ch, all my clients that connect get their gateway redirected as well
04:04 < troulouliou_dev> hyper_ch, I'm already using a push config like this for the internal network
04:05 < hyper_ch> !configs
04:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:08 < troulouliou_dev> hyper_ch, can't get it; as soon as I connect to the server, the gateway is redirected :)
04:08 < hyper_ch> what you mean you can't get it?
04:08 < hyper_ch> pretty sure you can reach your server...
04:08 < troulouliou_dev> hyper_ch, basically I want a "route no-pull gateway" or similar on the server side
04:09 < hyper_ch> and get the configs
04:09 < troulouliou_dev> hyper_ch, yes, but then the gateway is redirected
04:09 < troulouliou_dev> and all traffic goes to the gateway, so the connection closes
04:09 < hyper_ch> I fail to comprehend
04:09 < hyper_ch> kill on your client the vpn
04:09 < hyper_ch> and connect to the server through its public ip
04:09 < troulouliou_dev> hyper_ch, ha, I have only openvpn listening on it
04:10 < hyper_ch> I have no idea what you're doing
04:10 < hyper_ch> so, I need configs
04:11 < troulouliou_dev> hyper_ch, after connecting the client, here is my route -n : 0.0.0.0 192.168.115.1 0.0.0.0 UG 1024 0 0 tun0
04:11 < troulouliou_dev> normally it should stay to 0.0.0.0 192.168.1.1
04:11 < hyper_ch> as said, provide configs from server, client and if applicable ccd entries
04:11 < troulouliou_dev> hyper_ch, yeah, but I don't have the server conf here ;(
04:11 < troulouliou_dev> will do tomorrow
04:12 < hyper_ch> just ssh into the server...
04:13 < troulouliou_dev> hyper_ch, no ssh there without openvpn
04:13 < hyper_ch> how do you administrate that server???
04:19 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Read error: Connection reset by peer]
04:30 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
04:31 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
04:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:40 -!- hypermist is now known as pcupgrades
04:44 -!- pcupgrades is now known as hypermist
04:51 -!- JackWinter [~jack@vodsl-10478.vo.lu] has quit [Quit: Konversation terminated!]
04:59 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
05:05 < hyper_ch> krzee: hmm, made progress now... I now convert the ip addresses to binary format.... now I just need some cool algorithm to convert the range into cidr
05:14 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 245 seconds]
05:23 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
05:44 * plaisthos still thinks that coding in shell is crazy
05:46 < hyper_ch> ?
05:46 < hyper_ch> why is that crazy?
05:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:05 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Ping timeout: 265 seconds]
06:09 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
06:27 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
06:27 -!- atyoung_ [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
06:27 -!- K1rk [~Kirk@5.135.221.149] has quit [Ping timeout: 250 seconds]
06:27 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
06:27 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has quit [Ping timeout: 250 seconds]
06:28 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
06:31 -!- Henryabcd [~Henryabcd@pD9E0995D.dip0.t-ipconnect.de] has joined #openvpn
06:32 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
06:33 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
06:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
07:04 -!- xMopxShell [~xMopxShel@davepedu.com] has quit [Ping timeout: 245 seconds]
07:15 -!- Henryabcd [~Henryabcd@pD9E0995D.dip0.t-ipconnect.de] has quit [Quit: Leaving]
07:16 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has joined #openvpn
07:29 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
07:36 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 256 seconds]
07:37 -!- PLOKIJ__ [c39a4463@gateway/web/freenode/ip.195.154.68.99] has joined #openvpn
07:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
07:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:38 -!- mode/#openvpn [+o syzzer] by ChanServ
07:40 -!- JackWinter [~jack@vodsl-10478.vo.lu] has quit [Excess Flood]
07:40 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
07:40 < PLOKIJ__> Hi. There is a DNS service running on my OpenVPN server. This DNS server is not accessible from outside the VPN. I want to push my server in-VPN IP to the clients. The problem is (if I understood correctly) that the VPN server will have
07:41 < PLOKIJ__> a different IP for each client.
07:41 < PLOKIJ__> Is there a way to refer to the in-VPN server IP for each client ?
07:42 < PLOKIJ__> (Or am I doing everything wrong in which case a reference would help.)
07:43 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
07:55 < hyper_ch> no, vpn server has same ip for all clients
07:55 < PLOKIJ__> Oh nevermind vpn_gateway that is.
07:55 -!- PLOKIJ__ [c39a4463@gateway/web/freenode/ip.195.154.68.99] has quit []
08:00 < hyper_ch> krzee: http://venturebeat.com/2015/01/12/this-usb-wall-charger-secretly-logs-keystrokes-from-microsoft-wireless-keyboards-nearby/
08:00 <@vpnHelper> Title: This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby | VentureBeat | Security | by Emil Protalinski (at venturebeat.com)
08:12 < esde> also interesting, http://samy.pl/pwnat/
08:12 <@vpnHelper> Title: pwnat - NAT to NAT client-server communication (at samy.pl)
08:13 < esde> if i understand correctly it's a PoC similar to the idea being discussed in that wishlist thread
08:36 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
08:46 -!- Fusl [~Fusl@gateway/tor-sasl/fusl] has joined #openvpn
08:47 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Zzzzzz]
08:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:07 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
09:09 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:12 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has quit [Ping timeout: 264 seconds]
09:19 -!- speaker1234 [~speaker12@173-14-129-9-NewEngland.hfc.comcastbusiness.net] has joined #openvpn
09:38 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
10:01 -!- xMopxShell [~xMopxShel@198.27.127.96] has joined #openvpn
10:02 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:02 < masterkorp> hello
10:02 < masterkorp> Tue Jan 13 16:01:25 2015 TCP connection established with [AF_INET]172.31.37.18:51289
10:02 < masterkorp> how can I limit the port that the server uses to connect to the client ???
10:08 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:27 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
10:27 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
10:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:29 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
10:30 < masterkorp> http://thread.gmane.org/gmane.network.openvpn.user/35538
10:30 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org)
10:30 -!- Yoder [Yoda@unaffiliated/itsyoda] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
10:30 < masterkorp> shameless link for help
10:31 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
10:33 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:47 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:51 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
10:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:36 -!- nikgul [~nikgul@176.126.52.105] has joined #openvpn
11:38 < nikgul> hi, I'd like to get access to my home ubuntu laptop from office, I suppose to use vpn, I have router d-link dir 300 and ext ip is dynamic white, can you help me with it?
11:39 < nikgul> !welcome
11:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:40 < nikgul> !goal I'd like to get access to my home ubuntu laptop from office
11:40 < nikgul> !goal
11:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:44 < hyper_ch> Mr. ecrist, when you peek into this channel, let me know
11:44 -!- singcat [~singcat@gateway/tor-sasl/singcat] has joined #openvpn
11:45 < singcat> I set up an openvpn server on my mikrotik router, and can successfully connect to it using a windows openvpn client, but cannot connect to anything in the router's LAN. I do not receive any gateway from the router. What should I do?
11:45 < singcat> Router is running on routeros 6.24, and I am connecting from win7x64 with openvpn 2.3.6
11:46 < singcat> I receive correct ip address 172.16.0.2 netmask 255.255.255.252 on the client, but no default gateway
11:46 < hyper_ch> !lan
11:46 < singcat> My local network is 192.168.0.0/24, router's local network is 192.168.1.0/24
11:46 < esde> !lans
11:47 <@vpnHelper> "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:48 < hyper_ch> tststs.... those nerds have more than one lan.... :)
11:50 -!- nikgul [~nikgul@176.126.52.105] has quit []
11:54 < hyper_ch> krzee: I have my script almost hacked together :)
11:55 < singcat> the router has limited options - there is no standard openvpn server conf file - therefore I cannot push arbitrary routes from server
11:56 < hyper_ch> then let openvpn server run on a different computer in your lan and not on the router
11:56 < singcat> there is no computer in the router's lan, there are only ip cameras behind the router
11:59 < hyper_ch> krzee: http://wiki.snom.com/8.7.5.15_OpenVPN_Security_Update
11:59 <@vpnHelper> Title: 8.7.5.15 OpenVPN Security Update - Snom User Wiki (at wiki.snom.com)
12:00 < hyper_ch> krzee: openvpn client on snom is affected
12:07 < masterkorp> http://sourceforge.net/p/openvpn/mailman/message/33226669/
12:07 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
12:07 < masterkorp> any ideas ?
12:17 < masterkorp> Why does the openvpn server connect to a random port on the client ????????
12:17 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has joined #openvpn
12:31 < masterkorp> Tue Jan 13 18:29:36 2015 TCP connection established with [AF_INET]172.31.37.18:51385
12:31 < masterkorp> how can i force the server to connect to the same port back ??
12:33 < masterkorp> this does not make sense to me
12:33 < masterkorp> can anyone please help
12:33 < masterkorp> ?
12:42 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:44 < svm_invictvs> So OpenVPN clients in Windows are not able to connect to anything in the VPN.
12:44 < svm_invictvs> The identical configuration file works fine for OSX
12:44 < svm_invictvs> The Windows log shows no errors, and even shows the routing tables.
12:45 < svm_invictvs> I've also disabled windows firewall completely, rebooted, tried several times making sure it was really disabled.
12:45 < hyper_ch> actually, openvpn clients in windows are able to connect to vpns.... works fine in my Windows 8.1 virtual machine
12:47 < singcat> svm_invictvs: what about the openvpn log?
12:47 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
12:48 < hyper_ch> real men don't need log files ;)
12:48 -!- pervy_sage [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:49 -!- pervy_sage is now known as svm_invictvs
12:51 -!- le0 [~le0@unaffiliated/le0] has quit [Ping timeout: 244 seconds]
12:53 < esde> svm_invictvs, unfortunately, our collective crystal ball is on the fritz right now. If you could gather your uncommented configs, log files, routing and interface information, and share the pastebin links, that'd be great.
12:54 < singcat> esde: he's gone
12:54 < hyper_ch> svm_invictvs: why didn't you keep your pervy_sage nick? it was said he died :(
12:55 < esde> singcat, huh?
12:56 < svm_invictvs> esde, Sec
12:57 < masterkorp> any ideas ?
13:19 -!- Blue2000k [~chatzilla@67.208.108.228] has joined #openvpn
13:21 < KavanS> guys, I'm looking to route a certain local subnet to use my remote VPN endpoint as their internet gateway. Can anyone suggest a document/howto for someone who's not looking to become an expert in iptables-foo?
13:22 < esde> !howto
13:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:22 < esde> also, putting blinders on (so to speak) regarding iptables is the wrong attitude entirely.
13:23 < KavanS> esde: I feel you...
13:23 < KavanS> I'm mediocre at iptables
13:24 < KavanS> esde: I'm specifically looking to route a local subnet to a remote gateway which is a bit new for me topic wise
13:24 < esde> for forwarding there's nothing really difficult. the hard stuff is when you want to do weird stuff
13:24 < esde> what have you got so far?
13:24 < esde> !allinfo
13:24 <@vpnHelper> "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you
13:25 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
13:25 < KavanS> esde: vpn is connected, can route back and forth
13:26 < KavanS> so like...I'd like a new subnet ex 192.168.4.x to be routed entirely over to the VPN
13:26 < KavanS> any internet request hits out the remote VPN endpoint
13:26 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
13:27 < KavanS> just not sure what I need to read to determine how to set it up
13:28 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
13:31 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
13:31 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 245 seconds]
13:45 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
13:46 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Remote host closed the connection]
13:46 -!- Blue2000k [~chatzilla@67.208.108.228] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
13:57 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
14:10 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
14:24 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
14:28 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:39 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has quit [Quit: Leaving]
14:41 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
14:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
14:44 -!- speaker1234 [~speaker12@173-14-129-9-NewEngland.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
14:47 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
14:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:56 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
14:56 -!- `Yoda [Yoda@gateway/shell/yourbnc/x-ifftiopviorfsduj] has joined #openvpn
14:59 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
15:10 -!- mattock is now known as mattock_afk
15:22 -!- singcat [~singcat@gateway/tor-sasl/singcat] has quit [Ping timeout: 250 seconds]
15:26 -!- linton [~linton@96-18-216-10.cpe.cableone.net] has joined #openvpn
15:27 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
15:30 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
15:32 -!- Netsplit *.net <-> *.split quits: @Dougy, jeev, Mike--, AsadH, Chais, deviantintegral, typ, mirco, thumbs, Reventlov, (+40 more, use /NETSPLIT to show all of them)
15:34 -!- Netsplit *.net <-> *.split quits: nsrafk, tapout, u0m3_, @dazo_afk, mcp, novae, ExtraCarpety, Jeroen52, kossy, bakhtiya, (+1 more, use /NETSPLIT to show all of them)
15:34 -!- Netsplit over, joins: doop, deviantintegral, thumbs, jeev, @novaflash, Pandemic_Force, CGML, yoavz, airking, @Dougy (+49 more)
15:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
15:35 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Max SendQ exceeded]
15:35 -!- Netsplit over, joins: tapout
15:35 -!- Netsplit *.net <-> *.split quits: atyoung, Fusl, moparisthebest, DrCode, Shiftos
15:35 -!- Latrina [~Latrina@ppp-170-5.26-151.libero.it] has quit [Max SendQ exceeded]
15:35 -!- Netsplit over, joins: moparisthebest, atyoung, DrCode, Fusl, Shiftos
15:36 -!- Netsplit *.net <-> *.split quits: K1rk
15:36 -!- Netsplit over, joins: K1rk
15:36 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Max SendQ exceeded]
15:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Max SendQ exceeded]
15:36 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Max SendQ exceeded]
15:36 -!- K1rk [~Kirk@5.135.221.149] has quit [Max SendQ exceeded]
15:36 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Max SendQ exceeded]
15:36 -!- Netsplit *.net <-> *.split quits: badon, Droolio
15:36 -!- Netsplit over, joins: kossy
15:36 -!- Netsplit *.net <-> *.split quits: master_o1_master, ShadniX, shivanshu, julieeharshaw, haasn, james41382
15:36 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
15:36 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
15:36 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
15:37 -!- Latrina [~Latrina@ppp-170-5.26-151.libero.it] has joined #openvpn
15:37 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
15:37 -!- Netsplit over, joins: badon, Droolio, master_o1_master, ShadniX, haasn, james41382, shivanshu, julieeharshaw
15:37 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
15:37 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
15:38 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Max SendQ exceeded]
15:38 -!- Netsplit *.net <-> *.split quits: burp_, Slippern, mete, Adian, ratsupremacy, zalami, jl-, D-Boy, nlb, Zimsky, (+6 more, use /NETSPLIT to show all of them)
15:39 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:39 -!- mode/#openvpn [+v hazardous] by ChanServ
15:39 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
15:39 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 244 seconds]
15:40 -!- Netsplit over, joins: lbft, Left_Turn, Slippern, Adian, D-Boy, masterkorp, ratsupremacy, jl-, Zimsky
15:40 -!- mete [~mete@91.247.253.160] has joined #openvpn
15:40 -!- Netsplit over, joins: jgeboski, burp_, zalami, Papey, TheEternalAbyss, nlb
15:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:42 -!- Netsplit *.net <-> *.split quits: marlinc, BtbN, Exagone313
15:42 -!- Netsplit over, joins: BtbN, marlinc, Exagone313
15:42 -!- Exagone313 [exa@ewd.ovh] has quit [Max SendQ exceeded]
15:43 -!- Netsplit *.net <-> *.split quits: keatont, Kephael, @mattock_afk, phunyguy, MogDog, cyberspace-
15:43 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
15:43 -!- Netsplit over, joins: Kephael, phunyguy, cyberspace-, keatont, MogDog, @mattock_afk
15:43 -!- Netsplit *.net <-> *.split quits: MatToufoutu
15:44 -!- Netsplit over, joins: MatToufoutu
15:46 -!- Netsplit *.net <-> *.split quits: Denial, KavanS, DonRichie, APTX, d10n, Synced, MatToufoutu, @raidz, Papey, Zimsky, (+158 more, use /NETSPLIT to show all of them)
15:48 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Read error: Network is unreachable]
15:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:51 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:51 -!- Netsplit over, joins: Thermi
15:51 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
15:51 -!- Netsplit over, joins: mattock_afk, MatToufoutu, MogDog, keatont, cyberspace-, phunyguy, Kephael, Exagone313, marlinc, BtbN (+6 more)
15:51 -!- mete [~mete@91.247.253.160] has joined #openvpn
15:51 -!- Netsplit over, joins: shivanshu, Zimsky, jl-, ratsupremacy, masterkorp, Adian, Slippern, Left_Turn, lbft, badon (+14 more)
15:51 -!- ServerMode/#openvpn [+vo hazardous mattock_afk] by sendak.freenode.net
15:51 -!- Netsplit over, joins: @dazo_afk, @vpnHelper, riddle, @novaflash, roentgen_, pekster, Haigha, lev__, ender|, atyoung (+101 more)
15:51 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:51 -!- Netsplit over, joins: architekt, Esya, Fiouz, boypussy, gardar, hydrajump, early
15:51 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Max SendQ exceeded]
15:51 -!- esde [~esde@unaffiliated/esde] has quit [Max SendQ exceeded]
15:51 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
15:51 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Max SendQ exceeded]
15:51 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Ping timeout: 288 seconds]
15:52 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
15:52 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
15:53 -!- Netsplit *.net <-> *.split quits: MacGyver, markelite, Brando753, DArqueBishop, hyper_ch, pekster, jareth_, Anoniem4l, Orbixx, Drustan, (+4 more, use /NETSPLIT to show all of them)
15:53 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
15:53 -!- Netsplit over, joins: Anoniem4l, Orbixx, pekster, DArqueBishop, seba, SushiDude, MacGyver, lachesis, Drustan, hyper_ch (+2 more)
15:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:54 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
15:54 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
15:54 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
15:54 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:54 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
15:54 -!- Synced [~Synced@unaffiliated/synced] has joined #openvpn
15:54 -!- ServerMode/#openvpn [+o raidz] by sendak.freenode.net
15:54 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
15:54 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
15:54 -!- Netsplit over, joins: Brando753
15:54 -!- Netsplit *.net <-> *.split quits: kloeri, Y0sh1, ender|, Fiouz, kef, obscurehero, pythonsnake1, deranged, Haigha, busch, (+9 more, use /NETSPLIT to show all of them)
15:54 -!- Netsplit over, joins: Haigha, ender|, Y0sh1, halothe23, maxiepax, ketas, deranged, obscurehero, pythonsnake1, Matir_ (+5 more)
15:54 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:54 -!- Netsplit over, joins: architekt, Fiouz, hydrajump
15:54 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
15:54 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has quit [Max SendQ exceeded]
15:54 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has quit [Max SendQ exceeded]
15:55 -!- Netsplit *.net <-> *.split quits: lev__, JackWinter, Eagleman, bakhtiya, boypussy, RGamma, XJR-9, badon, +RBecker, almostworking, (+7 more, use /NETSPLIT to show all of them)
15:55 -!- Guest77113 [~Tony@unaffiliated/darkg] has joined #openvpn
15:55 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
15:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Max SendQ exceeded]
15:55 -!- KavanS [~quassel@LINBIT/KavanS] has quit [Max SendQ exceeded]
15:55 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Max SendQ exceeded]
15:55 -!- justinzane [~justinzan@67.21.190.132] has quit [Remote host closed the connection]
15:56 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
15:57 -!- markelite [croftworth@gateway/shell/yourbnc/x-vjuydoaqeudxtzon] has joined #openvpn
15:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:58 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:59 -!- Netsplit over, joins: badon, bakhtiya, Reventlov, roentgen_, XJR-9, +RBecker, dkr, Eagleman, Arr0way, RGamma (+6 more)
16:01 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Max SendQ exceeded]
16:01 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
16:01 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:03 -!- Netsplit *.net <-> *.split quits: Denial, nullie, shadok, badon, Nothing4You, early, boypussy, dkr, Six6siX, kloeri, (+53 more, use /NETSPLIT to show all of them)
16:04 -!- Netsplit *.net <-> *.split quits: Synced, MatToufoutu, @raidz, Adian, +hazardous, Poster, BtbN, cyberspace-, Slippern, lbft, (+12 more, use /NETSPLIT to show all of them)
16:04 -!- Netsplit *.net <-> *.split quits: Papey, Zimsky, DrCode, master_o1_master, Brando753, julieeharshaw, K1rk, shivanshu, jl-, ratsupremacy, (+15 more, use /NETSPLIT to show all of them)
16:05 -!- Netsplit *.net <-> *.split quits: d10n, DonRichie, arkie, Magiobiwan, @novaflash, riddle, APTX, `Yoda, mcp, Jeroen52, (+50 more, use /NETSPLIT to show all of them)
16:05 -!- markelite [croftworth@gateway/shell/yourbnc/x-vjuydoaqeudxtzon] has quit [Excess Flood]
16:06 -!- Netsplit over, joins: badon, JackWinter, early, gardar, boypussy, lev__, almostworking, asper, RGamma, Arr0way (+160 more)
16:09 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
16:09 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection]
16:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 241 seconds]
16:09 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:09 -!- markelite [~croftwort@gateway/shell/yourbnc/x-rziadwgwujgwgecs] has joined #openvpn
16:11 -!- hypermist [hypermist@unaffiliated/hypermist] has quit [Quit: Consider Donating - http://nzminers.pw/]
16:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:12 -!- mode/#openvpn [+o syzzer] by ChanServ
16:12 -!- hypermist [hypermist@unaffiliated/hypermist] has joined #openvpn
16:15 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
16:15 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
16:19 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:29 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has quit [Quit: WeeChat 0.3.8]
16:31 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
16:31 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:32 -!- badon_ is now known as badon
16:38 -!- hyper_ch [~hyper_ch@unaffiliated/hyper-ch/x-5230410] has left #openvpn ["Konversation terminated!"]
