Eric Lawman | 2 Oct 18:11 2005

Re: Open VPN in FULL MESHED MODE

I just wanted to point out this is possible with some simple scripting.  On one server, I have a script that basically creates the config files for 30 other servers, then pushes them out and restarts openvpn.  I maintain a 30 tunnel full-mesh peer to peer vpn this way, and changes/additions are quite easy.

The only down side is I dynamically assign ports and ip addresses, so if I change one server, I have to change them all.  The script handles this, but it's inefficient.  While waiting for openvpn 3.0, I'll probably modify it to use a map file which keeps a record of which machines or subnets allocate which ports and ip addresses.

I just wanted to mention this because people keep asking if it's possible, and it is.

Eric.
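
The scheme Eric describes, as an added example (my own code, not Eric's script): it gives every pair of servers a static-key tunnel with its own port and /30, and keeps the allocations in a map file so that adding a server leaves the existing tunnels untouched. The host names, public addresses, map-file layout and the port/address ranges are assumptions made for the example.

```python
from itertools import combinations, count
import ipaddress

# Assumed allocation ranges (constructed for this example, not Eric's values).
BASE_PORT = 5000
BASE_NET = ipaddress.ip_network("10.200.0.0/16")   # carved into one /30 per tunnel

def load_map(text):
    """Map file, one tunnel per line: 'hostA hostB port subnet_index' (hostA < hostB)."""
    mapping = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            a, b, port, idx = line.split()
            mapping[(a, b)] = (int(port), int(idx))
    return mapping

def allocate(hosts, mapping):
    """Give every unordered pair a port and /30; pairs already in the map keep theirs."""
    used_ports = {p for p, _ in mapping.values()}
    used_idx = {i for _, i in mapping.values()}
    for pair in combinations(sorted(hosts), 2):
        if pair in mapping:
            continue                      # never renumber an existing tunnel
        port = next(p for p in count(BASE_PORT) if p not in used_ports)
        idx = next(i for i in count() if i not in used_idx)
        mapping[pair] = (port, idx)
        used_ports.add(port); used_idx.add(idx)
    return mapping

def dump_map(mapping):
    return "\n".join("%s %s %d %d" % (a, b, p, i) for (a, b), (p, i) in sorted(mapping.items()))

def tunnel_config(local, peer, port, idx, peer_addr):
    """One static-key point-to-point config, in the style of the configs in this thread."""
    net = ipaddress.ip_network("%s/30" % (BASE_NET.network_address + 4 * idx))
    lo, hi = net.hosts()                  # the two usable addresses of the /30
    mine, theirs = (lo, hi) if local < peer else (hi, lo)
    return "\n".join([
        "remote %s" % peer_addr, "port %d" % port, "dev tun",
        "ifconfig %s %s" % (mine, theirs),
        "secret keys/%s-%s.key" % tuple(sorted((local, peer))),
        "persist-key", "persist-tun", "keepalive 10 60", ""])

def generate(addr_of, mapping):
    """Return {host: {peer: config}} for every tunnel in the map; addr_of maps host -> public IP."""
    out = {h: {} for h in addr_of}
    for (a, b), (port, idx) in mapping.items():
        out[a][b] = tunnel_config(a, b, port, idx, addr_of[b])
        out[b][a] = tunnel_config(b, a, port, idx, addr_of[a])
    return out
```

Writing `dump_map(mapping)` back to the map file after each `allocate` is what makes the next run stable.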

Ralph Dauber | 2 Oct 21:53 2005

http-proxy


Hello there,

I've got an OVPN-Server on Linux and the clients are XP-Pro.
I can connect per tcp or udp (device = tun).
Now I want to connect the client per proxy.
Proxy = Linux-Firewall with squid.
squid has been running for a long time on my router.
now the config...
my client on windows:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
-----------------------------------------------

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node OpenVpn
dev-node OpenVpn
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote VPN-Server-remote 80
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
http-proxy my-proxy 3128
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca Orga-ca.pem
cert clientcert.pem
key clientkey.pem

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
------------------------------------------------
output while starting the connection:
Sun Oct 02 18:44:56 2005 us=578082 TCP connection established with "Proxy-Server":3128
Sun Oct 02 18:44:56 2005 us=595160 Send to HTTP proxy: 'CONNECT Vpn-Server-Remote:80 HTTP/1.0'
Sun Oct 02 18:44:57 2005 us=617025 HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
Sun Oct 02 18:44:57 2005 us=628081 HTTP proxy returned bad status
Sun Oct 02 18:44:57 2005 us=634805 TCP/UDP: Closing socket
Sun Oct 02 18:44:57 2005 us=641462 SIGTERM[soft,init_instance] received, process exiting
Press any key to continue...
-----------------------------------------------------
I can't see anything in the syslog of my server....
maybe a fault of squid?

thanks for help

Ralph

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
Rolf Fokkens | 2 Oct 23:14 2005

Patch: Admin interface shows server IP when connected

Hi,

I created an OpenVPN admin interface, in which I want to show the server a client is actually connected to. The normal "state" command in the admin interface does not provide the information. The attached patch adds an extra argument to the "state" result which shows the server's IP. Like this:
[root <at> VPN00059 ~]# echo state | nc 0.0.0.0 5000
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
1128286300,CONNECTED,SUCCESS,,145.66.1.1
END
[root <at> VPN00059 ~]#
James Yonan once told me that this actually changes the admin API, so it may break some admin interfaces. For those however who can use it, I attached the patch.

Rolf
Attachment (openvpn-2.0.1-fks1.patch): text/x-patch, 5703 bytes
Zym0tiC | 2 Oct 22:54 2005

VPN no gateway troubles

I have a VPN connection running between 2 locations.

First my home location:

server
ip: 192.168.0.100/24 
vpn: 192.168.1.1/30

|
|
|

router
ip 192.168.0.1

|
|
Internet
|
|

laptop
ip: 10.0.0.45/8 (can change depending on location)
vpn: 192.168.1.2/30

I can see the resources on the other site, no problem so far, but what I want is to use other machines, my router with internet, which is behind my vpn server.

My server.conf so far:
dev tun
ifconfig 192.168.1.1 192.168.1.2
push "route-gateway vpn_gateway"
push "redirect-gateway"
secret /etc/openvpn/static.key

My client.conf
remote vpn-address
dev tun
ifconfig 192.168.1.2 192.168.1.1
secret "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\static.key"

But when I run ipconfig on my laptop I don't see a gateway appear by my vpn interface.

Zym0tiC

Jeff Shanholtz | 2 Oct 23:36 2005

Enabling OpenVPN server on multiple interfaces?

Apologies if this is a double post (didn't seem to get through the 1st
time)...

I currently have OpenVPN successfully working on my external interface
(internet). I want it to also serve my wireless network which is on its own
network (i.e. I have 3 NICs - one for local network, one for internet, one
for wireless). In other words, I want wireless clients to be firewalled out
of my local network until they vpn in.

So I want OpenVPN to serve both my external interface and my wireless
network. However, when I try to connect to the vpn over the wireless
network, it fails to connect with this error: "TCP/UDP: Socket bind failed
on local address [undef]:1194: Address already in use (WSAEADDRINUSE)". In
addition, if I set verb to 9 on my server it reports "TCP/UDP: No outgoing
address to send packet". I am using a static configuration (this is for
personal use only for now) and I know there isn't already another vpn
connection established.

I'm quite certain my iptables firewall is properly configured. Everything
works fine across the internet so I essentially duplicated all my external
interface rules for my wireless. I can get a dhcp address and ping back and
forth on my wireless network (I mean before attempting to connect to the
vpn). And bringing down my firewall makes no difference either.

I'm not sure what the problem could be. The only difference between my
working "across the internet" client conf file and the one I'm using for my
wireless connection is the remote address setting.

Anyway, here's my server conf file, followed by my client conf file. If
anyone can shed some light on this problem I'd be grateful.

Server:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/keys/static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

Client:
remote 192.168.1.1
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
route 192.168.0.0 255.255.255.0
dhcp-option WINS 192.168.0.1
dhcp-option NBT 2

edoardo | 3 Oct 03:41 2005

ssh not workin' through openvpn


hi gals, hi dudes : )

this is my first post to the list. i come up here with a question no one 
seems to be able to answer this far. i set up an openvpn between my client 
at home and a server at my father's office, through routin'. then i added 
a route to the server's gateway and added forwardin' support to the 
server, so that now my client at home can see the whole office network, 
and the whole network can see my client. then i set up sshd on port 26 on 
my client at home. then i went into the server's gateway configuration, 
and forwarded port 26 to my client, which is 10.8.0.50 on the openvpn.

now if i ssh on port 26 from any computer on the server's lan to my 
client, it works fine. but if i try and do that from the internet, it don't 
work.

what could the causes be? help! : ) thank you! : )

ciao! : )

edo

Hristo Markow | 2 Oct 15:02 2005

(no subject)

Hello openvpn-users,

Can someone help me? I want to use the OpenVPN project without distributing TAPINSTALL.EXE and of course
without using it, i.e. I want to install the TAP driver from the INF file with my own program. I write in DELPHI, but
some C source could also help me.

Best regards, 

Hristo Markow
airsoft <at> bginfo.net
2005-10-02

Jeff Shanholtz | 2 Oct 00:19 2005

Enabling OpenVPN server on multiple interfaces?

I currently have OpenVPN successfully working on my external interface
(internet). I want it to also serve my wireless network which is on its own
network (i.e. I have 3 NICs - one for local network, one for internet, one
for wireless). In other words, I want wireless clients to be firewalled out
of my local network until they vpn in.

So I want OpenVPN to serve both my external interface and my wireless
network. However, when I try to connect to the vpn over the wireless
network, it fails to connect with this error: "TCP/UDP: Socket bind failed
on local address [undef]:1194: Address already in use (WSAEADDRINUSE)". I am
using a static configuration (this is for personal use only for now) and I
know there isn't already another vpn connection established.

I'm quite certain my iptables firewall is properly configured. Everything
works fine across the internet so I essentially duplicated all my external
interface rules for my wireless. I can get a dhcp address and ping back and
forth on my wireless network (I mean before attempting to connect to the
vpn). And bringing down my firewall makes no difference either.

It almost seems like the server is only binding to the external interface,
but looking at the man page it appears that by default it binds to all
interfaces, so I'm not sure what the problem could be. The only difference
between my working "across the internet" client conf file and the one I'm
using for my wireless connection is the remote address setting.

Anyway, here's my server conf file, followed by my client conf file. If
anyone can shed some light on this problem I'd be grateful.

Server:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/keys/static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

Client:
remote 192.168.1.1
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
route 192.168.0.0 255.255.255.0
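
An added example, not from any of the posters: a small checker for the static-key and proxy configs in this thread. It parses OpenVPN config syntax (comment lines start with `#` or `;`, arguments may be quoted) and flags three patterns: `push` in a `--secret` setup like Zym0tiC's server, where push/pull only work in TLS client/server mode; a static-key client without `nobind`, which binds local port 1194 itself and so cannot coexist with a second instance on the host (the WSAEADDRINUSE in Jeff's post); and `http-proxy` with a `remote` port other than 443, which Squid's stock `http_access deny CONNECT !SSL_ports` rule refuses with a 403 as in Ralph's log. The sample configs are condensed from the ones posted above.

```python
import shlex

# Directives that only work in TLS client/server mode. With --secret (the static
# key point-to-point setup used in this thread) OpenVPN does not act on them.
TLS_ONLY = {"push", "pull", "client", "server", "tls-server", "tls-client"}

def parse_config(text):
    """Parse OpenVPN config text into (directive, [args]) pairs; lines that start
    with '#' or ';' are comments, as in the posted sample files."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            words = shlex.split(line)        # copes with the quoted Windows key path
            opts.append((words[0], words[1:]))
    return opts

def lint(text):
    """Return [(code, message)] findings for one config; an empty list means clean."""
    opts = parse_config(text)
    names = {d for d, _ in opts}
    last = dict(opts)                        # last occurrence of each directive wins
    findings = []
    if "secret" in names:
        tls_only = sorted(names & TLS_ONLY)
        if tls_only:
            findings.append(("tls-only", "%s has no effect in static-key mode; put the "
                             "pushed option (e.g. redirect-gateway) in the peer's own config"
                             % ", ".join(tls_only)))
        if "remote" in names and "nobind" not in names:
            findings.append(("bind", "client binds local port 1194 itself (no nobind); a "
                             "second OpenVPN instance on this host gets Address already in use"))
    if "http-proxy" in names:
        proto = last.get("proto", ["udp"])[0]
        if not proto.startswith("tcp"):
            findings.append(("proxy-proto", "http-proxy requires proto tcp, found %s" % proto))
        for d, a in opts:
            if d == "remote" and len(a) > 1 and a[1] != "443":
                findings.append(("proxy-port", "CONNECT %s:%s: Squid's stock rule "
                                 "'http_access deny CONNECT !SSL_ports' allows only the SSL "
                                 "ports (443), so a 403 is proxy policy, not the VPN server"
                                 % (a[0], a[1])))
    return findings

# Constructed samples condensed from the configs posted in this thread.
ZYM_SERVER = 'dev tun\nifconfig 192.168.1.1 192.168.1.2\npush "redirect-gateway"\nsecret static.key\n'
JEFF_CLIENT = "remote 192.168.1.1\ndev tun\nifconfig 10.8.0.2 10.8.0.1\nsecret static.key\n"
RALPH_CLIENT = "client\nproto tcp\nremote VPN-Server-remote 80\nnobind\nhttp-proxy my-proxy 3128\n"
```

Running `lint()` over each of the three samples reports exactly one finding per config.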

Glenn English | 3 Oct 04:12 2005

Re: ssh not workin' through openvpn

On Mon, 2005-10-03 at 03:41 +0200, edoardo wrote:

> now if i ssh on port 26 from any computer on the server's lan to my 
> client, it works fine. but if try and do that from the internet, it don't 
> work.
> 
> what could the causes be? help! : ) thankyou! : )

Your client that's 10.8.0.50 on the vpn -- what is it on the Internet?

Can you ping it from the Internet?

-- 
Glenn English
ghe <at> slsware.com
GPG ID: D0D7FF20

Paul Gregory | 1 Oct 15:53 2005

No connection until I ping from server

I'm new to OpenVPN and am having problems getting the connection to work
automatically. I'm using OpenVPN 2.0.2 as server on Windows XP Pro SP2,
clients are XP Pro SP2 and Fedora FC4.

When I establish a connection from a client to the server the client
cannot ping or "see" any of the data on the server until I ping FROM the
server TO the client, after which everything works as expected. Using
Ethereal on the server shows that the ping requests are being received
but no replies are being sent.

Any ideas on how to correct this gratefully received.

Thanks
Attachment (smime.p7s): application/x-pkcs7-signature, 4298 bytes