16:38 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Remote host closed the connection]
16:38 -!- hyper_ch [~hyper_ch@unaffiliated/hyper-ch/x-5230410] has joined #openvpn
16:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
16:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:48 -!- mode/#openvpn [+o syzzer] by ChanServ
16:58 -!- linton [~linton@96-18-216-10.cpe.cableone.net] has quit [Ping timeout: 244 seconds]
17:04 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:23 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:28 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Read error: Connection reset by peer]
17:32 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
17:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
17:36 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
17:38 -!- carlcrack [~carlcrack@gateway/vpn/privateinternetaccess/carlcrack] has joined #openvpn
17:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:42 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
17:45 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
17:50 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
18:03 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
18:09 -!- ShadniX [dagger@p5481DB6D.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
18:09 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Ping timeout: 264 seconds]
18:09 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 264 seconds]
18:09 -!- Droolio [~drool@host86-134-61-249.range86-134.btcentralplus.com] has quit [Ping timeout: 264 seconds]
18:09 -!- master_o1_master [~master_of@p4FD7B4C2.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
18:09 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 264 seconds]
18:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 264 seconds]
18:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
18:09 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
18:09 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
18:10 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:10 -!- ShadniX [dagger@p5481DB6D.dip0.t-ipconnect.de] has joined #openvpn
18:20 <@ecrist> hyper_ch: ping
18:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
18:28 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
18:36 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:55 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
19:06 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Read error: Connection reset by peer]
19:06 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 244 seconds]
19:08 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
19:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
19:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
19:10 -!- mode/#openvpn [+o syzzer] by ChanServ
19:14 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
19:19 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:23 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
19:25 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has joined #openvpn
19:26 < MrWhoo> Hello @ll
19:27 < esde> ecrist, may I have an openvpn user cloak to replace my unaffiliated one?
19:28 < MrWhoo> I'm trying to do selective routing but not having any luck, I tried the "route" xx.xx.xx.xx xx.xx.xx.xx dev tap0
19:28 < MrWhoo> http://pastebin.com/vw6C07kM
19:29 < pekster> MrWhoo: MIPS, as in embedded, like OpenWRT?
19:30 < MrWhoo> yes sir, it's a DD-WRT actually
19:30 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
19:30 < pekster> Ugh, they're full of much fail and you might reconsider
19:30 < pekster> !dd-wrt
19:30 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
19:30 < MrWhoo> I got it working with another VPN provider but for some reason its not working.
19:31 < MrWhoo> ha! good to know.
19:31 < pekster> fwiw, for advanced routing you generally want real tooling, which dd-wrt may/may-not actually give you. Namely proper Netfilter userland tooling (specifically iptables-save & iptables-restore frontends to xtables-multi) and iproute2
19:31 < pekster> the busybox implementation/interface to `ip` works well fwiw, at least on a more hacker-friendly distro like openwrt provided it's built with the right support (no clue how dd-wrt builds things, and they have a very hostile build system that I care very little for)
19:32 < pekster> MrWhoo: What's the goal here though? Just route a particular IP/CIDR block via the VPN?
19:32 < MrWhoo> Sounds complicated :), But let me ask you this, I would like to have 2 VPN connections UP and route traffic based on destination IP to my ISP or via tap0 and tap1, is that doable ?
19:32 < pekster> Basic routing tables will do that, even via openvpn using the --route command
19:32 < pekster> Destination IP, yes. But not DNS names, if that's what you're really trying to do and failed to say so
19:32 < pekster> And no, "figuring out the IPs based on DNS names" is very likely to break, so don't try that
19:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
19:33 -!- mode/#openvpn [+o syzzer] by ChanServ
19:34 < MrWhoo> sorry for not being clear, Pretty much trying to route traffic EU via EU VPN and NA via NA VPN all other via ISP, I do have full IP ranges of the servers.
19:35 * pekster doesn't really understand your use-case, but it sounds to me like you just want to read about the --route directive in the openvpn manpage and set these destination networks you already have a list of, and place them in each of your VPN configs
19:35 -!- u0m3_ [~u0m3@92.80.89.9] has quit [Read error: Connection reset by peer]
19:35 < MrWhoo> route-nopull route xx.xxx.xx.xx 255.255.255.0 net_gateway route xx.xx.xx.0 255.255.240.0 vpn_gateway
19:36 < pekster> You shouldn't need that net_gateway bit with --route-nopull
19:36 < MrWhoo> and this does the trick with one VPN provider but not with other.
19:36 < pekster> (that's because without pulling routes, everything already goes via the net_gateway)
19:36 < MrWhoo> good to know.
19:36 < pekster> You also must verify you're not attempting to route the traffic to the VPN server over the VPN for what should be obvious reasons
19:37 < pekster> Otherwise, check logs at --verb 4 for clues if the route isn't getting added. It'll either be in your routing table or it won't
19:38 < MrWhoo> thank you, I will go and poke around :)
19:39 < MrWhoo> I had verbose at 3
19:39 < MrWhoo> instead of 4 maybe that's why I couldn't see what is going on.
19:39 < pekster> Yea, best to use 4, at least until you're done tracking down issues
19:39 < pekster> !verb
19:39 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage. or (#3) Anything more than 5 is for developer debugging only
19:39 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 244 seconds]
19:42 < MrWhoo> thank you, it's weird, the log does not even show a record for trying to add the route :(
19:43 < MrWhoo> I'm blind
19:43 < MrWhoo> OpenVPN ROUTE: failed to parse/resolve route for host/network: 141.101.120.14
19:43 < pekster> Sounds like a config mistake; verified your config file syntax against the manpage requirements?
19:45 < MrWhoo> I did look at the manpage but let me double check,:)
19:45 < pekster> Otherwise, a pastebin of your openvpn configs (comments/blanks removed, we've got a grep for that at !configs) would help
19:46 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:47 < MrWhoo> !configs
19:47 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:48 < MrWhoo> http://pastebin.com/rWY29bcw
19:49 < MrWhoo> thank you for looking it over
19:52 < pekster> line 48 is incorrect; you only get a single route target. If you want it via the VPN, this is the default (assuming everything else is properly set up) and you may omit the 3rd argument to --route
19:52 < MrWhoo> no OpenWrt support for my router :(
19:52 < pekster> You can't treat it like the `ip route` command here
19:54 < pekster> vpn_gateway might be the only possible value you'd need for the 3rd argument, but you may not need that unless it's dropped by --route-nopull (I don't recall offhand if it does or not)
19:55 < MrWhoo> I will drop the vpn_gateway I actually already did when you mentioned it 1st :)
19:56 < pekster> You don't have it in that config paste
19:56 < MrWhoo> This was local backup, I updated directly on router via ssh.
19:56 < pekster> I'm not talking about line 47 (which you don't need, unless that's part of a supernet you're otherwise attempting to route and need to send it out your real egress route here.)
19:56 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:57 < MrWhoo> dev tun0
19:57 < pekster> Yea, either remove that, or replace it with vpn_gateway if that's not implied for some reason
19:57 < MrWhoo> let me re test
19:58 < pekster> Do be warned that IP you're attempting to route might be part of a CDN, which may not be doing what you expect when you muck with routing those uniquely
19:59 < pekster> YMMV based on what it's actually used for
20:00 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:00 < svm_invi1tvs> Heya
20:00 < svm_invi1tvs> So I finally go around to getting my log/config
20:00 < svm_invi1tvs> Basically with this server config everything works fine on OSX, but fails on Windows.
20:00 < svm_invi1tvs> http://mysticpaste.com/view/XMjk4JMoje;jsessionid=1m1m2drf1oz201cazcnjw7m1ce?2
20:02 < MrWhoo> @pekster, I did notice that it was Cloudflare.
20:02 < MrWhoo> this was actually a website that checks IP
20:03 < svm_invi1tvs> (I've already verified the Windows Firewall is not the issue)
20:03 < MrWhoo> I will find another one that is not using CDN.
20:03 < pekster> Not just that, but it's listed as a CDN block (see the public whois info.) It may/may-not be the same query to query, client to client
20:04 < pekster> svm_invi1tvs: Best to avoid those networks you're using, since 10.0.0/24 is very often used by client networks (default routers, etc.) If your client is connecting from them, that'll cause issues. Same with 10.0.1/24, which might be slightly less common. Best to use a !randomsubnet
20:04 < svm_invi1tvs> !randomsubnet
20:04 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
20:05 < pekster> line 33 is unnecessary (implied by line 23 already)
20:05 < svm_invi1tvs> pekster: Yeah, but I know the client is using 192.168.1.1
20:05 < pekster> Not broken in that case, anyway
20:05 < svm_invi1tvs> pekster: Trying to eliminate the problem, and as I said works fine with OSX from the same client network.
20:06 < pekster> Then you'll need logs and a better description of "fails"
20:07 < svm_invi1tvs> pekster: well in mac I can establish a socket with a box inside the VPN. ssh foo@somebox.mydomain.com
20:07 < svm_invi1tvs> pekster: When I try to do that in putty on Windows (from the same network) no dice
20:07 < svm_invi1tvs> pekster: connection times out
20:07 < svm_invi1tvs> pekster: I'm digging up logs right now
20:08 < MrWhoo> ha, some progress: once I added "vpn_gateway" the route was added
20:08 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
20:08 < MrWhoo> but I can't reach the website .. it times out :(
20:09 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Quit: Konversation terminated!]
20:09 < MrWhoo> http://pastebin.com/inHAFxxL - routing table
20:10 < MrWhoo> 66.171.248.172 - is the new IP
20:10 < MrWhoo> and looks like its pointing to tun0
20:10 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:11 < pekster> Either you're connecting to the UK Ministry Of Defense as your VPN provider, or they're doing very silly/stupid things (and not all that clever, but that's besides the point and not really important)
20:12 < pekster> But yes, that IP is listed as routed via the "UK MOD" (aka, whatever 25.0.8.1 really is, since the MOD doesn't route publicly)
20:13 < MrWhoo> VPN provider is Ironsocket
20:13 < pekster> Also, wtf is up with your 1.0/16 route? Also very odd, and belongs to APNIC
20:14 < MrWhoo> :) I just like how easy it was ... :)
20:17 < MrWhoo> Is that gateway 25.0.8. being pushed by Iron Socket?
20:20 < MrWhoo> PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology-subnet,mssfix 1400,comp-lzo adaptive,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,dhcp-option DNS 25.0.0.1,dhcp-option DISABLE-NBT,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,register-dns,block-ipv6,route-gateway 25.0.8.1,topology subnet,ping 12,ping-restart 50,ifconfig 25.0.8.4 255.255.255.0'
20:20 < MrWhoo> it is, very strange
20:20 < pekster> That's the network they don't own that they're pushing. Unless it really is the UK MoD, in which case all your base are belong to the Queen.
20:21 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
20:22 < MrWhoo> haha :) I hope that I don't get in trouble for trying to push traffic there ... as it's not taken as an attack or something.
20:23 < MrWhoo> I guess I have to reach out to them and ask to fix this ? I assume this is server config issues ?
20:23 < pekster> Lots of fools use that IP space, plus bunches of other quasi-bogon space. It's usually an indication that the party using it isn't all that aware of what they're doing, but it's not "broken" so much as something they ought not to be doing
20:24 < MrWhoo> good to know, I was getting concerned.
20:25 < MrWhoo> any recommendations for good VPN provider ?
20:25 < esde> yourself
20:25 < pekster> !learn 25/8 As God Save the Queen! This IP block is assigned for use by the UK Ministry of Defense. If it's used by someone not the UK MoD, they're probably trying (and failing) to be clever. If you're doing this, use RFC1918 space (see: !randomsubnet for ideas.) Or better, use IPv6.
20:25 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
20:26 < pekster> !learn 25/8 as God Save the Queen! This IP block is assigned for use by the UK Ministry of Defense. If it's used by someone not the UK MoD, they're probably trying (and failing) to be clever. If you're doing this, use RFC1918 space (see: !randomsubnet for ideas.) Or better, use IPv6.
20:26 <@vpnHelper> Joo got it.
20:26 < MrWhoo> !randomsubnet
20:27 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
20:27 < MrWhoo> http://scarydevilmonastery.net/subnet.cgi < Dead Link
20:27 < MrWhoo> or actually 502 Bad Gateway
20:27 < pekster> Good thing that shell snippet works under zsh, bash, and mksh (and likely many others) then
20:29 < MrWhoo> :)
20:29 < MrWhoo> As for setting up my own OpenVPN server, too expensive :(
20:29 < MrWhoo> even with cheap VPS's
20:29 < pekster> !learn randomsubnet Or try this perl oneliner: `perl -e 'printf "10.%d.%d.0/24\n", int(rand(256)), int(rand(256));'`
20:29 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
20:30 < pekster> !learn randomsubnet as Or try this perl oneliner: `perl -e 'printf "10.%d.%d.0/24\n", int(rand(256)), int(rand(256));'`
20:30 <@vpnHelper> Joo got it.
20:30 < esde> you can get an okay vps for around $3.50/m
20:30 < MrWhoo> really ? any examples
20:30 < esde> last paid vpn i used was years ago and ~$15/m
20:30 < esde> ramnode
20:30 < MrWhoo> I will check them out, thx
20:31 < esde> there's plenty at the $5 price point too, DigitalOcean, Vultr, are the first couple that come to mind
20:31 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:31 < KavanS> if you want a really cheap one check out buyvm.net, cheaper than $5 a month
20:32 -!- testerbit [~testerbit@unaffiliated/testerbit] has joined #openvpn
20:32 < MrWhoo> thx guys.
20:33 -!- testerbit [~testerbit@unaffiliated/testerbit] has left #openvpn []
20:34 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
20:36 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
20:39 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has quit [Ping timeout: 246 seconds]
20:40 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has joined #openvpn
20:40 < MrWhoo> I sent email to Ironsocket.com to let them know about the gateway problem :)
20:41 < MrWhoo> as for the routers, any better alternatives than DD-WRT / besides OpenWrt (no support)?
20:41 < pekster> Buy one that is supported, would be my suggestion
20:42 < pekster> Or some low profile/powerdraw mini/cube PC for a bit more computing power, and the possibility of AES-NI instructions if you want more performance
20:42 < MrWhoo> That is always an option, I have some other ones but looks like they just don't support Broadcom in general :(
20:42 < pekster> broadcom is well-known for not being friendly to open-source
20:42 < MrWhoo> :)
20:42 < pekster> Then again, so is dd-wrt, which is why hackers tend to avoid both
20:42 < MrWhoo> How about Raspberry PI with USB lan ?
20:43 < pekster> I've heard of that being done; the CPU on that thing is very minimal, but it seems to work for folks where performance isn't an issue
20:43 < pekster> Probably on-par with MIPS though
20:44 < MrWhoo> I see, I might look at PfSense boxes on ebay .. this all is really just something new to learn .. whole VPN
20:44 < MrWhoo> it's kinda cool to learn new stuff and be back on IRC, last time it was about 1997 :)
20:45 < MrWhoo> one more question, once I get the VPN sorted out and I connect to 2 providers
20:46 < MrWhoo> how can I use the "route" command to point traffic to tap0 and tap1
20:46 < MrWhoo> vpn_gateway = tap0 ?
20:46 < MrWhoo> I know that I can't use "dev tap1"
20:46 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 265 seconds]
20:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:48 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
20:48 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 265 seconds]
20:48 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Ping timeout: 265 seconds]
20:48 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 265 seconds]
20:49 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 244 seconds]
20:49 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Quit: Leaving]
20:50 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
20:52 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
20:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
20:52 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 244 seconds]
20:53 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds]
20:53 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:53 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
20:53 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
20:55 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
20:58 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:58 -!- mode/#openvpn [+o krzee] by ChanServ
20:58 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
21:00 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
21:02 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Remote host closed the connection]
21:02 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
21:07 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
21:07 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 245 seconds]
21:07 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 245 seconds]
21:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:10 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
21:13 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
21:13 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
21:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:15 -!- mode/#openvpn [+o syzzer] by ChanServ
21:15 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
21:25 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
21:27 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
21:30 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
21:30 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:30 -!- mode/#openvpn [+o syzzer] by ChanServ
21:35 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
21:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
21:43 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
21:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
21:47 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
21:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:49 -!- mode/#openvpn [+o syzzer] by ChanServ
21:50 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: Reconnecting]
21:51 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
21:56 -!- james41382 [~James@unaffiliated/james41382] has joined #openvpn
21:59 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
22:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
22:04 -!- james41382 [~James@unaffiliated/james41382] has quit [Quit: Leaving]
22:04 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
22:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:10 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
22:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:10 -!- mode/#openvpn [+o syzzer] by ChanServ
22:10 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
22:12 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:12 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
22:13 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Client Quit]
22:13 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
22:19 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:19 -!- james41382 [~james4138@gateway/vpn/privateinternetaccess/james41382] has joined #openvpn
22:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
22:24 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:25 -!- mode/#openvpn [+o syzzer] by ChanServ
22:28 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
22:28 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
22:31 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has quit [Ping timeout: 246 seconds]
22:41 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has joined #openvpn
22:42 < MrWhoo> @pekster are you still around ?
22:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
22:44 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
22:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:45 -!- mode/#openvpn [+o syzzer] by ChanServ
22:47 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 243 seconds]
22:47 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
22:51 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:52 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:57 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
22:57 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
22:58 -!- james41382 [~james4138@gateway/vpn/privateinternetaccess/james41382] has quit [Ping timeout: 244 seconds]
22:59 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
23:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:00 -!- mode/#openvpn [+o syzzer] by ChanServ
23:01 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:03 < hyper_ch> ecrist:
23:08 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:08 < svm_invictvs> Hello
23:09 -!- MrWhoo [4c0ab658@gateway/web/freenode/ip.76.10.182.88] has quit [Ping timeout: 246 seconds]
23:09 < svm_invictvs> So I fiddled with my configuration a bit more, removed all the stuff that seemed extraneous
23:11 < svm_invictvs> When it connects, this appears in the log
23:11 < svm_invictvs> http://mysticpaste.com/view/i5I8hcwTlY;jsessionid=1ukhe06f7vasca18nxq75i3ua?2
23:11 < svm_invictvs> And when I do tracert somehost it looks like it's routed not through the tunneled device
23:11 < svm_invictvs> Which is weird
23:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
23:14 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
23:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:15 -!- mode/#openvpn [+o syzzer] by ChanServ
23:17 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
23:26 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 244 seconds]
23:29 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
23:32 -!- ShadniX [dagger@p5481DB6D.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:33 -!- ShadniX [dagger@p579410E0.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:35 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
23:36 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
23:38 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has quit [Ping timeout: 244 seconds]
23:38 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has joined #openvpn
23:38 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
23:40 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
23:42 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
23:42 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
23:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
23:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:43 -!- mode/#openvpn [+o syzzer] by ChanServ
23:48 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
23:53 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
23:59 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
--- Day changed Wed Jan 14 2015
00:21 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
00:27 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
00:30 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
00:40 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
00:52 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
00:56 -!- mattock_afk is now known as mattock
00:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
01:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
01:06 -!- mode/#openvpn [+o syzzer] by ChanServ
01:12 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
01:12 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
01:14 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e051:1773:8bb:8586] has quit [Read error: Connection reset by peer]
01:14 -!- akamaru217 [~akamaru21@67.191.183.251] has joined #openvpn
01:18 -!- nullm0dem [~kaiju@ip24-254-180-150.rn.hr.cox.net] has joined #openvpn
01:19 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
01:22 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
01:23 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
01:24 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 244 seconds]
01:29 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
01:29 -!- mode/#openvpn [+o syzzer] by ChanServ
01:50 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has quit [Ping timeout: 244 seconds]
01:52 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
01:56 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
01:56 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
02:09 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
02:10 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
02:12 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:14 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:31 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
02:34 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:35 -!- mode/#openvpn [+o syzzer] by ChanServ
02:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
02:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:47 -!- mode/#openvpn [+o syzzer] by ChanServ
03:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
03:04 -!- Latrina [~Latrina@ppp-170-5.26-151.libero.it] has quit [Ping timeout: 255 seconds]
03:04 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:05 -!- mode/#openvpn [+o syzzer] by ChanServ
03:05 -!- Latrina [~Latrina@adsl-ull-159-179.50-151.net24.it] has joined #openvpn
03:10 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
03:20 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has quit [Ping timeout: 244 seconds]
03:26 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:50 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
03:56 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:00 -!- two_oes [orenoi@nat/redhat/x-giwjkmtizxwfigtu] has joined #openvpn
04:06 -!- nullm0dem [~kaiju@ip24-254-180-150.rn.hr.cox.net] has quit [Quit: Lost terminal]
04:20 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
04:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:27 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:35 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
04:37 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
04:41 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:41 -!- hypermist is now known as pcupgrades
04:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:42 -!- mode/#openvpn [+o syzzer] by ChanServ
04:44 -!- pcupgrades is now known as hypermist
04:52 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 244 seconds]
04:55 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
05:02 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
05:11 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 244 seconds]
05:17 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
05:26 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 240 seconds]
05:32 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
05:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:22 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has joined #openvpn
06:36 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
07:00 -!- two_oes [orenoi@nat/redhat/x-giwjkmtizxwfigtu] has quit [Quit: Leaving]
07:02 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
07:04 < hyper_ch> hi ecrist
07:14 -!- hypermist is now known as hypermistbot
07:14 -!- hypermistbot [hypermist@unaffiliated/hypermist] has quit [Changing host]
07:14 -!- hypermistbot [hypermist@unaffiliated/hypermist/bot/hypermistbot] has joined #openvpn
07:15 -!- hypermistbot is now known as uno
07:15 -!- uno is now known as hypermistbot
07:16 -!- hypermistbot is now known as UnoBot
07:16 -!- UnoBot is now known as hypermistbot
07:18 -!- hypermistbot is now known as unob0t
07:38 -!- unob0t is now known as hypermist
07:38 -!- hypermist [hypermist@unaffiliated/hypermist/bot/hypermistbot] has quit [Changing host]
07:38 -!- hypermist [hypermist@unaffiliated/hypermist] has joined #openvpn
07:49 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:13 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 256 seconds]
08:17 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
08:19 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
08:20 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:25 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
08:37 -!- u0m3 [~u0m3@92.80.89.9] has joined #openvpn
08:37 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:49 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: leaving]
09:00 <@ecrist> hyper_ch: what did you need yesterday?
09:00 <@ecrist> you asked me to ping you
09:01 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
09:03 < hyper_ch> could you give me one of those awesome openvpn cloaks?
09:03 < hyper_ch> I was told you're the Master of Cloaks
09:04 <@ecrist> oh, yeah, I am.
09:05 <@ecrist> what cloak do you want?
09:06 < hyper_ch> what cloaks can I have?
09:06 < esde> I too am interested
09:06 < hyper_ch> esde: you need to be registered for at least 8 years on freenode to get one....
09:06 <@ecrist> openvpn/user/ we give to anyone
09:07 < hyper_ch> sounds good :)
09:07 <@ecrist> support folks get openvpn/community/support/
09:07 <@ecrist> ok, esde, you want a user cloak as well?
09:07 < esde> please
09:12 < hyper_ch> do I need to reconnect?
09:12 < hyper_ch> if ecrist handles the cloaks, who handles the daggers?
09:13 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
09:14 <@ecrist> working on it now, folks
09:14 < esde> i do
09:14 * esde shanks hyper_ch
09:14 -!- esde [~esde@unaffiliated/esde] has quit [Changing host]
09:14 -!- esde [~esde@openvpn/user/esde] has joined #openvpn
09:14 -!- mode/#openvpn [+v esde] by ChanServ
09:15 < hyper_ch> ecrist just offloads the cloaking work to others....
09:15 -!- hyper_ch [~hyper_ch@unaffiliated/hyper-ch/x-5230410] has quit [Changing host]
09:15 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
09:15 -!- mode/#openvpn [+v hyper_ch] by ChanServ
09:18 <+hyper_ch> shanks? as in Red-hair Shanks?
09:32 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
09:33 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 272 seconds]
09:50 < masterkorp> https://www.ab9il.net/crypto/openvpn-cloaking.html
09:50 <@vpnHelper> Title: OpenVPN Cloaking (at www.ab9il.net)
09:51 < masterkorp> can anyone explain this line to me: route your.vpn.server’s.IP 255.255.255.255 net_gateway
09:51 < masterkorp> why is needed on that article ?
09:55 <@ecrist> because they're not using the def1 option
09:55 <@ecrist> !def1
09:55 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
09:55 <@ecrist> if you route ALL, that will lump your local path to your VPN server over itself, which doesn't work. It's like a snake eating its own tail.
09:55 < masterkorp> ecrist: so it's basically to access the internet through the gateway?
09:55 <@ecrist> kinda, almost
09:56 <@ecrist> it's so your openvpn connection, itself, still goes over the internet (and knows how to) but your other traffic will all try to use the VPN.
09:56 < masterkorp> I am currently having a problem on the VPN server connecting back to the client through obfsproxy
09:58 < masterkorp> just posted to the OpenVPN forums
10:00 < masterkorp> waiting approval
10:05 -!- MrSparkle [~MrSparkle@cpe-74-69-103-73.rochester.res.rr.com] has left #openvpn []
10:12 <@ecrist> I'll approve it now.
10:12 < masterkorp> thanks !
10:13 < masterkorp> Of all the searches I did, I could not find anyone with the same problem
10:13 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
10:19 -!- l3g3nd [~l3g3nd@unaffiliated/l3g3nd] has joined #openvpn
10:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:20 < l3g3nd> !welcome
10:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:20 < l3g3nd> !goal
10:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:21 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
10:23 < l3g3nd> alright, i'm attempting to assign static ip addresses on connection to my vpn server. i have to use 'client-cert-not-required' and 'username-as-common-name'. I have a 'ccd' directory with usernames that are used for login (I use PAM), but I keep getting handed dynamic ips
10:23 < masterkorp> deep packet inspection
10:23 < masterkorp> https://forums.openvpn.net/topic17960.html
10:23 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN and obfsproxy : Server Administration (at forums.openvpn.net)
10:24 < masterkorp> shameless link for help
10:24 < masterkorp> :)
10:25 < l3g3nd> i'm not sure that's what is going on...
10:26 < l3g3nd> i don't have any need for proxies and avoiding censorship, so i'm not sure what to pull from that
10:29 < masterkorp> Deep packet Inspection
10:29 < masterkorp> aka some countries that block OpenVPN traffic based on this technique
10:31 <+hyper_ch> blocking openvpn is just plain evil
10:34 < masterkorp> "If we can't see what you're doing, then you're not doing anything."
10:34 < masterkorp> i would love some insight please
10:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:50 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
11:00 -!- l3g3nd [~l3g3nd@unaffiliated/l3g3nd] has left #openvpn ["and suddenly, boredom overtook me"]
11:03 -!- moparsthbest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
11:04 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:11 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
12:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:12 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:16 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:33 -!- hypermist is now known as pcupgrades
12:35 < masterkorp> https://community.openvpn.net/openvpn/wiki/325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port
12:35 <@vpnHelper> Title: 325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port – OpenVPN Community (at community.openvpn.net)
12:35 < masterkorp> hmmmm
12:36 < masterkorp> i want to use single TCP port
12:46 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
12:47 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
12:49 < masterkorp> ok, I found why the proxy wasn't workingggg
12:50 < masterkorp> obfsproxy needs to be running on the same machine as the vpn server
13:01 -!- intransit [~intransit@69.46.234.21] has joined #openvpn
13:01 < intransit> !welcome
13:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:01 < intransit> !goal
13:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:03 < intransit> I have an openvpn server running in EC2. I can connect to the VPN successfully, but once I'm connected I can't connect to instances inside of my VPC unless I open up port 22 to everything, which implies to me that I'm not picking up the local IP to be allowed by my security groups. How can I troubleshoot that I'm picking up the correct VPN IP?
13:03 < intransit> My local IP doesn't change from a corp network to the local IP when I'm attached to the VPN.
13:03 < intransit> !route
13:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:03 <@vpnHelper> client
13:25 <+hyper_ch> krzee: why does systemd need ip forwarding, ip masquerading and other firewall stuff?
13:28 <+hyper_ch> krzee: http://falkvinge.net/2015/01/14/hilarious-activists-turn-tables-on-political-surveillance-hawks-wiretaps-them-with-honeypot-open-wi-fi-at-security-conference/
13:28 <@vpnHelper> Title: Hilarious: Activists Turn Tables On Political Surveillance Hawks, Wiretap Them With Honeypot Open Wi-Fi At Security Conference - Falkvinge on Infopolicy (at falkvinge.net)
13:41 -!- ImDevinC [~ImDevinC@c-50-188-37-42.hsd1.mn.comcast.net] has joined #openvpn
13:42 < ImDevinC> !welcome
13:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:42 < ImDevinC> !route
13:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:42 <@vpnHelper> client
13:43 -!- ImDevinC [~ImDevinC@c-50-188-37-42.hsd1.mn.comcast.net] has left #openvpn []
13:51 -!- intransit [~intransit@69.46.234.21] has quit [Ping timeout: 264 seconds]
13:55 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 245 seconds]
13:55 < hydrajump> in order to write an ubuntu indicator to show the connection status on an openvpn client I need to use the management interface and get the connection status via telnet is that correct?
13:57 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
13:59 <+hyper_ch> why not just check if the tun device is listed in ifconfig ?
14:04 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
14:08 < hydrajump> hyper_ch: that's a good idea thanks
14:08 < ayaka> When and where should I use DIT Content Rules? I think the object class has already defined the MUST fields
14:08 < ayaka> I don't think I could add a new attribute to an object class if it is not in MUST or MAY?
14:10 <+hyper_ch> hydrajump: there's probably better ways.... but that should work.. depends what you all want to do
14:26 -!- Manis [~Manis@gateway/tor-sasl/manis] has joined #openvpn
14:49 -!- mattock is now known as mattock_afk
15:11 -!- yeik [~jeff@2601:7:6881:4700:15f5:9d14:7a65:6827] has joined #openvpn
15:12 < yeik> Question for everybody here, has anybody seen performance issues with the windows openvpn client?
15:12 < yeik> by about 4x slower?
15:19 -!- You're now known as resource
15:19 <+hyper_ch> no
15:22 < yeik> so is there a configuration difference that would need to be done between windows and linux to get them to run at the same speeds? I have identical openvpn client configs for windows and linux, connecting to the same box, doing identical things, linux speed is about the same with and without openvpn, windows with vpn is 4x slower than without openvpn
15:22 < yeik> using aes-256-cbc encryption
15:23 <+hyper_ch> why not just upgrade to linux?
15:24 < yeik> that isn't really an option.
15:24 <+hyper_ch> it's a real option... maybe just not a comfortable one
15:25 < yeik> maybe i should say that really isn't an optioin
15:25 < yeik> option*
15:25 < yeik> and no, it isn't a real option, not possible for an option in my use case.
15:29 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has joined #openvpn
15:52 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
15:55 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
16:09 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has quit [Quit: Leaving]
16:19 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:33 -!- _FBi [~B@Aircrack-NG/User] has quit [Excess Flood]
16:34 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
16:35 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:54 -!- yeik [~jeff@2601:7:6881:4700:15f5:9d14:7a65:6827] has quit [Ping timeout: 245 seconds]
17:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:05 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
17:22 -!- Exagone313 [exa@ewd.ovh] has quit [Remote host closed the connection]
17:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
17:26 < zoredache> Have you done any performance monitoring on the Windows box to see if you can get any ideas why it is slower for you? Is a CPU core maxing out or something.. Is OpenVPN using a lot of RAM.
17:26 < zoredache> If that doesn't lead anywhere, then fireup your favorite packet capture tool and see if you can see any obvious errors related to the VPN or something.
17:30 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
17:40 -!- swebb [~swebb@8.36.226.184] has quit [Remote host closed the connection]
17:43 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
17:48 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
17:50 -!- Manis [~Manis@gateway/tor-sasl/manis] has quit [Remote host closed the connection]
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:08 <@krzee> hyper_ch, i dont understand your question
18:19 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
18:41 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Remote host closed the connection]
18:45 -!- pcupgrades is now known as hypermist
18:48 -!- dvl_ [~dvl@freebsd/developer/dvl] has joined #openvpn
18:53 -!- deskjob [b32b8502@gateway/web/freenode/ip.179.43.133.2] has joined #openvpn
19:04 < deskjob> hello
19:05 < deskjob> I am having tls handshake failures and I have no idea why
19:05 <+esde> !logs
19:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:05 <+esde> !configs
19:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:06 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
19:11 < deskjob> sorry
19:11 < deskjob> thanks esde
19:12 < deskjob> https://pastee.org/vzpd
19:12 < deskjob> https://pastee.org/es4ht
19:12 < deskjob> https://pastee.org/2vccv
19:13 <@krzee> log from other side?
19:13 <@krzee> also, use verb 5 on both sides and repaste please
19:13 <+esde> mtu looks odd to me. 1570 and 1500??
19:13 < deskjob> I didn't realize I could use verb 5
19:14 < deskjob> is that the most verbose?
19:14 <+esde> 9000
19:14 <@krzee> verb can be higher than 5, please dont use higher than 5 for this post
19:14 <@krzee> you'll likely never ever need more than 5 (i never have)
19:15 <@krzee> higher than 5 is for devs
19:15 < deskjob> 3 is fine for me, but this is nice to know
19:15 < deskjob> thank you
19:15 <+esde> . .
19:15 <@krzee> 3 is not fine right now
19:15 <@krzee> need 5
19:15 < deskjob> by other side, do you mean windows?
19:16 <@krzee> 3 is for everyday usage, 5 for debugging where firewall could be at fault
19:16 <@krzee> im guessing yes, but my crystal ball is broken so i dont know if you're using windows on the other side
19:16 <@krzee> !crystal
19:16 < deskjob> I am trying to connect a windows desktop to a debian server
19:16 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
19:16 < deskjob> sorry
19:16 <@krzee> no problem ;]
19:18 <@krzee> esde, ya that mtu thing looks weird to me too, not sure what it really means, but since it is output from before a client even tried to connect i figure it's safe to ignore
19:22 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:23 -!- deskjob [b32b8502@gateway/web/freenode/ip.179.43.133.2] has quit [Ping timeout: 246 seconds]
19:27 -!- dvl_ [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
19:34 -!- deskjob [b32b9442@gateway/web/freenode/ip.179.43.148.66] has joined #openvpn
19:34 < deskjob> sorry, I got disconnected
19:34 -!- dvl_ [~dvl@freebsd/developer/dvl] has joined #openvpn
19:38 < deskjob> I don't see any difference with verb 5 on except for the tail end of the negotiation
19:38 < deskjob> https://pastee.org/tnmha
19:38 < deskjob> but it makes no sense to me
19:41 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
19:42 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
19:43 -!- dvl_ [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
19:44 < deskjob> here is the windows log https://pastee.org/2r8cj
19:44 < deskjob> do you see anything I am missing esde?
19:46 -!- dvl_ [~dvl@freebsd/developer/dvl] has joined #openvpn
19:52 < deskjob> krzee?
19:57 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has left #openvpn ["Leaving"]
19:59 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
20:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
20:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:24 -!- MrWhoo [b8af07c1@gateway/web/freenode/ip.184.175.7.193] has joined #openvpn
20:24 < MrWhoo> hello @ll
20:25 < MrWhoo> perkster are you around ?
20:27 < MrWhoo> anyone familiar with "route" - it does use "vpn_gateway" alias ... and "net_gateway"
20:28 < MrWhoo> and it works but what if I have second tunnel on tap0 how can I route that ?
20:28 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
20:31 -!- david_dionne [32820fab@gateway/web/freenode/ip.50.130.15.171] has joined #openvpn
20:31 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
20:32 < david_dionne> greetings
20:32 < david_dionne> anyone up for chatting about running layer 2 mode?
20:33 < david_dionne> i connect but im not seeing any bootpc or bootps frames
20:33 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
20:33 < phix> local/remote TLS keys are out of sync
20:34 < phix> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20:34 < david_dionne> iptables shows a filter input for 67 and 68 on interface virbr0
20:34 < david_dionne> thanks phix, how can i fix that?
20:35 < david_dionne> reinstall the client?
20:36 < phix> TLS Error: TLS handshake failed
20:36 < phix> david_dionne: i just joined, that is the error i am getting
20:37 < david_dionne> OHHHH, im sorry man
20:37 < phix> the time is synced, the ports are not being filtered
20:38 < david_dionne> do you get this error with both tcp and udp?
20:41 < david_dionne> i looked that up and it sounds like 99% of the time, that error is associated with udp
20:41 < david_dionne> if ur using udp (1194), try switching to tcp just as a test
20:44 -!- david_dionne [32820fab@gateway/web/freenode/ip.50.130.15.171] has quit [Quit: Page closed]
20:46 -!- dvl_ is now known as dvl
20:49 <@krzee> deskjob, you didnt use verb 5 on EITHER log
20:49 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
20:50 < deskjob> krzee yes sir I did
20:51 <@krzee> that log was not verb 5
20:51 <@krzee> nor was the first one
20:51 < deskjob> https://pastee.org/zctd2
20:52 < deskjob> same verb 5 for server conf
20:52 < MrWhoo> I'm trying to establish two OpenVPN tunnels on a MIPS device; as soon as I start the second one, the 1st gets killed ?
20:52 < MrWhoo> any ideas
20:52 <@krzee> deskjob, now start the client over again, and paste the new log
20:52 <@krzee> i just saw the re-paste of server log, that was verb 5 =]
20:52 < deskjob> I restarted openvpn on my server, but not the client
20:53 < deskjob> didn't think restarting the gui would matter
20:53 <@krzee> well when you update configs you must restart the process to read the new config
20:53 <@krzee> didnt need to restart the gui, needed to restart the vpn from within the gui
20:53 <@krzee> but ya, restarting the gui works too
20:53 <@krzee> (assuming your vpn process was started via gui)
20:56 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
20:58 < deskjob> krzee: https://pastee.org/b9g7q
20:58 < deskjob> that is my client
20:58 < deskjob> the only differences I see is all of those WW
20:59 <@krzee> windows firewall (or some other filtering software on that machine) is your problem
20:59 < deskjob> the server log shows W and R
20:59 <@krzee> turn off windows firewall on your tap device
21:00 < deskjob> windows firewall is completely turned off
21:00 < deskjob> comodo is in use
21:00 <@krzee> well something is blocking packets on the tap device.
21:00 < deskjob> openvpn gui and .exe is approved
21:05 < deskjob> well I just allowed every file in the openvpn bin directory, and I still cannot connect
21:06 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has joined #openvpn
21:06 < Dougy> stupid auto rejoin didnt work
21:06 * Dougy grunts
21:06 < deskjob> krzee: my vpn service works fine
21:06 < deskjob> >.>
21:07 < deskjob> I have been trying to figure this out for days
21:07 <@krzee> congrats
21:07 < Dougy> helo krzee
21:07 < Dougy> or, hello too
21:07 <@krzee> sup Dougy
21:07 < Dougy> helo dougy
21:07 <@krzee> how you doing
21:07 < Dougy> rcpt to:krzee
21:07 < Dougy> i am ok
21:07 < Dougy> i guess
21:07 < deskjob> krzee: no I meant my paid service works fine, but openvpn is still doing that
21:07 < Dougy> how are you
21:08 * Dougy is upgrading xenservers
21:08 <@krzee> deskjob, fix your packet filter!
21:08 <@krzee> :/
21:08 < deskjob> I don't know what more I can do
21:08 <@krzee> you're messing with "allowing files" after i told you that something is blocking your packets on the windows machine
21:08 <@krzee> an anti-virus or something else that filters packets
21:09 <@krzee> i cant help you with your windows setup, but its that.
21:09 < deskjob> I allowed all files in the bin directory in kaspersky too
21:09 <@krzee> its not a matter of allowing files
21:09 <@krzee> lol
21:09 < deskjob> I don't know what else I can do
21:09 < Dougy> turn it off
21:09 < Dougy> temporarily
21:09 <@krzee> how do you hear "allow files" when i say "stop filtering internet"
21:10 < deskjob> you want me to turn my firewall off completely?
21:10 <@krzee> or get an OS that you understand?
21:10 <@krzee> openvpn is not your problem
21:11 <@krzee> your packet filtering in windows is your problem.
21:11 < deskjob> why isn't it filtering my paid vpn service which is also using openvpn?
21:12 <@krzee> !crystal
21:12 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
21:12 <@krzee> i can see your issue, not your non-issues
21:12 < deskjob> well I turned off anti-virus and my firewall
21:12 < deskjob> idk what else could be blocking packets
21:13 <@krzee> me neither, but your server is receiving and responding to packets, and your client is only sending, no receiving
21:13 <@krzee> W is write, R is read
21:13 < deskjob> I figured that
21:14 <@krzee> Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
21:15 <@krzee> !learn verb5 as the WRWRwrwr is explained in !man at --verb : Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
21:15 <@vpnHelper> Joo got it.
21:17 < Dougy> krzee: can i has my ops back? :D
21:18 < deskjob> well, thank you krzee
21:18 < deskjob> but this is insane
21:18 < Dougy> hmm online pfsense university is online now, neato
21:18 -!- mode/#openvpn [+o Dougy] by krzee
21:18 <@krzee> Dougy, www.coursera.org
21:18 < deskjob> the windows firewall is off, my firewall is off, no anti-virus is on, yet it's still screwed
21:18 < deskjob> >.>
21:19 <@Dougy> krzee: im decently versed in pfsense
21:19 <@krzee> deskjob, break out wireshark and do some packet dumps, something somewhere is blocking stuff
21:19 <@Dougy> just got an email bout it
21:19 <@krzee> Dougy, unrelated to the link i gave… the link i gave is university classes from all over about all sorts of stuff
21:20 <@krzee> im currently taking cryptography 1 from stanford
21:20 <@krzee> also took a python class and surveillance law
21:20 <@krzee> great stuff!
21:20 < deskjob> all free?
21:21 <@Dougy> krzee: awesome
21:21 <@Dougy> that's pretty leet
21:21 <@krzee> yes, all free
21:21 <@Dougy> every time i hear the phrase patriot act, i think of you krzee
21:21 < deskjob> nice
21:21 <@krzee> well you can pay if you like, if you want to prove you took it and whatnot
21:21 < deskjob> lol
21:21 < deskjob> why?
21:21 <@krzee> personally im just there for the knowledge so i take it free
21:23 < deskjob> well, hopefully I can figure this out
21:23 < deskjob> thanks for the help krzee
21:23 < deskjob> I'll probably be back, wish me luck
21:24 <@krzee> gl
21:24 < deskjob> thank you to esde
21:24 < deskjob> *too
21:24 < deskjob> have a good night krzee
21:24 <@krzee> thanks i will, you do the same
21:25 <@krzee> first night of vacation and im in vegas… i'll be fine :D
21:27 <@Dougy> krzee: welcome back to the continental US
21:27 <@Dougy> but i must ask
21:27 <@Dougy> what the hell are you doing in here, if you are in Vegas
21:27 <@krzee> thx
21:27 * Dougy smacks krzee around with a large trout
21:27 <@krzee> i been to vegas way too much to make it a big deal
21:27 <+esde> good luck deskjob!
21:27 <@krzee> im just passing through on my way to california
21:27 <@Dougy> o
21:27 <@Dougy> whats there? 420?
21:27 <@Dougy> err, business?
21:27 <@krzee> just people i know
21:28 <@Dougy> ah
21:28 <@krzee> i should prolly call for some 420 tho
21:28 <@Dougy> are you still in island paradise usually?
21:28 <@krzee> yes
21:28 <@Dougy> one of my dudes moved to St Croix last week
21:28 <@Dougy> well, i call her my dude. because she is a lesbian and sits around with us and drinks budweiser in wifebeaters
21:28 * Dougy wnats to go visit
21:28 <@Dougy> wants
21:29 -!- deskjob [b32b9442@gateway/web/freenode/ip.179.43.148.66] has quit [Ping timeout: 246 seconds]
21:32 -!- swebb_ [~swebb@8.36.226.184] has joined #openvpn
21:34 -!- swebb [~swebb@8.36.226.184] has quit [Quit: ZNC - http://znc.in]
21:34 -!- swebb_ is now known as swebb
21:36 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
21:36 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
21:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:59 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
22:01 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:01 -!- mode/#openvpn [+o syzzer] by ChanServ
22:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:31 -!- MrWhoo [b8af07c1@gateway/web/freenode/ip.184.175.7.193] has quit [Ping timeout: 246 seconds]
23:04 <+hyper_ch> krzee: just read that systemd got basic firewall functions and stuff... and I wonder why an init system needs that
23:05 <@krzee> prolly better for #ubuntu no idea
23:07 <@krzee> you might like uselessd
23:07 <@krzee> https://en.wikipedia.org/wiki/Systemd#Forks_and_alternative_implementations
23:07 <@vpnHelper> Title: systemd - Wikipedia, the free encyclopedia (at en.wikipedia.org)
23:07 <@krzee> In 2014, uselessd, a lightweight fork of systemd was created. The project seeks to remove features and programs deemed unnecessary for an init system, increase implementation modularity, improve portability across platforms, as well as address other perceived faults.
23:08 <+hyper_ch> krzee: :)
23:09 <@krzee> Dougy, got my herb getting delivered :D
23:09 <@krzee> you know how krzee rolls!
23:09 <@krzee> !krzee
23:09 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
23:09 <@krzee> oh god lol i still havnt put that webserver back up
23:10 <@krzee> i should do that sometime lol
23:14 -!- car [~car@101.98.155.139] has joined #openvpn
23:15 < car> !welcome
23:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
23:15 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:19 < car> Hi. Does openvpn use DH for key exchange (and only DH)? So certificates are "only" for authentication? Or does openvpn use certificates (public key) for key exchange as well, when the session renews?
23:19 <+esde> !keys
23:19 <@vpnHelper> "keys" is http://openvpn.net/howto#pki
23:19 < car> !keys
23:19 <@vpnHelper> "keys" is http://openvpn.net/howto#pki
23:20 < car> thx
23:21 < KavanS> !hotwo
23:21 < KavanS> !howto
23:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
23:31 -!- ShadniX [dagger@p579410E0.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:31 < car> ok. as far as i understand, key exchange is done by DH. And only by DH. Even if the session is renewed, key exchange is done by DH. That implies that Openvpn does not work without DH - Except if you're using a static key?
23:33 -!- ShadniX [dagger@p5481D726.dip0.t-ipconnect.de] has joined #openvpn
23:33 < car> (or if you skip encryption at all)
23:37 <@krzee> car, you are correct
23:37 < car> krzee, cool thank you
23:38 <@krzee> yw
23:38 <@krzee> any specific reason you were wondering?
23:38 < car> no, just a technical question :)
23:38 <@krzee> cool
23:38 <@krzee> more in depth answers may come from syzzer if he has anything to add
23:39 <@krzee> and if he says im wrong, then i am ;]
23:39 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 245 seconds]
23:40 < car> so the "only" reason for using DH is PFS. Otherwise i could use cert+key for key exchange. i guess.
23:41 <@krzee> but theres no setting to do that
23:41 <@krzee> or you're designing a crypto system?
23:42 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Quit: Turning IRC client off]
23:42 < car> yes true there is no setting. and no i am not designing a crypto system, which would be a bad idea , i think
23:43 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
23:43 < car> krzee, thank you again ;-)
23:43 <@krzee> yw
23:45 <@krzee> "That implies that Openvpn does not work without DH - Except your using a static key?"
23:46 <@krzee> i understood what you meant. it was "openvpn in server mode while using encryption does not work without dh"
23:49 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
23:53 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 245 seconds]
23:55 < KavanS> I've got 2 subnets, on 1 side of my VPN. I'd like 1 subnet to act normally, using default gateway....the other subnet I'd like to redirect gateway to other side of VPN. Any suggestions?
23:55 < KavanS> all linux of course
23:57 < KavanS> in abstract, I'd like to "take everything from 192.168.5.x and throw it over the VPN as default gw, my regular subnet 192.168.4.x, I want to act normal sending traffic over the local default gateway"
23:58 < KavanS> any links/docs would be awesome. I've read the howto and am not finding anything on this adv. routing topic
23:59 <+hyper_ch> so the vpn server run on 192.168.5.1?
--- Day changed Thu Jan 15 2015
00:00 < KavanS> vpn server 1 has two subnets, 192.168.5.1/192.168.4.1 on eth0 and eth0:0 respectively
00:00 <+hyper_ch> !lans
00:00 <@vpnHelper> "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:00 < KavanS> I'd like to take one of those subnets (192.168.5.x) and force it over the tunnel, using the remote eth0 as my exit point
00:00 < KavanS> well...not sure if that will do it, but I'll read now
00:01 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
00:02 < KavanS> yeah that doesn't help
00:02 < KavanS> routing isn't the issue...
00:02 < KavanS> at least I don't think so...
00:02 < KavanS> I need to redirect everything headed to 192.168.5.1 (default gateway for the 192.168.5.x subnet)
00:02 < KavanS> and throw it over the VPN, and pipe it out eth0 on vpn server 2
00:03 <+hyper_ch> !def1
00:03 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
00:04 < KavanS> ok
00:04 < KavanS> still don't think that will help...
00:04 <+hyper_ch> I have no idea what you're trying to do
00:05 < KavanS> I only want 1 single subnet on vpn server 1, to have redirect default gw
00:05 < KavanS> I don't want it to apply for the other subnet
00:05 <+hyper_ch> not getting what you want
00:05 < KavanS> basically anything on X subnet goes over VPN, everything on Y subnet stays on LAN uses normal ISP default gateway
00:06 <+hyper_ch> but it's way too early here anyway
00:06 < KavanS> same LAN, same physical hardware
00:06 < KavanS> just different subnets :)
00:06 < KavanS> I want redirect-gateway to only apply to 1 subnet
00:07 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
00:07 < KavanS> so I might have my question incorrectly formed
00:07 < KavanS> I want the source subnet to define which gateway it goes to
00:17 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 245 seconds]
00:18 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 264 seconds]
00:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
00:19 <@krzee> thats called policy routing
00:19 < KavanS> there we go...
00:19 <@krzee> !factoids search --values policy
00:19 <@vpnHelper> 'policy', 'someclient2client', 'win2k8', 'current', 'policy', 'lartc', 'routebyapp', 'iptables', 'redirect-policy', and 'lartc'
00:19 < KavanS> sorry I'm an idiot.
00:20 <@krzee> !redirect-policy
00:20 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
00:20 <@krzee> !lartc
00:20 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
00:20 <@krzee> there ya goes
00:20 < KavanS> thanks for the direction krzee, searching now. definitely appreciate
00:20 <@krzee> yw
00:20 <@krzee> in linux thats ip route + ip rule
00:20 <@krzee> in freebsd you'll need multiple routing tables (enabled in kernel) and use setfib
00:21 <+hyper_ch> sounds easier on linux
00:21 <+hyper_ch> and I still don't get what he wants though
00:21 <@krzee> he wants routing to take source address into account
00:22 <+hyper_ch> ah
00:22 <@krzee> so 2 packets going to same destination from different source can go to different gateways
00:22 <@krzee> aka, policy routing
00:22 <+hyper_ch> why didn't he say so?
00:22 <@krzee> he did
00:22 <@krzee> " I want the source subnet to define which gateway it goes to"
00:22 <@krzee> thats all i saw, all i needed to see
00:22 <+hyper_ch> well, you're the smart one regarding routing and stuff
00:23 <@krzee> plus my weed just arrived
00:23 <+hyper_ch> I just see packets entering the router and exiting it somewhere :)
00:23 <+hyper_ch> pretty sure it's medical weed, right?
00:24 <@krzee> nah
00:24 <+hyper_ch> you're supposed to answer with yes ;)
00:24 <+hyper_ch> anyway, gotta go to work
00:28 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
00:29 <@krzee> hyper_ch, well i am medical, but thats in california
00:29 <@krzee> im currently in vegas
00:30 <@krzee> it was dropped off by a friend, he was nice enough to come like 30min out of his way to drop it off, you *know* he got a nice tip ;]
00:33 <@krzee> i've had my medical in california since the 90s
00:33 <@krzee> cause thats how krzee rolls ;]
00:34 <@krzee> oh KavanS you can also mark things in the firewall for policy routing, so you can even route by app
00:35 <@krzee> or port
00:35 <@krzee> or whatev
00:37 < KavanS> nice
00:37 < KavanS> reading now on iproute2, definitely the way to go
00:37 <@krzee> yepyep
00:37 < KavanS> thanks for the pro tips, I'm sure I'll be back during testing :)
00:38 <@krzee> no problem, you will find #networking helpful as well
00:38 < KavanS> I'll pop in there now, bam
00:39 <@krzee> but for now
00:39 <@krzee> did you setup redirect-gateway first and get it working, then simply remove the call for redirect-gateway?
00:39 <@krzee> because if not, you should. you need to do as much separately as possible
00:40 < KavanS> yep
00:40 < KavanS> already tested
00:40 <@krzee> oh you did, nice
00:40 <@krzee> proceed ;]
00:40 < KavanS> I've got nat working
00:40 < KavanS> so we're good :)
00:42 <@krzee> i have an openwrt setup which joins 2 lans, has 2 gateways, routes 1 lan out a gateway on the other lan and vice versa, runs an openvpn server on 2 addresses with --multihome
00:42 <@krzee> so imagine my policy routing craziness
00:44 <@krzee> oh and it sometimes needs to nat some addresses, and other times needs to not nat those same addresses :D
00:45 <@krzee> once i got that all working, i got another identical router and cloned the thing for a cold spare, i am *NOT* doing that again from scratch
00:49 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has joined #openvpn
00:50 < Nothing_Much> I'm a bit frustrated trying to get OpenVPN working on Ubuntu 14.10
00:50 <+hyper_ch> so, NV allows gambling but not medical treatment and CA allows medical treatment but not gambling?
00:50 < Nothing_Much> It pops up immediately after clicking to connect to the vpn: "The VPN connection [connection] failed"
00:50 < Nothing_Much> Can I get some help?
00:51 < Nothing_Much> !welcome
00:51 <+hyper_ch> do you want always to establish the vpn connection?
00:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
00:51 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:51 < Nothing_Much> !howto
00:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:52 -!- mattock_afk is now known as mattock
00:52 <+hyper_ch> krzee: so, NV allows gambling but not medical treatment and CA allows medical treatment but not gambling?
00:52 <+hyper_ch> Nothing_Much: do you want always to establish the vpn connection?
00:53 <@krzee> hyper_ch, actually theres tons of casinos in california, they're all over
00:53 < Nothing_Much> hyper_ch: Yeah, mostly for privacy concerns and stuff
00:53 <@krzee> they are "indian casinos"
00:53 <@krzee> but they are everywhere
00:53 <+hyper_ch> Nothing_Much: then why not install openvpn client and make a client.conf in /etc/openvpn/ ?
00:53 <+hyper_ch> krzee: but thats sovereign territory or something, right?
00:53 <@krzee> or something
00:53 < Nothing_Much> I don't have my own rented server, I'm using a website's free vpn
00:54 <@krzee> https://en.wikipedia.org/wiki/List_of_casinos_in_California
00:54 <@vpnHelper> Title: List of casinos in California - Wikipedia, the free encyclopedia (at en.wikipedia.org)
00:55 <+hyper_ch> "card room"
00:55 <+hyper_ch> Nothing_Much: better go the .conf file route
00:55 <+hyper_ch> IMHO
00:56 < Nothing_Much> hyper_ch: That doesn't work either
00:56 <+hyper_ch> !configs
00:56 < Nothing_Much> Hang on, lemme get the error message again
00:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
00:57 <+hyper_ch> krzee: btw, you saw the thing about the snom security issue?
00:57 <@krzee> hyper_ch, ya its just the web interface bugs
00:57 <@krzee> probably some of the ones i found ;]
00:57 <+hyper_ch> :)
00:57 <@krzee> either way, nothing new
00:57 <@krzee> just disable the web interface like i do
00:57 <+hyper_ch> probably not a big deal if you're properly nated...
00:57 <@krzee> screw that, still a big deal imo
00:58 <@krzee> easily rootable and unless you are also in it you will NEVER know im in it
00:58 <+hyper_ch> :) they have new firmware that fixes it but without openvpn client
00:58 <@krzee> perfect place to hide
00:58 <@krzee> i stopped upgrading my firmware long ago
00:58 <+hyper_ch> do you auto provision the SNOMs incl. openvpn config and stuff?
00:58 <@krzee> they broke other stuff before that
00:58 <@krzee> i auto do EVERYTHING
00:58 < Nothing_Much> Error: private key password verification failed ?
00:59 <+hyper_ch> I still can't figure out how to auto provision those
00:59 <@krzee> including in android flashing the recovery, rom, installing and configuring apps etc
00:59 <@krzee> no touch
00:59 <@krzee> my partner builds our phones, hes a lawyer not a tech
01:00 <+hyper_ch> what do lawyers know about tech anyway?
01:00 <+hyper_ch> Nothing_Much: sounds like you need to provide a password?
01:00 <@krzee> he plugs things in and watches it autosense and setup the device, tests it, ships
01:00 <+hyper_ch> and you're sure he's a lawyer?
01:00 < Nothing_Much> hyper_ch: I was told to leave the private key password blank
01:00 <@krzee> hes also a long time close friend of mine
01:00 <+hyper_ch> told by whom and where?
01:01 <+hyper_ch> (he's a close friend until he'll give you his bill)
01:01 <@krzee> has Nothing_Much posted configs or logs or anything?
01:01 <+hyper_ch> no
01:02 <+hyper_ch> krzee: [07:58] Error: private key password verification failed ?
01:02 < Nothing_Much> I got the config from http://www.vpnbook.com/ , it's the .ovpn file, right?
01:02 <@vpnHelper> Title: Free VPN 100% Free PPTP and OpenVPN Service (at www.vpnbook.com)
01:02 <@krzee> Nothing_Much, try starting openvpn by hand not using the linux scripts
01:02 <@krzee> Nothing_Much, ps auxw|grep vpn
01:02 <@krzee> are any openvpn processes running?
01:03 <+hyper_ch> Nothing_Much: just rename it to xxxx.conf and put it into /etc/openvpn/
01:03 <@krzee> yes its the .ovpn file, i assume you made it .conf now tho
01:04 <@krzee> .ovpn is the windows file extension but the linux startup scripts are set to start every *.conf in /etc/openvpn/
01:04 < Nothing_Much> ohh
01:05 <@krzee> but when you start it with those scripts you lose things like the ability to interactively type in the password
01:05 <@krzee> !factoids search --values *.conf
01:05 <@vpnHelper> No keys matched that query.
01:05 <@krzee> !learn extension as .ovpn is the windows file extension for openvpn configs
01:05 <@vpnHelper> Joo got it.
01:05 <@krzee> !learn extension as the linux startup scripts are set to start every *.conf in /etc/openvpn/
01:05 <@vpnHelper> Joo got it.
01:06 < Nothing_Much> hang on a second
01:07 < Nothing_Much> http://pastie.org/private/auzyy1jtyfdktufa8cew
01:07 < Nothing_Much> won't work even with the terminal :\
01:09 < Nothing_Much> should I get rid of the --ip-win32?
01:10 <@krzee> post the config
01:11 < Nothing_Much> http://pastie.org/private/gyvdsjvg2jhae7gu9v2azw krzee
01:15 <@krzee> i dont even see ip-win32
01:15 <@krzee> and now delete that
01:15 <@krzee> and go get another
01:15 <@krzee> never paste your private key
01:15 <@krzee> you just made yours completely public
01:16 < Nothing_Much> that key's public?
01:16 <@krzee> now that you posted it, it is
01:16 <@krzee> yours is inline
01:16 <@krzee> normally people have it pointing to a file
01:16 <@krzee> inline is fine, but it needed to be redacted
01:17 <@krzee> !learn configs as remember to remove any inline private key or tls-auth key before posting
01:17 <@vpnHelper> Joo got it.
01:17 <@krzee> !configs
01:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remember to remove any inline private key or tls-auth
01:17 <@vpnHelper> key before posting
01:17 <@krzee> damn
01:17 <@krzee> !forget configs 4
01:17 <@vpnHelper> Joo got it.
01:18 <@krzee> !learn configs as remove inline private keys or tls-auth key before posting
01:18 <@vpnHelper> Joo got it.
01:18 < Nothing_Much> maybe i'll just re-download the thing..
01:18 <@krzee> yes, you need to.
01:18 <@krzee> and make sure its different
01:18 <@krzee> might need a new account or whatever their system uses
01:19 < Nothing_Much> uh.. dude those keys are publicly available to download
01:19 < Nothing_Much> on vpnbook.com
01:19 <@krzee> yes, but you dont want YOUR keys public
01:19 <@krzee> if i get my own it doesnt affect you
01:19 < Nothing_Much> none of those are my keys
01:20 < Nothing_Much> it's vpnbook's
01:20 <@krzee> they dont assign one for you?
01:20 < Nothing_Much> it's a free vpn
01:20 <@krzee> its the same exact file for every single person?
01:20 < Nothing_Much> am i supposed to get one?
01:20 < Nothing_Much> i think so
01:20 <@krzee> then whats the point?
01:20 <@krzee> your traffic is not secured even on the vpn if that is the case
01:21 < Nothing_Much> oh
01:23 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
01:28 <@krzee> !certinfo
01:28 <@vpnHelper> "certinfo" is run `openssl x509 -in -noout -text` for info from your cert file
01:29 <@krzee> Issuer: C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com/name=vpnbook.com/emailAddress=admin@vpnbook.com
01:30 <@krzee> the cert is weak, 1024. there is no mitm protection, and it is a publicly avail key
01:31 <@krzee> you should consider that no protection at all.
01:33 <@krzee> but if you're simply using it as an open proxy and you want your traffic to go through them regardless of encryption, then its fine
01:40 < car> krzee, but the encryption is done by the key which is generated through DH. That key is used by AES-128. So the only thing i would worry about is authentication. but that should be fine as well, cause its not a server that Nothing_Much owns.
01:41 < car> so the traffic is encrypted
01:41 <@krzee> until there is a mitm
01:41 < car> or i am wrong?!
01:41 < Nothing_Much> yeah, I'm still trying to figure out why it's not letting me use it
01:41 < Nothing_Much> but apparently openvpn isn't running
01:41 < Nothing_Much> am I missing a package?
01:41 <@krzee> you removed ip-win32, start openvpn again
01:41 < Nothing_Much> openvpn is installed here
01:42 <@krzee> post new log
01:42 < car> krzee, mitm - thats true ;)
01:42 <@krzee> !mitm
01:42 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
01:42 < Nothing_Much> it's not in the config..
01:43 <@krzee> correct, and you dont have control to do it
01:43 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
01:43 <@krzee> Nothing_Much, shouldnt you be busy getting a new log?
01:43 < car> i meant you're right. i forgot mitm...
01:43 <+hyper_ch> Nothing_Much: sudo service openvpn restart
01:43 <@krzee> car, but openvpn didn't, Thu Jan 15 02:06:15 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
01:44 <@krzee> =]
01:44 < car> :)
01:45 < Nothing_Much> Thu Jan 15 02:44:51 2015 ERROR: Cannot ioctl TUNSETIFF tun1: Operation not permitted (errno=1)
01:45 < Nothing_Much> the config is the same exact one o.o
01:45 <@krzee> are you root?
01:46 < Nothing_Much> nope...
01:46 < Nothing_Much> hmm..
01:46 <@krzee> lol
01:46 <@krzee> well you'll need to be
01:50 < Nothing_Much> uh oh
01:50 <@krzee> you thought a non root user could modify the routing table?
01:53 < Nothing_Much> krzee: how long does it take before the vpn works?
01:56 <@krzee> it wont, you are not root
01:58 < Nothing_Much> krzee: I did it with root
01:58 < Nothing_Much> now it's stuck...
01:58 -!- no_mu [~nothing_m@unaffiliated/nothing-much/x-2931824] has joined #openvpn
01:58 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has quit [Remote host closed the connection]
01:59 < no_mu> krzee: I did it with root
01:59 < no_mu> now it's stuck...
01:59 -!- no_mu is now known as Nothing_Much
01:59 < Nothing_Much> well it was, but it was taking over 3 minutes to connect
01:59 < Nothing_Much> is that normal?
02:08 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:17 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Read error: Connection reset by peer]
02:24 -!- ampsix [uid26275@gateway/web/irccloud.com/x-kjteoloyvxcjmfup] has joined #openvpn
02:33 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
02:33 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:46 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
02:57 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 244 seconds]
03:00 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
03:02 -!- Denial [~Denial@81.141.16.42] has quit [Ping timeout: 256 seconds]
03:11 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:13 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 245 seconds]
03:16 -!- ArtVandalae [~SuperUnkn@CPE-110-148-145-150.vxl8.lon.bigpond.net.au] has left #openvpn ["Leaving"]
03:22 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
03:30 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
03:49 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:10 -!- car [~car@101.98.155.139] has quit [Quit: Leaving]
04:21 -!- _bt [~bt@mongs.yotm.com] has quit [Changing host]
04:21 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
04:23 -!- rbjorklin [~rbjorklin@128.199.34.53] has joined #openvpn
04:28 -!- defswork [~andy@mailhost.mirrormail.co.uk] has quit [Remote host closed the connection]
04:52 -!- zerenden [~zerenden@46.7.69.83] has joined #openvpn
05:03 < zerenden> Hi guys
05:10 < zerenden> I want to create a virtual network with some friends. We will use three tomato routers, connected via OpenVPN. Every router will host an ESXI server. The idea is to be able to connect (multiple protocols), from a computer in router A, to a computer in router B, or C... using hostname and not just IP. What kind of interface do you recommend? Tun or tap?
05:19 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has quit [Ping timeout: 240 seconds]
05:19 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 264 seconds]
05:21 -!- ampsix is now known as `^-_-^`
05:30 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Quit: Leaving]
05:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
05:32 -!- singcat [~singcat@gateway/tor-sasl/singcat] has joined #openvpn
05:36 < singcat> When I connect with lubuntu x64 14.10 running openvpn client to an openvpn server, I get access to the server's LAN and can access the internet with the server's IP.
05:36 < singcat> When I connect with Windows 7 x64 running openvpn client openvpn-install-2.3.6-I601-x86_64.exe I cannot access the server's LAN nor can I connect to the internet with the servers IP (I still connect with my client IP).
05:36 < singcat> I suspect there is a problem on windows that the routes are not added automatically.
05:36 < singcat> I run the openvpn client gui as an administrator.
05:37 < singcat> How can I make it work on windows?
05:37 < singcat> I tried route-delay 30 and route-method exe but it did not work
05:37 < singcat> I tried redirect-gateway def1 but it did not work
05:37 < singcat> both linux and windows are using the same openvpn client config
05:38 < singcat> !paste
05:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
05:38 < singcat> !configs
05:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private keys or tls-auth key before
05:38 < singcat> !logs
05:38 <@vpnHelper> posting
05:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:39 -!- mode/#openvpn [+v s7r] by ChanServ
05:42 < singcat> this is my client config: http://fpaste.org/169967/13220671/
05:46 < singcat> last message in log is Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
05:46 < singcat> MANAGEMENT: >STATE:1421322218,CONNECTED,ERROR,172.17.0.2,1.2.3.4
05:46 <@vpnHelper> Title: FAQ – OpenVPN Community (at openvpn.net)
05:50 -!- AL13N_work [~alien@91.183.52.232] has quit [Ping timeout: 245 seconds]
05:55 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
06:00 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
06:01 -!- zerenden [~zerenden@46.7.69.83] has quit [Ping timeout: 245 seconds]
06:01 -!- singcat [~singcat@gateway/tor-sasl/singcat] has quit [Remote host closed the connection]
06:06 -!- barbariandude [~james@unaffiliated/barbariandude] has joined #openvpn
06:08 < barbariandude> Hi, I'm trying to deploy the Windows OpenVPN client to our network via group policy, and for that I need an MSI file. Unfortunately, we can only find an MSI for 1.5.6, which seems to be incompatible with the other end (which is 2.3.1). Would anyone be able to tell me where I can find the MSI file for this version of the OpenVPN client?
06:10 < pekster> The GPL program is an NSIS installer, which does support silent installation (although it also requires the TAP-WIN32 driver, so you may need to tweak your driver signing policy for automated deployments there.)
06:10 < pekster> 1.5.6 isn't the community-maintained openvpn version, see this for more info:
06:10 < pekster> !connect
06:10 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
06:10 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
06:10 < rbjorklin> !welcome
06:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:11 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
06:11 < rbjorklin> !goal
06:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:11 < pekster> barbariandude: Check out the /S flag for NSIS installers (the NSIS docs should help here) as that causes installation to be silent. I've done AD deployments of NSIS-installers before using login scripts; maybe that's an option here?
06:11 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
06:13 < barbariandude> Thanks for the help! Will start reading about the NSIS installer. I had no idea OpenVPN Connect was nothing to do with the community
06:13 < barbariandude> !download
06:13 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
06:14 -!- singcat [~singcat@gateway/tor-sasl/singcat] has joined #openvpn
06:14 < singcat> I am back
06:19 < rbjorklin> Hi, I'm trying to connect to the company VPN from Linux with openvpn. I can successfully auth however we use OTP (one time password) which are sent out via SMS after successful auth. This is where openvpn fails
06:21 < rbjorklin> Does openvpn support OTP or do I have to find some 3rd party module for that? If it's the latter, any recommendations?
06:22 < singcat> ignore previous log snippet, here is the full one http://fpaste.org/169971/24466142/
06:29 < singcat> additionally, same symptoms on the android client
06:29 < singcat> everything only works in linux client, not in win, not in android
06:38 -!- moparsthbest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
06:45 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:03 < singcat> can anyone give me some more pointers what to try or investigate?
07:10 -!- singcat [~singcat@gateway/tor-sasl/singcat] has quit [Ping timeout: 250 seconds]
07:10 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
07:10 -!- singcat [~singcat@gateway/tor-sasl/singcat] has joined #openvpn
07:15 <@Dougy> rbjorklin: support it?
07:16 <@Dougy> rbjorklin: what do you mean? is there a SMS module for openvpn?
07:16 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
07:22 <+hyper_ch> people still think sms is safe for authentication?
07:24 <@Dougy> as a 2nd factor, it's not a "bad" method
07:26 <+hyper_ch> if you don't trust the generated certificates but trust the sms... then there's something wrong IMHO
07:27 <@Dougy> hyper_ch: i think this user is looking to use it in addition to certificates
07:28 <+hyper_ch> I fail to see what security besides make-believe security is provided by that
07:34 <@Dougy> how do you figure?
07:37 <@Dougy> theoretically, if i had my computer compromised and someone got my certs, they still wouldn't have a token sent to my phone
07:37 <@Dougy> unless i'm missing something
07:50 < singcat> anyone who could help me with the issue?
07:58 <@plaisthos> whois Dougy
07:58 <@plaisthos> !whois Dougy
07:58 <@plaisthos> :p
08:03 -!- `^-_-^` [uid26275@gateway/web/irccloud.com/x-kjteoloyvxcjmfup] has quit [Quit: Connection closed for inactivity]
08:04 <@Dougy> hrmm
08:04 <@Dougy> wat
08:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:12 -!- You're now known as ecrist
08:16 -!- aoseki [~akaseki@unaffiliated/akaseki] has joined #openvpn
08:24 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 244 seconds]
08:24 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:24 -!- mdorenka [~marcel3@unaffiliated/mdorenka] has joined #openvpn
08:24 < mdorenka> hey guys i got a question regarding routing between VPNs
08:25 < mdorenka> i have a vpn server tun0 for incoming connections - i can ping my local network 10.0.0.0
08:25 < mdorenka> now i have another tunnel,this time a client - tun0
08:25 < mdorenka> from 10.0.0.0 i can reach clients in 192.168.113.0 (the network behind tun0)
08:26 < mdorenka> sorry tun1 i mean
08:26 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 244 seconds]
08:26 < mdorenka> how can i allow clients from tun0 to connect to tun1?
08:27 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
08:38 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:44 <@Dougy> ha
08:44 <@Dougy> hahaahahaha
08:44 * Dougy cries
08:44 <@Dougy> pfsense y u give me headaches
08:45 <@Dougy> mdorenka: so you want the 2 sets of clients to talk to one another?
08:45 < mdorenka> yep
08:45 < mdorenka> i got them talking but i needed push "route 0.0.0.0 0.0.0.0" in config
08:45 < mdorenka> not that nice :|
08:46 <@Dougy> that isn't right
08:46 <@Dougy> pushing routes is correct, but not that route
08:46 < mdorenka> sorry - didnt push it
08:46 < mdorenka> push "redirect-gateway def1 bypass-dhcp"
08:47 <@Dougy> did you try pushing the proper routes to each set of clients?
08:47 <@Dougy> rather than that
08:47 <@Dougy> if forcing 0/0 through it worked, then if you just set it to push the "right" route yu should be good
08:47 < mdorenka> so a correct route would be push "route 192.168.113.0 255.255.255.0", correct?
08:48 <@Dougy> if you push that to the other set of clients
08:48 <@Dougy> !iroute
08:48 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
08:48 <@Dougy> !route
08:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
08:49 <@Dougy> that guide may be of good use to you
08:50 < mdorenka> huh ... i just restarted everything (firewall + openvpn) and now it seems to work?!
08:50 <@Dougy> couldn't tell you, you'd need to tell me
08:50 <@Dougy> ;]
08:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:57 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
09:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
09:08 -!- barbariandude [~james@unaffiliated/barbariandude] has quit [Remote host closed the connection]
09:11 -!- singcat [~singcat@gateway/tor-sasl/singcat] has quit [Ping timeout: 250 seconds]
09:13 < jeev> doug
09:13 < jeev> i lost another supermicro
09:16 < dvl> jeev: Lost as in dead, or as in gone walkabouts?
09:22 < jeev> dead
09:22 < jeev> put a second cpu in it and boom, stopped working again
09:22 < jeev> now second cpu socket wont work
09:25 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:26 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
09:30 -!- mdorenka [~marcel3@unaffiliated/mdorenka] has quit [Ping timeout: 246 seconds]
09:38 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 276 seconds]
09:45 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
10:09 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
10:09 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
10:15 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
10:16 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:17 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:26 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
10:45 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 252 seconds]
10:47 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
10:52 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:05 <+hyper_ch> all my € are now worthless :( maybe I should throw them out of the window...
11:05 <+esde> send to me
11:05 <@krzee> ya ill take them
11:05 <+hyper_ch> ;)
11:05 <+esde> address is as follows
11:05 <+esde> P. Sherman
11:05 <+esde> 42, Wallaby Way,
11:05 <+esde> Sydney, Australia
11:05 <+hyper_ch> doesn't sound fair when I send you worthless stuff ;)
11:06 <@krzee> you can get them to me at:
11:06 <@krzee> !donate
11:06 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
11:06 <+hyper_ch> esde: How are the Adelaide Crows doing?
11:06 <+hyper_ch> krzee: esde: https://www.ecb.europa.eu/stats/exchange/eurofxref/html/eurofxref-graph-chf.en.html
11:06 <@vpnHelper> Title: ECB: Euro exchange rates CHF (at www.ecb.europa.eu)
11:06 <+esde> krzee, mind a pm?
11:07 <@krzee> esde, all good
11:07 <@krzee> hyper_ch, omg what happened
11:08 <@krzee> hyper_ch, and ill still take them :D
11:09 <+hyper_ch> krzee: well, with the subprime crisis followed by a euro crisis, the swiss national bank announced in 2011 that it will keep a min. exchange rate of 1.20 : 1 so the € won't fall further (from swiss point of view)... that has worked
11:10 <+hyper_ch> but at around 11:30 this morning, the SNB announced that it will not fix the exchange rate anymore by buying € if needed... and then the course plummeted
11:11 <+hyper_ch> also the swiss market index lost 10% by the end of the business day
11:11 <+hyper_ch> however, EU zone has become cheaper for me to buy stuff :)
11:11 <+hyper_ch> I think I have like 50-60 € here :)
11:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:15 <@krzee> i thought you were .ch
11:15 <@krzee> they use swiss franc there?
11:16 <+esde> ch = country code for switzerland, right?
11:16 <@krzee> oh i just looked up the TLD
11:16 <@krzee> lol
11:16 <@krzee> i was thinking .cz
11:16 <+esde> croatia?
11:16 <@krzee> my americanism is showing
11:17 <+esde> ah czech republic
11:17 <+esde> HAHAHAHAHA
11:17 <@krzee> cz = Czech
11:17 <+esde> dialing code = 420
11:17 <@krzee> no wayyyyy
11:17 <@krzee> cz is 420?
11:17 <+esde> look it up
11:17 <+esde> https://encrypted.google.com/search?hl=en&q=cz%20country%20code
11:17 <@vpnHelper> Title: cz country code - Google Search (at encrypted.google.com)
11:17 <@krzee> dazo_afk, im moving to cz bro
11:17 <@krzee> only because of your phone prefix
11:18 <+esde> can we emigrate together?
11:18 <+esde> i dont take up much room
11:21 <+hyper_ch> krzee: most people think china
11:21 <+hyper_ch> (most people --> most USians)
11:21 <+hyper_ch> well, switzerland is +41
11:24 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:25 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Ping timeout: 245 seconds]
11:27 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
11:28 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
11:31 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:52 -!- Marc128000 [~quassel@cpe-66-68-87-18.austin.res.rr.com] has joined #openvpn
12:01 -!- You're now known as f^cking-moron
12:01 -!- You're now known as ecrist
12:06 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
12:07 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
12:13 <@krzee> esde, was that a failed attempt to search for "cz tld" ?
12:14 < Marc128000> !welcome
12:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:14 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:15 <+esde> no
12:15 < Marc128000> Simple question, and most likely my error, but when building 2.3.6 from source on debian 7, init scripts are not built. Is there a place to find the init scripts?
12:15 <+esde> i wanted the country code
12:15 <@krzee> gotchya
12:16 <+esde> *to know what the country code stood for
12:17 <@krzee> Marc128000, that is not part of openvpn, it is part of your OS
12:17 <@krzee> Marc128000, you can install openvpn from your package manager and will probably get the init scripts
12:17 <+esde> Marc128000, do you have opencpn installed anywhere?
12:17 <+esde> *vpn
12:17 <+esde> *server *else
12:18 < Marc128000> Okay, thats what I was trying to avoid. But probably easiest option
12:18 <@krzee> well at least to pull out the init scripts
12:18 <+esde> actually i'll pastebin one for you now if you'd like
12:18 <@krzee> ya or esde can give you his ^
12:18 < Marc128000> that'd be great
12:18 < Eagleman> How do i allow a client with the same username but a different certificate to connect twice or more to the VPN?
12:20 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
12:20 <+esde> cd /tmp; wget 'http://pastebin.com/raw.php?i=h9NG1kGQ' -O openvpn; sudo mv openvpn /etc/init.d; sudo chmod 755 /etc/init.d/openvpn; sudo update-rc.d openvpn defaults
12:20 <+esde> iirc
12:20 <+esde> YMMV
12:21 < Marc128000> thank you sir, I'll give it a shot. Worst case I'm back to having to steal the init section from the deb package
12:21 < Marc128000> or ma'am
12:21 < Marc128000> lol
12:21 <+esde> well the pastebin is the init script you need
12:21 <+esde> i just tried to give you the "recipe" you needed by including the commands
12:22 < Marc128000> I appreciate the extra effort
12:22 <+esde> np
12:24 <+esde> those commands get you into the tmp dir first, grab the script and save it as openvpn. then it moves the file to your init.d directory and makes the script executable with appropriate permissions, and the finally command would enable the script if i'd added enable to the end. having said that
12:24 <+esde> cd /tmp; wget 'http://pastebin.com/raw.php?i=h9NG1kGQ' -O openvpn; sudo mv openvpn /etc/init.d; sudo chmod 755 /etc/init.d/openvpn; sudo update-rc.d openvpn defaults; sudo update-rc.d openvpn enable
12:24 <+esde> is the correct set of commands
12:24 <+esde> s/finally/update-rc.d
12:25 -!- aoseki [~akaseki@unaffiliated/akaseki] has left #openvpn ["Leaving"]
12:27 < Marc128000> Dang, as I expected, the init scripts are spread through file system
12:27 <+esde> ?
12:27 < Marc128000> can't open /lib/lsb/init-functions
12:27 < Marc128000> the file is there
12:29 < Marc128000> Don't want to flood channel with my issue. Appreciate the help!
12:29 <+esde> can you pastebin the commands you ran and the errors?
12:29 < Marc128000> sure
12:30 < Marc128000> http://pastebin.com/iNBTRaJ6
12:32 < Marc128000> I'm thinking about using apt-get to install package, then using make install to overwrite with my build
12:32 <@krzee> is it the right file permissions?
12:33 <@krzee> oh ya it is, esde gave the command for i
12:33 <@krzee> it*
12:33 < Marc128000> Should be, I haven't changed the permissions on anything but openvpn script
12:33 <@krzee> sry i didnt read all scroll before talking
12:33 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Quit: ZNC - http://znc.in]
12:33 <@krzee> :x
12:33 < Marc128000> No problem! I'll never hate on folks trying to help
12:33 <+esde> i found something when searching for your error, but it's in Cyrillic :/
12:34 <+esde> http://slitaz30.rssing.com/chan-15642138/all_p104.html
12:34 <@vpnHelper> Title: SliTaz Forum » Recent Posts (at slitaz30.rssing.com)
12:34 <+esde> at least the bits that might be helpful
12:34 < Marc128000> haha
12:34 < Marc128000> I'll take a look
12:34 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
12:34 <@krzee> any special reason you prefer installing from source? (not that im against that at all)
12:34 <@krzee> you loading patches or something?
12:35 < Marc128000> Trying a patch out
12:35 < Marc128000> https://forums.openvpn.net/topic12605.html
12:35 <@vpnHelper> Title: OpenVPN Support Forum Patch: Fix for Iran and China users : Scripting and Customizations (at forums.openvpn.net)
12:35 < Marc128000> Thx bot!
12:35 <@krzee> why not use:
12:35 <@krzee> !obfs
12:35 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
12:35 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
12:35 < Marc128000> Two main reasons
12:35 <@krzee> (thats the reason that patch wont be accepted into openvpn)
12:36 <+esde> i like running from source because I know where it came from and since openvpn is something i love, i figure it's a good way to learn about manually installing packages :)
12:36 < Marc128000> Client connections are about .5/.12 mbs
12:36 * esde shudders
12:36 < Marc128000> Also clients aren't tech savvy so I'm attempting to minimize their setup and possible error
12:37 <+esde> is this a widespread issue?
12:37 < Marc128000> proxy/wrappers are an excellent solution iff the user understands how to setup
12:37 < Marc128000> I would think so
12:37 < Marc128000> Folks behind gov't firewalls that aren't techies
12:37 <+esde> that's fucked up
12:38 <@krzee> esde, yes, in certain locations
12:38 <+esde> the gov't need to keep their nose out and let you do your thang.
12:38 < Marc128000> Lol, trying to assist that
12:38 <+esde> that said, let's get you going!!
12:38 -!- mode/#openvpn [+v Marc128000] by krzee
12:38 <@krzee> Marc128000, you plan on helping others do the same?
12:38 * esde goes to the bathroom and grabs a juicebox
12:38 <+Marc128000> This idea may not work anyhow, as it'll mean I need to custom build and distribute clients as well
12:39 <+Marc128000> I'd like to
12:39 <@krzee> Marc128000, good man.
12:39 <@krzee> in the long run you may find obfsproxy easier
12:39 <+Marc128000> Usually I've only set up vanilla setups
12:39 <+Marc128000> There is an element of byod (bring your own device) that also adds complexity to obfsproxy
12:39 <@krzee> ehh?
12:39 <+Marc128000> The XOR traffic option seemed quite elegant
12:39 <@krzee> how so?
12:40 <+Marc128000> Installing obfsproxy for android, IOS, win, linux and MacOS
12:40 <@krzee> sure, unless it becomes popular then it'll get blocked and you're back to square 1
12:40 <@krzee> obfsproxy is made for just that!
12:40 <+Marc128000> Hrm, thats a good point
12:40 <+Marc128000> How much of an overhead hit is obfsproxy?
12:40 <@krzee> just use a diff plugin and it obfuscates to another proto
12:41 <@krzee> i dunno, never had an excuse to play with it
12:41 * Marc128000 gets to reading
12:41 <@krzee> .o
12:41 <+Marc128000> lol
12:41 <@krzee> oops
12:41 <@krzee> http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
12:41 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
12:42 <+Marc128000> Read that, its a good primer
12:42 -!- rbxs [~rbxs@cable-213-34-250-223.zeelandnet.nl] has joined #openvpn
12:43 <@krzee> when those firewalls last changed they effectively blocked all openvpn users again, thats when the xor patch came out, and we decided that it would be useless to include it
12:43 <@krzee> because the game of cat + mouse with DPI firewalls belongs to obfsproxy not to openvpn
12:43 -!- `^-_-^` [uid26275@gateway/web/irccloud.com/x-ilapitckhanvcdbw] has joined #openvpn
12:43 <@krzee> its already a nice project dedicated to just that goal
12:44 <+Marc128000> "but it does have a much lower bandwidth overhead since it is not carrying an additional layer of encryption. This can be a particularly relevant for users in places such as Syria or Ethiopia, where bandwidth is often a critical resource. Obfsproxy is also somewhat easier to set up and configure."
12:44 <+Marc128000> Maybe the overhead is not as bad as I thought
12:44 <+Marc128000> I'll be doing some testing. Maybe I'll do a writeup and compare
12:45 <@krzee> feel free to use one of our wikis for the writeup if you like
12:45 <@krzee> !wiki
12:45 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
12:45 <+Marc128000> I wonder if you used the scramble patch, and had a rolling password if that would work
12:45 <+Marc128000> I can't imagine a polymorphic XOR getting caught by automated pattern recognition
12:46 <@krzee> the other side would have to roll equally
12:46 <@krzee> which means it would be statically rolling
12:46 <@krzee> which means they could include it to the DPI code
12:46 <@krzee> because remember, its the initiation of the session they block
12:47 <@krzee> so you dont get to hand the xor keys over the secure channel, which wont exist
12:47 <+Marc128000> What about copying something like the RSA Key idea, where it rolls based of a seed?
12:47 <+Marc128000> Hrm thats a good point
12:47 <@krzee> the best solution is obfsproxy ;]
12:47 <@krzee> we've gone over this in dev meetings
12:48 <+Marc128000> I appreciate the explanation! Always nice to understand the choices
12:48 <+Marc128000> I have no dog in the fight, I'm just hashing out options at this point
12:48 <+Marc128000> I think obfsproxy is the better choice though
12:48 <@krzee> but if you just need something quick, i expect statickey would be fine too
12:48 <@krzee> since there is no handshake
12:48 <@krzee> its just an encrypted stream, no way to distinguish it
12:49 <+Marc128000> For the simple fact that if I custom build OVPN, I'll have to do it for all possible client devices AND somehow securely deliver it
12:49 <+Marc128000> Which is exactly what I was trying to avoid by using obfsproxy. In other words its the same either way
12:49 <@krzee> ya client device*S* means no statickey ;]
12:49 <@krzee> ^ yep
12:50 <@krzee> the big difference is that your obfsproxy will work still after they catch on to whatever comes next
12:50 <+Marc128000> Also yes, plural. Said no to statickey due to threat of data aggregation attack due to number of clients
12:50 <@krzee> in the game of cat + mouse, obfsproxy will never have to work as hard as the governments
12:50 <@krzee> thats the point of obfsproxy, with that we're always winning the game
12:50 <+Marc128000> Imagine that, the experts already thought it out ;-)
12:51 <@krzee> oh you blocked my obfsproxy transport? ok i'll just change that real quick, done!
12:51 <@Dougy> hello krzee
12:51 <@krzee> helo Dougy
12:51 <@krzee> ;]
12:51 * Marc128000 sets to undoing all the hackish fixes on server
12:51 <+esde> i need to look into opfsproxy more... it'd be nice to know my traffic is cloaked. because we know comcast is watching
12:51 <@Dougy> krzee: REJECTED
12:52 <+esde> *b
12:52 <@krzee> esde, all comcast sees is the encrypted connection
12:52 <+Marc128000> In US, I'm not concerned. The encryption is enough
12:52 <+esde> correct
12:52 <+Marc128000> They are welcome to see my VPN connection. Not yet a jailable offense to simply be using one
12:52 <+Marc128000> yet...
12:52 <@krzee> im also not concerned about obfs my vpns ^
12:53 <+esde> but it would just be nice to know they see a bunch of non-sense that couldnt even be profiled as vpn traffic
12:53 <+esde> if that makes sense
12:53 <@krzee> i consider it a tool for bypassing censorship firewalls
12:53 <+Marc128000> Would be a good theory if they start to throttle it
12:53 <@krzee> although really, its a good tool to play with and learn
12:53 <@krzee> if for no other reason than to help those being censored
12:53 <+Marc128000> however, VPN are standard tools for all kinds of uses in US. So I doubt that'll become an issue
12:53 <+esde> that's really why i want to use it, just for the experience to help someone whose life might depend on it
12:53 <+Marc128000> krzee: thats my goal
12:53 <+esde> as dramatic as that may sound
12:53 <+Marc128000> Not dramatic at all
12:54 <@krzee> totally not dramatic
12:54 <@krzee> thats real life some places bro
12:54 <+Marc128000> Knowing the threats and mitigating technologies back and forth is vital when a user trusting your advice can have serious physical consequences
12:54 <+Marc128000> Hence all my reading and testing
12:55 <+esde> obfsproxy will work clientside with no extra finagling? just configure obfsproxy on the serverside and configure some directives in the server/client confs?
12:56 <+Marc128000> Throw in some other hindrances like, no ability to test [not in client country], low bandwidth, poor connection, registered IPs, data aggregation ...
12:56 <+Marc128000> and its a real challenge
12:56 <@krzee> ^^
12:56 <@krzee> esde, i havnt played with it, feel free to answer that to me when you find it ;]
12:56 <+Marc128000> Haha, over the next few hours I should become pretty familiar with it
12:56 <+esde> i'll go do some r&d in the sandbox is openvpn is fronting cash for the trip :)
12:57 <+esde> *if
12:57 <+Marc128000> lol, my adventure days are over. Now doing my part with the brain ;-)
12:58 <+Marc128000> some vps are available from within some of the countries in question
12:58 <+Marc128000> However, I'm trying to minimize connections to server, as too much traffic can raise a flag
12:58 <+esde> but if they dont accept buttcoin, a user might be putting themselves on some lists lol
12:59 <+Marc128000> That is definitely true
12:59 <+esde> and accepting buttcoin defeats the purpose of all the censorship :/
12:59 <@krzee> bbl
13:15 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
13:17 -!- int32 [~int32@unaffiliated/xero-] has joined #openvpn
13:17 -!- int32 [~int32@unaffiliated/xero-] has left #openvpn []
13:19 -!- EnRage [~EnRage@quadrifun.com] has joined #openvpn
13:20 < EnRage> hey guys, i've ran into problems with an openvpn client on debian 7.7 wheezy as i wanted it to route all traffic over the vpn, but after i've started the vpn i couldn't connect via public ip anymore
13:21 < EnRage> anything i need to do in order to be able to connect to the public ip of the server and get a response from it?
13:21 <+hyper_ch> I doubt there's a Debian 7.7 Wheezy
13:21 <+esde> there is.
13:22 <+esde> EnRage, can you use different words to describe your goal and problem? it's a bit confusing to me how you've explained it
13:22 < EnRage> Linux x 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u2 x86_64 GNU/Linux
13:22 <+esde> hell 7.8 is out even
13:22 <+hyper_ch> that was faster than I thought :)
13:22 <+hyper_ch> I guess I was wrong :)
13:22 < EnRage> umm i just want to use both networks
13:22 <+hyper_ch> even the most brilliant minds err sometimes..... so I can do that too :)
13:23 < EnRage> i want to route everything the server requests from the internet over the vpn
13:23 <+esde> !goal
13:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:23 <+esde> sounds like you want to connect to the server and forward all traffic through it
13:23 <+hyper_ch> you contradict yourself
13:23 <+hyper_ch> you say you want to route all over the vpn
13:23 <+hyper_ch> but then you say you want to use both networks
13:23 < EnRage> all traffic the server is requesting
13:24 <+esde> language barrier, probably
13:24 < EnRage> but if someone from the internet is requesting the public ip of the server, i want that it is able answer
13:25 <+esde> That's still confusing
13:25 < EnRage> i have a server in a datacenter and want to be able to connect to it using its public ip, but also everything the server does should be routed over the vpn
13:25 < EnRage> so my public ip of the server is not visible when the server is acting on its own
13:25 <+esde> "the server" is the machine in the data center?
13:26 < EnRage> right
13:26 < KavanS> would this be a good scenario for redirect-gateway?
13:26 <+esde> and you want to hide its traffic?
13:26 < EnRage> yup
13:27 <+esde> You would need to create a connection to another machine (openvpn server) as an openvpn client
13:27 < EnRage> sorry if i cant tell you clearly what i want, its just that i can route everything through that openvpn server without a problem
13:28 < EnRage> but i use the servers public ip to connect to it
13:28 < EnRage> but i cant use*
13:29 < EnRage> from my computer at home i cant get a connection to the server with its public ip anymore
13:29 < EnRage> thats the problem i want to fix
13:29 < EnRage> so it should be reachable over the vpn network and its public ip
13:29 <+esde> you want the computer at home to connect to the server in the data center and forward all traffic through the server? so the client appears to others online as the $SERVER_IP?
13:30 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
13:30 <+esde> s/online/internet
13:30 < EnRage> but as soon as the openvpn server is pushing the routes and is adding this one: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.14.13.1
13:30 < EnRage> i cant connect anymore
13:30 <+esde> stop
13:30 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Remote host closed the connection]
13:30 <+esde> you're getting way too far ahead of me
13:30 <+esde> im not even sure i understand your goal yet
13:31 < EnRage> i just want to get access to the ssh server from my local computer
13:31 <+Marc128000> It sounds like a redirect gateway
13:31 <+esde> it does
13:31 <+esde> but i don't want to lead him down the wrong path. i almost think he can't connect to the server at all currently, including via ssh
13:32 <+Marc128000> oh, yeah that'd be a problem. Could also be iptables incorrectly configured [assuming Linux]
13:32 < EnRage> right, as soon as the route is pushed from the server, all connections to the server i have open are closed
13:32 <+esde> !allinfo
13:32 <@vpnHelper> "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you
13:32 <+esde> gather and share all the things!!!
13:32 <+esde> :)
13:32 < EnRage> okay
13:32 < EnRage> !configs
13:32 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private keys or tls-auth key before
13:32 <@vpnHelper> posting
13:33 <+esde> also, to be clear. you can connect to the server and get a shell, it's just when using the openvpn connection, that connectivity is lost?
13:36 < EnRage> i can use the server completely without problems, but as soon as i start the openvpn client with that config, all connections are lost and i cant reach it anymore until i do a restart of the machine (via datacenter)
13:37 < EnRage> !logs
13:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:37 <+esde> no problem, get us those uncommented configs, logs, and routing info and we'll see what help we can offer
13:37 < EnRage> thank you
13:37 < EnRage> verb to 4?
13:38 < EnRage> kk is already ;)
13:38 <+esde> fine for right now, might ask for higher later
13:38 < EnRage> the only problem is, that i cant give you any server information since the server is not in my hands
13:39 <+esde> :(
13:39 <+esde> !crystal
13:39 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
13:39 < EnRage> im using a commercial provider for that :\
13:39 <+esde> AH
13:40 <+esde> so it's not your own openvpn connection failing, it's someone else's
13:40 <+esde> well your connection, their server
13:40 < EnRage> its not failing
13:40 < EnRage> im using it on my local machine too
13:40 <+esde> then i'm still a little confused, but i have to run now
13:40 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
13:41 < EnRage> but its like the public ip of the server itself isnt reachable anymore
13:41 < EnRage> when the server connects itself to that openvpn provider
13:41 -!- Voyage [~Voyage@39.34.149.234] has joined #openvpn
13:41 < Voyage> HI
13:42 < Voyage> I am talking through an openVpn. Still my skype calls are blocked by my ISP . whhat can be the reason?
13:42 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has joined #openvpn
13:43 <+hyper_ch> crappy ISP
13:44 < Voyage> vpn should bypas
13:44 < Voyage> http://pastebin.com/TiX0TpZT
13:47 < EnRage> hope this helps: http://pastebin.com/8LQ2qHQV
13:48 < Voyage> guys, my ip is not changed. ip of client. so the traffic is not routing through the vpn.
13:51 < Voyage> rephrase. I got connected via openvpn but my ip is not changed. ie. client's trafic is not routing through the vpn server. http://pastebin.com/TiX0TpZT I did this on the server though. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
13:52 -!- EnRage [~EnRage@quadrifun.com] has quit [Disconnected by services]
13:52 -!- EnRage [~EnRage@research.quadrifun.com] has joined #openvpn
13:52 < EnRage> sorry
13:57 < Voyage> helo
14:04 < DArqueBishop> Voyage: you need to be running OpenVPN with administrator privileges.
14:04 < Voyage> I am
14:04 < DArqueBishop> That log says otherwise.
14:04 < Voyage> DArqueBishop you mean on client side?
14:04 < DArqueBishop> Yes.
14:04 < Voyage> hm
14:05 < DArqueBishop> OpenVPN cannot set the tun adapter properties or change routes without admin privileges.
14:06 < Voyage> thanks
14:10 <+Marc128000> For anyone that was around earlier, using TCP/443 has fixed throttling issue
14:11 <+Marc128000> Phase 2 for my project will be using obfsproxy
14:11 < EnRage> anyone any idea for my problem?
14:11 -!- yeik [~jeff@2601:7:6881:4700:210a:45c3:6608:84dd] has joined #openvpn
14:12 <+Marc128000> EnRage: Reading over your conversation now
14:12 < EnRage> thank you
14:14 < DArqueBishop> EnRage...
14:14 < DArqueBishop> !both
14:14 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
14:14 <+Marc128000> Agree with DArqueBisho, if you can't adjust your iptables and server config then I'm not sure its something you can fix
14:15 < EnRage> couldnt i use nopull to prevent the route add stuff to be set?
14:15 < EnRage> and route the traffic port based?
14:15 < yeik> So, I could use some help. I have been testing an openvpn server and client, windows and linux clients connecting to it
14:15 <+Marc128000> On your local side, but it sounds like the server side iptables are triggered by openvpn connection
14:16 < EnRage> because i want all traffic routed through the vpn to hide my ip
14:16 < EnRage> but the services on the server should also be reachable
14:16 < EnRage> which they arent
14:16 < yeik> the windows side gets heavily bogged down and huge performance decrease to the server when openvpn is up. linux I can do the same things and get the same throughput I was getting without openvpn
14:17 < yeik> i changed ciphers, did auth none, set mtu, mssfix, and nothing I have found seems to help.
14:17 <+Marc128000> Yeik: could be related to TAP interface if its in use
14:17 <+Marc128000> Yeik: are you using TAP or TUN?
14:17 < yeik> we are doing dev tun
14:17 <+Marc128000> okay
14:17 < yeik> i tried tap and it seemed to have the same throughput
14:17 <+Marc128000> Why not make linux the server ;-)
14:18 <+Marc128000> Ciphers would've been my next guess
14:18 < yeik> This is for a company product and will be used on linux and windows.
14:18 < yeik> I tried setting ciphers to none, but I have a version that has a bug so wasn't able to fully test that
14:18 < yeik> 10-20% cpu utilization on the windows side, with both blowfish and aes-256-cbc
14:18 <+Marc128000> With just one client?
14:18 <+Marc128000> That seems high
14:19 < yeik> 10% cpu utilization on the server side with one client
14:19 < yeik> aes-256-cbc (this is a guest in kvm with 1 cpu)
14:19 < yeik> no AES-NI gets passed to kvm
14:20 < yeik> I have read people say they see 10% slower speeds with the windows tap driver.
14:20 < yeik> but this is magnitudes slower.
14:20 <+Marc128000> TCP or UDP?
14:20 < yeik> udp
14:20 <+Marc128000> possible gateway/isp throttling? Have you tried port TCP/443?
14:20 < yeik> these machines are on the same network for testing.
14:21 <+Marc128000> ok, thats makes it more interesting
14:21 < yeik> and even on the same machine (both kvm guests, fyi, it ran a little slower when both server and client were on the same host, speeds were better but not great when they were on separate hosts)
14:22 <+Marc128000> Something with the windows firewall perhaps? Which version of windows?
14:22 < yeik> differences I was seeing, locally 2.7 MiB/s file transfer speed max with openvpn, 30 MiB/s without openvpn
14:22 < yeik> server 2008r2
14:22 < yeik> firewall has been disabled
14:22 <+Marc128000> Have you tried disabling it for a test
14:22 <+Marc128000> beat me to it
14:23 <+Marc128000> Well I think you've done everything I would've thought to check
14:23 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
14:23 < yeik> now, because these communicate over openvpn, we do some stuff with natting and blocking all traffic except the udp port. from the interface ip. But we have ruled that out because we have the same config working in linux.
14:24 <+Marc128000> Maybe a performance issue with windows in KVM?
14:24 < yeik> Interestingly though we did notice a bug probably inside the kernel or something with connection tracking ending too soon and so when a connection is closed the syn/ack isn't able to finish properly and keeps getting retransmitted.
14:24 < yeik> We were seeing the same kind of performance issues inside vmware
14:24 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 276 seconds]
14:24 < yeik> brought it to kvm to isolate from other static noise
14:25 <+Marc128000> Good work on doing your homework :-). Sounds like the issue is out of my league
14:25 <+Marc128000> Perhaps someone else can step up!
14:25 < yeik> Who would be the best person to talk to about something like this, maybe profiling the tap driver, fixing bugs or making it perform better.
14:26 < yeik> FYI, i also tested the NDIS 6.0 and the older driver for windows.
14:27 <+Marc128000> Not sure, I'm just a user not a dev. Haha, I was just about to suggest a driver rollback or update
14:28 < yeik> I work in IT, it may only be my third month doing anything with openvpn.
14:28 < yeik> but I do my research
14:32 <+Marc128000> Similar background here
14:33 < hydrajump> the client.conf in /etc/openvpn should it be owned by `root:root` for openvpn to establish a connection on boot?
14:37 -!- EnRage [~EnRage@research.quadrifun.com] has quit [Ping timeout: 272 seconds]
14:37 -!- MrWhoo [c777e9df@gateway/web/freenode/ip.199.119.233.223] has joined #openvpn
14:37 < MrWhoo> Greetings
14:38 < MrWhoo> I finally was able to get tap1 and tun1 going on DD-Wrt at the same time :)!
14:38 -!- akamaru217 [~akamaru21@67.191.183.251] has quit [Read error: Connection reset by peer]
14:39 < MrWhoo> But I have problem with routing could please someone take a look at the table and give me some guidance, ... I'm very new to all this ...
14:39 -!- akkad [akkad@166.84.6.60] has joined #openvpn
14:40 < MrWhoo> http://pastebin.com/BJaBW79U
14:40 < akkad> I have an openvpn server that ran out of disk space, stopped routing packets for users. restarted openvpn, and am not seeing any logs, but no packets are routing when connected.
14:40 < MrWhoo> just one simple command to route stuff to tap1 or tun1 .. will do the trick, I can take it from there :)
14:40 < MrWhoo> is this something that needs to be done with iptables ?
14:44 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c069:f6fb:4d2c:8e8c] has joined #openvpn
14:47 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
14:48 -!- Marc128000 [~quassel@cpe-66-68-87-18.austin.res.rr.com] has quit [Ping timeout: 245 seconds]
14:49 < yeik> is tun1 a valid address space?
14:49 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
14:49 <+hyper_ch> tun1 is a network interface
14:50 < yeik> MrWhoo, 25.0.8.0 in your pastebin doesn't seem like a proper ip/route for a tunnel interface
14:56 < MrWhoo> yeik, yes it is
14:56 < MrWhoo> I know that it's a weird IP, but I verified with
14:57 < yeik> is it a public block that you own?
14:57 < MrWhoo> with provided
14:57 < MrWhoo> Nope, this actually belongs to MOD
14:57 < MrWhoo> in UK
14:57 < MrWhoo> it's strange what they do internally there :D
14:58 < MrWhoo> but if I don't use --route-nopull
14:58 < yeik> usually the idea of vpn is to use a non public ip block to connect over the internet to another non public block..
14:58 < MrWhoo> everything is working
14:59 < MrWhoo> response from provider: We are using 25.0.X.X as private subnet for the point-to-point VPN connection (between client and VPN server) for technical reason. The server is also pushing a private DNS server (25.0.0.1) to your VPN client. The 25.0.0.1 DNS server is hosted on the VPN server.
15:00 -!- Henryabcd [~Henryabcd@pD9E08888.dip0.t-ipconnect.de] has joined #openvpn
15:00 < yeik> MrWhoo, still doesn't seem right then, it would be a 25.0.0.0 that you would need to route through that interface
15:01 < yeik> 25.0.0.0/16 if they own 25.0.x.x
15:02 < MrWhoo> I'm not sure, this is the route that shows up when I start OpenVPN, I don't really understand it
15:03 < MrWhoo> I did tons of google searches and it's making sense but very slow progress.
15:03 < MrWhoo> how about the route to the other provider.
15:05 < yeik> tap1 looks fine.
15:05 < yeik> just tun1 is the one I saw...
15:06 < akkad> openvpn keeps pushing a secondary default route of "default 10.1.0.5 UGScI 0 0 tun0"
15:06 < MrWhoo> yeik, how can I send some traffic down tun1 ?
15:08 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:09 < MrWhoo> I tried to set up IP vpn_net and vpn_gateway
15:09 < MrWhoo> but no luck
15:17 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
15:20 -!- Voyage [~Voyage@39.34.149.234] has quit [Ping timeout: 252 seconds]
15:23 -!- MrWhoo [c777e9df@gateway/web/freenode/ip.199.119.233.223] has quit [Ping timeout: 246 seconds]
15:27 < yeik> you just need to ping something in 25.0.8.x
15:28 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
15:38 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
15:43 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has quit [Remote host closed the connection]
15:46 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
15:46 -!- rbxs [~rbxs@cable-213-34-250-223.zeelandnet.nl] has quit [Remote host closed the connection]
15:51 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has quit [Remote host closed the connection]
15:56 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
16:01 -!- yeik [~jeff@2601:7:6881:4700:210a:45c3:6608:84dd] has quit [Remote host closed the connection]
16:02 -!- Henryabcd [~Henryabcd@pD9E08888.dip0.t-ipconnect.de] has quit [Quit: Leaving]
16:08 < Eagleman> How do i allow a client with the same username but a different certificate to connect twice or more to the VPN?
16:13 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has quit [Ping timeout: 272 seconds]
16:24 -!- `^-_-^` is now known as ampsix
16:24 -!- ampsix [uid26275@gateway/web/irccloud.com/x-ilapitckhanvcdbw] has quit [Changing host]
16:24 -!- ampsix [uid26275@unaffiliated/ampsix] has joined #openvpn
16:24 -!- ampsix [uid26275@unaffiliated/ampsix] has quit [Changing host]
16:24 -!- ampsix [uid26275@gateway/web/irccloud.com/x-ilapitckhanvcdbw] has joined #openvpn
16:31 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
16:34 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:35 -!- debbie10t [~debbie10t@unaffiliated/m10t] has joined #openvpn
16:39 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
16:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
--- Log closed Thu Jan 15 16:46:44 2015
--- Log opened Thu Jan 15 16:46:58 2015
16:46 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
16:46 -!- Irssi: #openvpn: Total of 206 nicks [10 ops, 0 halfops, 4 voices, 192 normal]
16:46 -!- mode/#openvpn [+o ecrist_] by ChanServ
16:47 -!- CGML_ [~CGML@unaffiliated/cgml] has joined #openvpn
16:47 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:47 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
16:47 -!- Irssi: Join to #openvpn was synced in 40 secs
16:47 -!- riddle [riddle@us.yunix.net] has joined #openvpn
16:49 -!- julie_harshaw [~julie@juliekoubova.net] has joined #openvpn
16:49 -!- badaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
16:49 -!- JackWinter_ [~jack@vodsl-10478.vo.lu] has joined #openvpn
16:50 -!- shivanshu_ [~shivanshu@104.131.8.15] has joined #openvpn
16:51 -!- antihero [~antihero@37.139.5.204] has joined #openvpn
16:51 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
16:52 -!- Netsplit *.net <-> *.split quits: scyld, KavanS, Left_Turn, pythonsnake1, Mike--, AsadH, jeev, deviantintegral, typ, mirco, (+41 more, use /NETSPLIT to show all of them)
16:52 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
16:52 -!- Netsplit *.net <-> *.split quits: ratsupremacy, TheEternalAbyss, Adian, jl-, Slippern, nlb, julieeharshaw, Zimsky, mete, burp_, (+3 more, use /NETSPLIT to show all of them)
16:52 -!- shivanshu_ is now known as shivanshu
16:52 -!- Netsplit *.net <-> *.split quits: nsrafk, tapout, @dazo_afk, dvl, lachesis, ExtraCarpety, kossy, trumee, akamaru217
16:53 -!- Netsplit over, joins: @vpnHelper, @novaflash, pythonsnake1, Left_Turn, james41382, KavanS, `Yoda, mirco, mgorbach, rich0 (+13 more)
16:53 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has quit [Max SendQ exceeded]
16:54 -!- Netsplit *.net <-> *.split quits: @Dougy, sireebob, pppingme, Neal_, Haseo, abbe, lxusrbin, pekster, troyt, carlcrack, (+15 more, use /NETSPLIT to show all of them)
16:54 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
16:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:54 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
16:54 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
16:54 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
16:54 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
16:54 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
16:54 -!- benoliver999 [~ben@ben.baconseed.org] has joined #openvpn
16:54 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
16:54 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
16:54 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
16:54 -!- cwillu_at_work [~cwillu@cwillu.com] has joined #openvpn
16:55 -!- early` [~early@192.241.198.49] has joined #openvpn
16:55 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
16:55 -!- Netsplit *.net <-> *.split quits: someone, early, boypussy, dkr, Reventlov, roentgen_, almostworking, RGamma, gardar, Papey, (+9 more, use /NETSPLIT to show all of them)
16:56 -!- markelite [croftworth@gateway/shell/yourbnc/x-tcbsaqyavfnpcsln] has joined #openvpn
16:57 -!- Netsplit over, joins: bakhtiya
16:58 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:58 -!- Netsplit *.net <-> *.split quits: D-Boy
16:58 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:58 -!- dazo_afk is now known as dazo
16:58 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
16:58 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
17:01 -!- zalami_ [~realnameo@unaffiliated/zalami] has quit [Quit: No Ping reply in 180 seconds.]
17:01 -!- _KaszpiR__ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Quit: No Ping reply in 180 seconds.]
17:01 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 276 seconds]
17:01 -!- debbie10t [~debbie10t@unaffiliated/m10t] has quit [Read error: Connection reset by peer]
17:01 -!- james41382_ [~james4138@unaffiliated/james41382] has joined #openvpn
17:01 -!- carlcrack [~carlcrack@gateway/vpn/privateinternetaccess/carlcrack] has joined #openvpn
17:01 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
17:01 -!- u0m3 [~u0m3@92.80.89.9] has quit [Read error: Connection reset by peer]
17:01 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 272 seconds]
17:01 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 272 seconds]
17:01 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 272 seconds]
17:01 -!- early` [~early@192.241.198.49] has quit [Ping timeout: 272 seconds]
17:01 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 272 seconds]
17:01 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 272 seconds]
17:01 -!- maxiepax [max@83.241.146.10] has quit [Ping timeout: 272 seconds]
17:01 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
17:01 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 272 seconds]
17:01 -!- Matir_ [~matir@ubuntu/member/matir] has quit [Ping timeout: 272 seconds]
17:01 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 272 seconds]
17:02 -!- u0m3 [~u0m3@92.80.89.9] has joined #openvpn
17:02 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
17:02 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Read error: Connection reset by peer]
17:02 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 264 seconds]
17:02 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 264 seconds]
17:02 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
17:02 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
17:02 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 264 seconds]
17:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
17:02 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
17:02 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
17:02 -!- mode/#openvpn [+v hazardous] by ChanServ
17:03 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
17:03 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
17:03 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
17:03 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:03 -!- mode/#openvpn [+v RBecker] by ChanServ
17:03 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
17:03 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
17:03 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
17:04 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
17:04 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
17:04 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:04 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
17:05 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
17:05 -!- Netsplit *.net <-> *.split quits: jeev, Maxel, @vpnHelper, thumbs, ghormoon, james41382, DonRichie, ketas, `Yoda, rich0, (+28 more, use /NETSPLIT to show all of them)
17:05 -!- mirco_ is now known as mirco
17:05 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:05 -!- mode/#openvpn [+o mattock] by ChanServ
17:05 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has joined #openvpn
17:05 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
17:05 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
17:05 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:05 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
17:05 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
17:05 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:05 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:05 -!- hypermist [hypermist@unaffiliated/hypermist] has joined #openvpn
17:05 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:05 -!- Guest77113 [~Tony@unaffiliated/darkg] has joined #openvpn
17:05 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
17:05 -!- abbe [having@badti.me] has joined #openvpn
17:05 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
17:05 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
17:05 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
17:05 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
17:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:05 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
17:05 -!- ServerMode/#openvpn [+oo krzee plaisthos] by sinisalo.freenode.net
17:05 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
17:05 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
17:06 -!- Netsplit over, joins: Jeroen52
17:06 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Max SendQ exceeded]
17:06 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
17:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:07 -!- burp [~quassel@ns337126.ip-188-165-218.eu] has joined #openvpn
17:07 -!- riddle [riddle@us.yunix.net] has joined #openvpn
17:07 -!- phix [~threat@123-243-44-131.static.tpgi.com.au] has joined #openvpn
17:07 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:07 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
17:08 -!- Netsplit *.net <-> *.split quits: bakhtiya, @raidz, Synced
17:08 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
17:08 -!- Netsplit *.net <-> *.split quits: Brando753, K1rk, Shiftos, Fusl, badon, atyoung, DrCode
17:08 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
17:09 -!- tekk [~me@185.17.149.149] has joined #openvpn
17:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:10 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
17:10 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
17:12 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
17:12 -!- Latrina [~Latrina@adsl-ull-159-179.50-151.net24.it] has joined #openvpn
17:12 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
17:12 -!- deviantintegral [~deviantin@mail.furrypaws.ca] has joined #openvpn
17:12 -!- doop [~doop@colostomy.club] has joined #openvpn
17:12 -!- cwillu_at_work [~cwillu@cwillu.com] has joined #openvpn
17:12 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:12 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
17:12 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
17:12 -!- benoliver999 [~ben@ben.baconseed.org] has joined #openvpn
17:12 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
17:12 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
17:12 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
17:12 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
17:12 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:12 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:13 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Max SendQ exceeded]
17:13 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
17:13 -!- someon [~someone@sonoshee.chronostasis.net] has joined #openvpn
17:13 -!- jeev [~j@107.170.196.88] has joined #openvpn
17:13 -!- raidz [~raidz@raidz.im] has joined #openvpn
17:13 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
17:13 -!- 7JTAB3J4F [~lev@stipakov.fi] has joined #openvpn
17:13 -!- Magiobiwan [IRC@192.210.209.165] has joined #openvpn
17:13 -!- `Yoda [Yoda@gateway/shell/yourbnc/session] has joined #openvpn
17:13 -!- gmc [~gmc@babbelbox.metro.cx] has joined #openvpn
17:13 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
17:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c069:f6fb:4d2c:8e8c] has joined #openvpn
17:13 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
17:13 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
17:13 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
17:13 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
17:13 -!- yoavz [yoavz@yoavz.net] has quit [Max SendQ exceeded]
17:14 -!- Magiobiwan [IRC@192.210.209.165] has quit [Max SendQ exceeded]
17:14 -!- `Yoda [Yoda@gateway/shell/yourbnc/session] has quit [Changing host]
17:14 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
17:14 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has quit [Max SendQ exceeded]
17:14 -!- deviantintegral [~deviantin@mail.furrypaws.ca] has quit [Changing host]
17:14 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
17:14 -!- raidz [~raidz@raidz.im] has quit [Changing host]
17:14 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:14 -!- mode/#openvpn [+o raidz] by ChanServ
17:14 -!- jeev [~j@107.170.196.88] has quit [Changing host]
17:14 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
17:14 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
17:14 -!- ketas [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
17:14 -!- Zimsky-- [~alice@unaffiliated/zimsky] has joined #openvpn
17:14 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
17:14 -!- gmc is now known as Guest39046
17:14 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
17:14 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
17:15 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:15 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
17:15 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
17:16 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:16 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: leaving]
17:16 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
17:17 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
17:17 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:18 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
17:18 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
17:20 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
17:20 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
17:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
17:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
17:23 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
17:23 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
17:23 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Max SendQ exceeded]
17:24 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
17:26 -!- james41382_ [~james4138@unaffiliated/james41382] has quit [Changing host]
17:26 -!- james41382_ [~james4138@gateway/vpn/privateinternetaccess/james41382] has joined #openvpn
17:27 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
17:27 -!- ampsix [uid26275@gateway/web/irccloud.com/x-ilapitckhanvcdbw] has quit []
17:30 -!- `Yoda [Yoda@unaffiliated/itsyoda] has quit [Changing host]
17:31 -!- `Yoda [Yoda@gateway/shell/yourbnc/x-qafvbngfwpqktbdm] has joined #openvpn
17:31 -!- debbie10t [~debbie10t@unaffiliated/m10t] has joined #openvpn
17:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:38 -!- someon is now known as someone
17:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:43 -!- shivanshu [~shivanshu@104.131.8.15] has quit [Read error: Connection reset by peer]
17:46 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:57 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
18:01 -!- debbie10t is now known as JudgeJudyfk
18:04 -!- JudgeJudyfk is now known as TheManual
18:04 < TheManual> they must have read me ..
18:04 -!- TheManual is now known as theSource
18:05 -!- theSource is now known as SourceCode
18:05 -!- SourceCode is now known as ballzucker
18:32 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
18:32 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
18:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:39 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Remote host closed the connection]
18:45 -!- ballzucker [~debbie10t@unaffiliated/m10t] has quit [Killed (Sigyn (Spam is off topic on freenode))]
19:15 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
19:22 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
19:33 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
19:34 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
19:35 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
19:43 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
19:44 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 252 seconds]
19:49 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
20:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
20:05 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
20:29 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
20:35 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 265 seconds]
20:41 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
20:58 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has quit [Quit: Konversation terminated!]
20:58 -!- rich0_ is now known as rich0
21:17 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
21:20 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
21:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:41 <@krzee> anyone waiting for help with something?
21:41 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Quit: You shouldn't be seeing this]
21:45 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has joined #openvpn
21:54 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has quit [Excess Flood]
21:54 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
22:05 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
22:10 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
22:41 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has joined #openvpn
22:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:03 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
23:20 -!- keatont [~keatont@keatonstaylor.com] has quit [Quit: ZNC - http://znc.in]
23:22 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
23:31 -!- ShadniX [dagger@p5481D726.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:31 -!- ShadniX_ [dagger@p5794135A.dip0.t-ipconnect.de] has joined #openvpn
23:31 -!- ShadniX_ is now known as ShadniX
23:31 -!- james41382_ is now known as james41382
23:44 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
23:44 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
23:44 -!- mode/#openvpn [+o novaflash] by ChanServ
--- Day changed Fri Jan 16 2015
00:38 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
01:34 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 264 seconds]
01:36 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
01:44 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
01:46 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
01:56 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
02:01 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
02:29 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 256 seconds]
02:50 -!- Tobinski [~tobinski@x2f6003b.dyn.telefonica.de] has joined #openvpn
02:51 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:54 -!- Tobinski [~tobinski@x2f6003b.dyn.telefonica.de] has quit [Quit: Leaving]
02:54 -!- Tobinski [~tobinski@x2f6003b.dyn.telefonica.de] has joined #openvpn
03:02 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:03 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
03:12 -!- Schrottfresse [~quassel@schrottfresse.de] has joined #openvpn
03:20 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:45 <+hyper_ch> krzee: google publishes another security issue with windows... 90 days to fix just aren't good enough for Microsoft...
03:50 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
04:08 -!- asper [~argali@volans.uberspace.de] has joined #openvpn
04:10 < asper> hey guys, i set up a vpn with client-to-client OFF. Is it possible to create rules so that some "controlling hosts" can see all or just a few "slave hosts"?
04:16 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
04:23 -!- badaptr is now known as adaptr
04:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:33 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:43 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
04:49 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:54 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:55 -!- shio [marmot@6.121.101.84.rev.sfr.net] has joined #openvpn
05:00 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
05:02 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:03 -!- mode/#openvpn [+o krzee] by ChanServ
05:03 <@krzee> asper, did you get your question answered already?
05:03 < asper> no
05:03 <@krzee> !c2c
05:04 <@krzee> hey whered my bot go!
05:04 <@krzee> 1sec
05:04 < asper> waiting for the bot......
05:04 < asper> .....
05:04 < asper> ....
05:04 < asper> ....
05:04 < asper> ..
05:04 < asper> .
05:05 < asper> ok i'll wildly guess what c2c means... consumer to consumer?
05:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
05:05 -!- mode/#openvpn [+o vpnHelper] by ChanServ
05:05 <@krzee> !c2c
05:05 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
05:05 <@vpnHelper> other clients
05:06 <@krzee> so as you can see, for what you want you can simply not use that config option, and use your firewall on your server to accomplish your goal
05:12 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:36 -!- Zimsky-- is now known as Zimsky
05:39 < asper> thanks krzee
05:39 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 255 seconds]
05:39 <@krzee> np
05:45 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
05:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:52 -!- Dropje [~yge@ip4da1148b.direct-adsl.nl] has joined #openvpn
05:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:55 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
05:59 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has left #openvpn ["Quitte"]
06:14 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:25 -!- mirco [~mirco@tmo-100-202.customers.d1-online.com] has joined #openvpn
06:25 -!- mirco [~mirco@tmo-100-202.customers.d1-online.com] has quit [Remote host closed the connection]
06:32 -!- RoyK [~roy@77.88.71.251] has joined #openvpn
06:33 < RoyK> hi all. anyone that knows where I can find a howto on setting up android access?
06:37 < RoyK> that is, setting up an access server for distributing profiles to be imported
06:41 <@plaisthos> !as
06:41 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
06:50 -!- pipi- [~pipi-@unaffiliated/pipi-] has quit [Ping timeout: 256 seconds]
06:52 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
06:56 -!- Guest77113 [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
06:57 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
07:09 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
07:37 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Quit: ZNC - http://znc.in]
07:38 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
07:44 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
07:48 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
07:49 < RoyK> plaisthos: sorry - didn't mean AS, just openvpn, I just don't understand this client config file distribution thing
07:50 <@krzee> !sleep
07:51 <@krzee> !learn sleep as if you are having issues with openvpn after waking from sleep mode in windows see: https://community.openvpn.net/openvpn/wiki/WhyMyOpenVPNTunnelDoesNot
07:51 <@vpnHelper> Joo got it.
07:54 <@plaisthos> RoyK: just get the ovpn file to that device and open it
07:54 <@plaisthos> email it or something
07:54 <@krzee> copy it over using android file transfer, adb, or by mounting the sdcard
07:55 <@krzee> then just import
07:55 <@krzee> it's as easy as could be
07:55 <@plaisthos> or use a webserver with the right mime type
07:55 <@plaisthos> !android
07:55 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/ or (#5)
07:55 <@vpnHelper> https://code.google.com/p/ics-openvpn/wiki/FAQ
08:05 < RoyK> krzee: the thing is, it's a wee bit more than one device :P
08:05 < RoyK> OpenVPN Connect asks for an Access Server Hostname from which to import a profile. Any idea how to set up such a thing with OSS OpenVPN?
08:06 <@krzee> no
08:06 <@krzee> that's all AS stuff
08:06 <@plaisthos> RoyK: there is no standard for that
08:06 <@krzee> it uses AS black magic
08:06 < RoyK> well, should be able to reverse engineer it :P
08:06 <@plaisthos> you can do your own login/pw site and service ovpn profiles
08:07 <@krzee> RoyK, you going to touch each device?
08:07 < RoyK> krzee: no
08:19 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
08:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:40 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
08:50 -!- rangerpb [~rangerpb@gentoo/developer/rangerpb] has joined #openvpn
08:53 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
08:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
08:55 < rangerpb> hey folks, I'm having some mixed luck with a simple openvpn connection between two nodes behind NAT'd firewalls. I'm using nat-traversal to initially get them aware of each other. Subsequently the nodes DO connect, but I cannot flow any data (like pings, curl) over the tunnel. I've tried the iptables recommendations to no avail.
08:55 < rangerpb> my configs look like -> http://paste.fedoraproject.org/170519/14214200
08:55 < rangerpb> using tcpdump, i can def see the data headed out the right device, etc
08:56 < rangerpb> Any ideas of where I could poke at to next to debug this?
08:57 < rangerpb> firewalls on both nodes are disabled
09:01 < Poster> if you're attempting to route from network to network, you'll need to have return routes via the OpenVPN host
09:02 < rangerpb> i only want the client and server to communicate ... the routes openvpn adds should be sufficient right?
09:03 < Poster> just peer to peer?
09:04 < Poster> no networks on either side?
09:04 < rangerpb> no i dont want the peer networks to use the vpn
09:04 < rangerpb> the vpn tunnel that is
09:04 < Poster> ok so you need to add routes to the remote network by way of the local OpenVPN host IP address along with enabling IP routing on both sides
09:04 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has joined #openvpn
09:05 < Poster> so route to network B via OpenVPN host A | route to network A via OpenVPN host B
09:05 < rangerpb> can you translate that into a route command? Would appreciate it
09:06 < Poster> ok what is the IP subnet on site 1?
09:06 < rangerpb> 192.168.1.0
09:07 < rangerpb> and site 2 192.168.2.0
09:07 < Poster> ok and what is the IP address of the OpenVPN server at site 1? 192.168.1.?
09:07 < rangerpb> .129
09:07 < Poster> ok and what is the IP address of the OpenVPN server at site 2? 192.168.2.?
09:07 < rangerpb> .227
09:08 < Poster> ok and what OS is the default gateway on site 1?
09:08 < rangerpb> .5
09:08 < rangerpb> and .7 on other side
09:09 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
09:10 < Poster> is it a firewall of some type?
09:11 < rangerpb> the client and server are not firewalls, is that what you are asking?
09:11 < Poster> what is the default gateway?
09:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:11 < rangerpb> Poster, to be clear, the vpn client and vpn server cannot even communicate (i.e., 10.10.10.11 and 10.10.10.12)
09:12 < Poster> what device is connecting your 192.168.1.0/24 to the Internet?
09:12 < rangerpb> eth0
09:12 < Poster> so it's a Linux system?
09:12 < rangerpb> definitely
09:12 < rangerpb> both sides
09:13 < Poster> ok, so on 192.168.1.5, type:
09:13 < Poster> route add -net 192.168.2.0/24 gw 192.168.1.129
09:13 < Poster> on 192.168.2.7, type:
09:13 < Poster> route add -net 192.168.1.0/24 gw 192.168.2.227
09:14 < rangerpb> ok but don't those routes enable the two sep LANs to communicate?
09:14 < Poster> the default gateway has to know to route traffic destined for the remote network via the local OpenVPN host
09:15 < rangerpb> and that enables one to ping 10.10.10.11 from 10.10.10.12 ?
09:15 < rangerpb> and other way around?
09:16 < Poster> that probably works already
09:16 < rangerpb> it doesn't
09:16 < rangerpb> that's what I am trying to debug
09:16 < rangerpb> sorry if my misused terminology confused things
09:16 < Poster> ok, on both the client and server, please run
09:17 < Poster> openvpn --config /path/to/your/config.conf
09:17 < Poster> and paste the output into pastebin or something
09:18 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:18 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 256 seconds]
09:21 < rangerpb> client -> http://paste.fedoraproject.org/170539/21421653/
09:21 < rangerpb> server -> http://paste.fedoraproject.org/170541/42142161/
09:23 -!- yeik [~jket@2601:7:6881:4700:fab1:56ff:feb8:524a] has joined #openvpn
09:25 < rangerpb> Poster, that info you were looking for ?
09:28 -!- Ferriss [~server6@what.possessed.us] has joined #openvpn
09:28 < Ferriss> !welcome
09:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:30 < Ferriss> !/30
09:30 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
09:30 < Ferriss> !topology
09:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:31 < Ferriss> !config
09:31 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
09:31 < Ferriss> !configs
09:31 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private keys or tls-auth key before
09:31 <@vpnHelper> posting
09:32 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 252 seconds]
09:34 < Ferriss> I would like to access the internet over my vpn. I am a new user. I feel my current issue might be with server.conf. Upon attempt to manually run openvpn with my server.conf specified, it responds "Options error: You must define TUN/TAP device. (--dev)"
09:34 < Ferriss> I will have to do some digging before I am able to provide my server.conf. It is remote
09:34 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
09:35 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
09:39 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:42 < Ferriss> nevermind. I can't SSH into it right now for some reason. Keeps timing out.
09:42 < Ferriss> I have other open connections through it that are working fine. Rather strange.
09:44 < KaiForce> If I have a site to site OpenVPN based VPN with the remote subnet 192.168.1.0, and I have a client key for a separate OpenVPN VPN to another site with the same subnet, which VPN will traffic flow to if I connect to the second VPN? If that is possible... Is there a way to control which is used?
09:45 -!- zune [~zune_free@188-180-61-96-dynamic.dk.customer.tdc.net] has quit [Quit: ZNC - http://znc.in]
09:50 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:53 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
09:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 252 seconds]
10:13 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
10:16 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
10:27 < Dropje> KaiForce: you would have to setup metrics. I *assume* that without metrics an error will be generated upon route creation, as it will already exist
10:30 < KaiForce> Dropje: Ok, thanks. This isn't a big deal - we do remote support and for clients that we do more work for, we usually have a site to site VPN. We have a few that have overlapping subnets, so I'll probably just continue to create client keys for those.
10:37 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
10:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:54 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
10:59 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 246 seconds]
10:59 -!- kexmex [~kexmex@195.42.130.233] has joined #openvpn
11:13 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
11:28 -!- kexmex [~kexmex@195.42.130.233] has quit [Quit: Computer has gone to sleep.]
11:51 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
11:51 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
12:03 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
12:15 -!- Henryabcd [~Henryabcd@pD9E0AC63.dip0.t-ipconnect.de] has joined #openvpn
12:37 -!- Henryabcd [~Henryabcd@pD9E0AC63.dip0.t-ipconnect.de] has quit [Quit: Leaving]
12:39 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
12:46 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
12:57 <+hyper_ch> krzee: I knew that gaming was a waste of time... but it's also a security risk to your data: https://github.com/ValveSoftware/steam-for-linux/issues/3671
12:57 <@vpnHelper> Title: Moved ~/.local/share/steam. Ran steam. It deleted everything on system owned by user. · Issue #3671 · ValveSoftware/steam-for-linux · GitHub (at github.com)
13:10 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
13:24 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Read error: Connection reset by peer]
13:29 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
13:31 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
13:41 -!- Synced [~Synced@unaffiliated/synced] has joined #openvpn
13:58 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Ping timeout: 246 seconds]
14:00 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
14:01 -!- shadowe989 [~shadowe98@184.9.189.122] has quit [Ping timeout: 252 seconds]
14:02 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Client Quit]
14:02 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
14:06 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Read error: Connection reset by peer]
14:08 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
14:11 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
14:19 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
14:23 < yeik> is anybody here good with openvpn and performance?
14:28 <+hyper_ch> no
14:33 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Read error: Connection reset by peer]
14:34 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has joined #openvpn
14:36 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has quit [Remote host closed the connection]
14:36 -!- Nothing_Much [~nothing_m@unaffiliated/nothing-much/x-2931824] has joined #openvpn
14:42 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
14:44 < yeik> Is there a good person/people to talk to about seeing low performance even with no cipher, no auth?
14:49 <+hyper_ch> no
14:49 < yeik> are you very helpful?
14:50 <+hyper_ch> yes
15:09 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
15:10 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 246 seconds]
15:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Max SendQ exceeded]
15:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 252 seconds]
15:23 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:27 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:54 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:08 -!- mattock is now known as mattock_afk
16:12 -!- rangerpb is now known as rangerpbzzzz
16:20 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
16:21 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
16:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 252 seconds]
16:28 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
16:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
16:35 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:35 <@krzee> yeik,
16:35 <@krzee> !speed
16:35 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
16:35 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
16:36 < yeik> so Krzee, we have looked at MTU size, it isn't cpu, we are using UDP, i have turned cipher none, auth none, mssfix, fragment/mtu size
16:36 < yeik> we are using tap
16:36 < yeik> err tun, and have tested with tap
16:37 < yeik> i tried setting txqueuelen on windows but it isn't supported.
16:37 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
16:38 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn []
16:38 < yeik> we have an openvpn server inside linux, same settings on linux and windows, linux box sees no performance difference, windows we see 4x or greater performance hit.
16:47 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 272 seconds]
16:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:57 -!- two_oes [~orenoi@85.64.3.169.dynamic.barak-online.net] has quit [Ping timeout: 264 seconds]
17:00 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:03 -!- swebb [~swebb@192.69.23.161] has joined #openvpn
17:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:15 -!- mode/#openvpn [+v s7r] by ChanServ
17:18 -!- Tobinski [~tobinski@x2f6003b.dyn.telefonica.de] has quit [Quit: Leaving]
17:24 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:33 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
17:35 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
17:45 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Remote host closed the connection]
17:46 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
17:59 -!- Diabolik [DiabolikFr@2a00:d880:3:1::6be5:5bc8] has joined #openvpn
17:59 < Diabolik> hi guys
18:00 < Diabolik> i have a newb question, i just installed openvpn on my ubuntu server, I'm frustrated as to where to find my .ovpn files and keys on the server?
18:02 -!- ApplesInArrays [~Administr@207.126.91.2] has joined #openvpn
18:02 -!- ApplesInArrays [~Administr@207.126.91.2] has left #openvpn []
18:10 < pekster> You have to create them in OpenVPN; how do you not know where they are?
18:10 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:10 < pekster> Unless you're not referring to OpenVPN, but the commercial product, for which you should seek them out for support. For more info, see:
18:10 < pekster> !as
18:10 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
18:32 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
18:45 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
19:06 <@krzee> also Diabolik
19:06 <@krzee> !extension
19:06 <@vpnHelper> "extension" is (#1) .ovpn is the windows file extension for openvpn configs or (#2) the linux startup scripts are set to start every *.conf in /etc/openvpn/
19:34 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
19:44 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
20:25 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
20:34 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:36 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
20:36 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
20:37 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:39 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
20:41 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:46 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
20:48 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:49 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
20:52 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:53 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
20:58 -!- StickyRice [d036d4c2@gateway/web/cgi-irc/kiwiirc.com/ip.208.54.212.194] has joined #openvpn
20:58 < StickyRice> ok so everyone heard of barracuda?
20:58 < StickyRice> no not the fish
20:59 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
21:01 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
21:02 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
21:02 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
21:06 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 256 seconds]
21:06 -!- StickyRice [d036d4c2@gateway/web/cgi-irc/kiwiirc.com/ip.208.54.212.194] has left #openvpn []
21:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:43 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit []
21:48 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 244 seconds]
21:49 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:59 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
22:01 -!- james41382_ [~james4138@unaffiliated/james41382] has joined #openvpn
22:05 -!- james41382 [~james4138@gateway/vpn/privateinternetaccess/james41382] has quit [Ping timeout: 276 seconds]
22:14 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
22:17 -!- james41382_ is now known as james41382
22:35 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:37 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
22:38 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
22:56 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
22:56 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:19 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:31 -!- ShadniX [dagger@p5794135A.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:31 -!- ShadniX [dagger@p5481DE39.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Jan 17 2015
00:26 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
00:35 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
01:08 -!- MogDog is now known as Laika
01:08 -!- Laika is now known as MogDog
01:50 -!- shadowe989 [~shadowe98@184.9.189.122] has joined #openvpn
01:54 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
01:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
02:14 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:37 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
02:43 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
02:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:19 -!- ghormoon [~ghormoon@ghorland.net] has quit [Ping timeout: 255 seconds]
05:25 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
05:42 -!- Denial [~Denial@81.141.17.58] has joined #openvpn
05:44 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Read error: Connection reset by peer]
05:52 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
06:00 -!- Denial [~Denial@81.141.17.58] has quit [Ping timeout: 256 seconds]
06:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
06:12 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
06:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:20 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
06:21 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
06:33 -!- mattock_afk is now known as mattock
06:36 -!- Left_Turn is now known as oreoOs
06:53 <+hyper_ch> krzee: http://thehill.com/policy/technology/229787-obama-backs-call-for-tech-backdoors
06:53 <@vpnHelper> Title: Obama backs call for tech backdoors | TheHill (at thehill.com)
06:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
07:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:20 -!- aditsu [~aditsu@059148208052.ctinets.com] has joined #openvpn
07:21 < aditsu> hi, is there a way to automatically disconnect openvpn when one of the regular interfaces is using a certain subnet?
07:31 <+hyper_ch> why would you want that?
07:42 < pekster> You probably should investigate what hooks your distro has for DHCP
07:42 < pekster> Presumably if you're setting networks statically you already know them, so it sounds like you want some scripted logic to do clever things based on what DHCP gets, which is what hooks in your dhcp script are for
07:42 < pekster> You can SIGTERM openvpn to have it shut down, or read the docs on the management interface if you want a more formal API
07:50 < aditsu> hyper_ch: because that means I'm already in the network I would be connecting to via vpn
07:51 < aditsu> pekster: aha, sounds like that could work; I guess openvpn itself doesn't have any such feature?
07:53 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Ping timeout: 246 seconds]
07:54 < aditsu> (obviously, it's for laptops/portable devices using dhcp)
07:56 < pekster> Nope, nor should it
07:56 < pekster> Should openvpn also identify your country of origin? Your city? The state of your lawn?
07:56 < pekster> This isn't systemd ;)
07:57 < aditsu> those things have nothing to do with openvpn's operation, but the routing table does :p
07:57 < pekster> Routing table has very little to do with "what never you're connected to"
07:57 < pekster> That's none of openvpn's business, although see for instance the detection of your pre-existing default gateway as perhaps the only thing that might matter when using --redirect-gateway
07:57 < pekster> But you'll notice that's only there as a precondition for not breaking things when inserting the two /1 routes
07:58 < pekster> what network*
07:58 <+hyper_ch> I fail to see why openvpn shouldn't be run in that case
07:58 <+hyper_ch> pekster: it seems you have a dislike for systemd?
07:59 < aditsu> hyper_ch: because 1) it's redundant and 2) there's a conflict and connections are breaking or at least slowing down
07:59 < pekster> hyper_ch: your belittling OP doesn't really help
08:00 <+hyper_ch> my what doesn't help?
08:00 < pekster> His/her needs are there, unless you have a reason why you know the user "doesn't really want" to not run the VPN on a particular network. Sounds plausible, and talking users out of what they want isn't really helpful
08:00 < pekster> But whatever
08:01 < pekster> aditsu: So yea, look at DHCP as a hook. OpenVPN doesn't do magic things for the same reason openssh, or any other daemon doesn't offer this support: it's not the role of service daemons to make operating decisions based on external network conditions, like what IP network you're on
08:01 < pekster> You'll need to build a bit of log around it to either start (if unstarted and you want it up) or stop (if started and you want it terminated) based on network state, but otherwise there's not much magic involved
08:02 < pekster> logic* (let's see if coffee improves typos..)
08:03 < aditsu> if it wasn't obvious, I'll specify that the vpn server is pushing one or more routes
08:03 < pekster> Yes, I figured that
08:04 < pekster> At least one of which you don't want at your location, which makes perfect sense. Don't let those who can't "fathom" your needs tell you they aren't there
08:05 < pekster> You could also consider putting the route pushes in a --client-connect script that's smart enough to look at the source IP of the VPN connection
08:06 < pekster> That way you could leave the VPN up all the time and simply change the routes pushed. This would require that you do _not_ run the client-VPN with downgraded user permissions so it can remove/re-create the routes (without the omitted ones for these alternate locations) which it can't do without persistent root perms
08:09 -!- Latrina [~Latrina@adsl-ull-159-179.50-151.net24.it] has quit [Ping timeout: 264 seconds]
08:10 -!- oreoOs is now known as Left_Turn
08:10 -!- Latrina [~Latrina@adsl-ull-84-253.45-151.net24.it] has joined #openvpn
08:11 < aditsu> pekster: ok, thanks for your suggestions; I'll look into it later since it doesn't seem very simple
08:11 < pekster> The --client-connect stuff is pretty easy
08:12 < pekster> Write a script, have it check the $trusted_ip env-var, and conditionally echo the push statements (instead of putting "--push "192.0.2.0 255.255.255.0"" in your server config) and you're done
08:13 < pekster> For shell, start with the conditional: if [ "$trusted_ip{%.*}" != "192.168.1" ]; then your_special_routes_that_should_not_be_pushed_for_clients_from_192_168_0_network; fi
08:14 < pekster> !scripts
08:14 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:15 < pekster> Erm, "${trusted_ip%.*}", but you probably get the idea
08:27 -!- mattock is now known as mattock_afk
08:56 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
08:59 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
09:15 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
09:17 -!- aditsu [~aditsu@059148208052.ctinets.com] has quit [Ping timeout: 265 seconds]
09:21 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
09:35 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
09:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
09:56 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
10:08 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:12 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
10:17 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
10:40 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
10:41 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
10:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:45 -!- mode/#openvpn [+v s7r] by ChanServ
11:04 -!- JackWinter_ [~jack@vodsl-10478.vo.lu] has quit [Quit: Konversation terminated!]
11:06 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
11:11 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
12:02 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
12:05 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
12:05 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
12:21 -!- aditsu [~aditsu@183178080020.ctinets.com] has joined #openvpn
12:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
12:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:24 -!- mode/#openvpn [+v s7r] by ChanServ
12:38 <+hyper_ch> krzee: http://www.spiegel.de/media/media-35663.pdf
13:13 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
13:13 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
13:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
14:01 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 245 seconds]
14:03 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
14:12 -!- moparisthebest [~mitb@unaffiliated/moparisthebest] has quit [Ping timeout: 256 seconds]
14:18 -!- moparisthebest [~mitb@gateway/tor-sasl/moparisthebest] has joined #openvpn
14:24 -!- Henryabcd [~Henryabcd@pD9E0A5C1.dip0.t-ipconnect.de] has joined #openvpn
14:28 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
14:29 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
14:37 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:40 -!- esde [~esde@openvpn/user/esde] has joined #openvpn
14:40 -!- mode/#openvpn [+v esde] by ChanServ
15:10 -!- r00t^2_ [~bts@g.rainwreck.com] has joined #openvpn
15:12 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 252 seconds]
15:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:17 -!- r00t^2_ is now known as r00t^2
15:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:33 -!- 7JTAB3J4F is now known as lev__
15:37 -!- Henryabcd [~Henryabcd@pD9E0A5C1.dip0.t-ipconnect.de] has quit [Quit: Leaving]
16:23 -!- techtopia [~dystopia@95.211.195.1] has joined #openvpn
16:23 < techtopia> hey guys
16:24 < techtopia> is there a way to only route some traffic through a vpn
16:24 < techtopia> and let some apps connect directly to the internet
16:24 < techtopia> using openvpn connect client in windows
16:30 <+hyper_ch> yes
16:30 < techtopia> how would i go about doing it hyper_ch
16:30 < techtopia> would like to let ftprush connect directly to sites
16:30 <+hyper_ch> well, some apps can be bound to an interface
16:31 <+hyper_ch> or you set according gateway through the vpn for specific sites/ips that shall be reached
16:31 <+hyper_ch> or if you run the vpn server, you can set up a proxy and let some apps connect through there
16:32 < techtopia> unfortunately i paid for a vpn
16:32 < techtopia> i learn since i should have got a vps and set it up myself
16:32 <+hyper_ch> probably you could set up a local (socks) proxy that goes through the vpn
16:33 < techtopia> ok i will do some research :)
16:49 <+esde> techtopia, if you're running openvpn client on a firewall, it would be feasible to combine iptables on the openvpn server with some rules on the openvpn clientside firewall.
16:51 <+esde> as an example, you could configure the clientside to only allow outbound traffic from port 80 through $wan, while forcing all other traffic through $ovpn.
16:52 <+esde> *lan traffic
17:07 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
17:08 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
17:09 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:25 < KavanS> openvpn is acting funny...linux to linux over a 4G connection....it might be MTU related....when I get a big burst of data it'll choke out...but say regular ping/ssh seems to work fine
17:25 < KavanS> any suggestions?
17:26 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:36 < KavanS> n/m found mssfix
17:36 < KavanS> seems to have fixed it :)
17:45 -!- kexmex [~kexmex@178.136.234.6] has quit [Quit: Computer has gone to sleep.]
17:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:54 -!- deskjob [2e138974@gateway/web/freenode/ip.46.19.137.116] has joined #openvpn
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:05 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
18:19 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
18:32 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Remote host closed the connection]
18:45 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
18:49 -!- paxmark9 [~paxtormar@198.144.158.14] has joined #openvpn
18:56 -!- KavanS [~quassel@LINBIT/KavanS] has quit [Ping timeout: 244 seconds]
19:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
21:09 -!- Diabolik [DiabolikFr@2a00:d880:3:1::6be5:5bc8] has quit [Ping timeout: 244 seconds]
21:11 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has quit [Excess Flood]
21:11 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
21:12 -!- mode/#openvpn [+v hyper_ch] by ChanServ
21:20 -!- deskjob [2e138974@gateway/web/freenode/ip.46.19.137.116] has left #openvpn []
21:29 -!- Latrina [~Latrina@adsl-ull-84-253.45-151.net24.it] has quit [Ping timeout: 246 seconds]
21:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:30 -!- Latrina [~Latrina@adsl-ull-52-202.50-151.net24.it] has joined #openvpn
21:55 -!- Diabolik [DiabolikFr@2a00:d880:3:1::6be5:5bc8] has joined #openvpn
22:37 -!- Latrina [~Latrina@adsl-ull-52-202.50-151.net24.it] has quit [Ping timeout: 256 seconds]
22:55 -!- Latrina [~Latrina@adsl-ull-168-213.50-151.net24.it] has joined #openvpn
23:31 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Remote host closed the connection]
23:31 -!- ShadniX [dagger@p5481DE39.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
23:33 -!- ShadniX [dagger@p5DDFE95B.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Jan 18 2015
00:23 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:25 -!- paxmark9 [~paxtormar@198.144.158.14] has left #openvpn ["Leaving"]
00:58 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [K-Lined]
00:58 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
01:39 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
01:39 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
02:01 -!- novae [~novae@unaffiliated/novae] has quit [Remote host closed the connection]
02:07 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
02:46 -!- mattock_afk is now known as mattock
03:14 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
03:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:21 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
05:24 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
05:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:48 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
05:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:43 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
07:20 -!- JackWinter [~jack@vodsl-10478.vo.lu] has quit [Quit: Konversation terminated!]
07:22 -!- JackWinter [~jack@vodsl-10478.vo.lu] has joined #openvpn
07:49 -!- AlbSpirit [~Bad@shoqeria.al] has joined #openvpn
07:51 -!- rooth_ is now known as rooth
08:15 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
08:16 -!- kexmex [~kexmex@178.136.234.6] has quit [Max SendQ exceeded]
08:17 < AlbSpirit> can someone help me please, i have installed openvpn as and all is working good. My problem is i have 2 IP FAILOVER. I need to have the ip failover to use not my real ip, is that possible?
08:21 <+hyper_ch> no idea what you mean with ip failover
08:24 < AlbSpirit> when i connect with the vpn i use the real ip of the vps, in my vps i have also 2 ip failover (pointing to usa and canada), i want to use the us ip failover
08:35 -!- AlbSpirit [~Bad@shoqeria.al] has quit [Quit: (AS v9.0) download it @ www.albaniasite.net]
09:23 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
09:34 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
09:43 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:52 -!- D-Boy [~D-Boy@unaffiliated/cain] has left #openvpn ["Leaving"]
10:53 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
10:55 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
11:02 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
11:08 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
11:10 <@krzee> hyper_ch, you could have stopped him at "openvpn as"
11:10 <+hyper_ch> krzee: whom?
11:11 <@krzee> AlbSpirit
11:11 <+hyper_ch> didn't see that
11:12 <@krzee> "can someone help me please, i have installed openvpn as and all is working good. My problem is i have 2 IP FAILOVER. I need to have the ip failover to use not my real ip, is that possible?"
11:12 <@krzee> no idea what you mean with ip failover
11:12 <+hyper_ch> didn't see the "as" then
11:12 <@krzee> oh i get it, you didnt see the "as"
11:18 <+hyper_ch> krzee: did you see the pdf I linked you to?
11:18 <@krzee> most likely
11:18 <@krzee> what was it
11:18 <+hyper_ch> nsa "diary" on openssh
11:18 <+hyper_ch> [19:38] krzee: http://www.spiegel.de/media/media-35663.pdf
11:18 <@krzee> yep
11:19 <+hyper_ch> so, in 2007 the NSA hasn't hacked openssh yet
11:19 <+hyper_ch> that analyst even says how annoyingly openssh has builtin mechanisms to prevent abuse and stuff
11:22 <+hyper_ch> to me that sounded like a compliment to the openssh devs :)
11:24 -!- Evil_Eric [~Evil_Eric@gateway/vpn/privateinternetaccess/evileric/x-42088219] has joined #openvpn
11:24 < Evil_Eric> hi guys i need help im running openvpn on xubuntu and when i log in it segfaults can someone help?
11:25 < Evil_Eric> 32-bit and 14.10
11:25 <+hyper_ch> when you log in?
11:25 <+hyper_ch> also, logs or it didn't happen
11:25 <+hyper_ch> and
11:25 <+hyper_ch> !configs
11:25 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private keys or tls-auth key before
11:25 <@vpnHelper> posting
11:26 <+hyper_ch> krzee: I still don't get what he means with failover ip
11:26 < Evil_Eric> thanks ill get on that
11:30 < Evil_Eric> ummmmm now i know this is a newbie question but where in xubuntu do they store the crash logs, thought xubuntu had a log reader like ubuntu did
11:33 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Read error: Connection reset by peer]
11:34 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
11:35 <+hyper_ch> do you use network manager for openvpn connection?
11:36 < Evil_Eric> yes
11:36 <+hyper_ch> no idea then
11:36 < Evil_Eric> i found the log
11:36 < Evil_Eric> brb going to do this thing
11:37 <+hyper_ch> better to use a .conf file in /etc/openvpn/ IMHO
11:37 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Read error: Connection reset by peer]
11:43 < Evil_Eric> yeah here come pastebin :\
11:44 <+hyper_ch> ?
11:44 < Evil_Eric> http://pastebin.com/QrNFutu6
11:45 < Evil_Eric> if you need more info please just ask
11:45 <+hyper_ch> no idea
11:47 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
11:48 <+hyper_ch> well, try to use a .conf file in /etc/openvpn/
11:49 < Evil_Eric> never mind i got like 6 people on it, one of them will give me an answer on this issue, probably a simple thing where i didn't use like sudo or something somewhere
11:55 -!- kexmex [~kexmex@178.136.234.6] has joined #openvpn
12:00 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:09 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
12:14 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
12:18 -!- dob1 [~d@dynamic-adsl-78-12-174-21.clienti.tiscali.it] has joined #openvpn
12:18 < dob1> hi, i would like to run a script (on server side) after a client is connected to the vpn, i read about "up etc" but seems this is related to client side
12:19 < dob1> am i wrong?
12:19 -!- Evil_Eric [~Evil_Eric@gateway/vpn/privateinternetaccess/evileric/x-42088219] has quit [Quit: I am out of here!!!! ...... for awhile]
12:22 -!- Evil_Eric [~Evil_Eric@gateway/vpn/privateinternetaccess/evileric/x-42088219] has joined #openvpn
12:28 <@krzee> !client-connect
12:28 <@vpnHelper> "client-connect" is --client-connect