Eric C. Snowdeal III | 1 Mar 2006 04:25

[ ot?] browsing samba shares with tap

[ fwiw,  i've debated endlessly whether this is a samba question or an 
openvpn question, but finally came to the conclusion that there might be 
a higher chance of resolving this issue by sending the message here.  
apologies to anyone who feels this is off-topic and more appropriate for 
the samba list. ]

i have a bridge (tap) network running on an openvz [1] virtual server.  
to get the bridging working properly, i needed to set up a "fake" lan nic 
( 10.8.1.0/24 ) using a process similar to that described here [2], 
since the "real" nic is bound to a public ip address.  after getting the 
bridge working properly, i decided to test my luck by configuring a 
samba server for connected clients.  everything works perfectly, in the 
sense that after i start the samba server mac and windows clients can 
connect to the samba share, but for the life of me, i can't get the 
samba server to show up in "my network places" on windows machines.  i have 
set up the samba server to bind to the bridge interface [3] and netstat 
shows that it's listening on the subnet associated with the bridge [4] 
and i can see netbios broadcasts from clients on the server [5], but the 
server apparently isn't responding.

the only hint i've seen is in an oldish message from james ( yonan ) [6] 
that implies that if samba is listening on an interface other than the 
primary ethernet interface then you must configure samba to act as a wins 
server:

"Make sure that your samba configuration is correct. If you are bridging 
ethernet interfaces on the linux server, then the samba config probably 
doesn't need to be modified. However, if you are creating a new 
interface which uses a different subnet than the primary physical 
ethernet which samba is listening on, then you need to upgrade your 

fleece@compuserve.com | 1 Mar 2006 05:55

RE: Cisco IPSec thru OpenVPN?

Thanks I'll give this a try.  I'm a newbie so I may need some help.

-----Original Message-----
From: Schlomo Schapiro 
Sent: Tuesday, February 28, 2006 3:55 PM
To: "fleece <at> compuserve.com"
Cc: "'openvpn-users'"
Subject: Re: [Openvpn-users] Cisco IPSec thru OpenVPN?

 
Hi,

I also have to resort to this solution as my company also offers only 
IPsec/UDP to access the office.

I connect a tun to my home and then over that I connect the IPsec/UDP.

It works only if the path home is quite good and I don't run any heavy 
downloads at home. Otherwise the IPsec just fails with some timing error 
messages, my guess being because the packets take too long to return. If it 
works, it seems to work sufficiently reliably.

Don't expect any performance miracles with this setup, though. It is just 
enough to sync my Outlook. Pulling files is more or less pointless.

HTH,
Schlomo

On Tue, 28 Feb 2006, fleece <at> compuserve.com wrote:


Gerardo Gonzalez | 1 Mar 2006 07:08

TUN/TAP for Windows NT 4

Hello,

I'm trying to determine if it is possible to create a TUN/TAP driver
for Windows NT 4 so openVPN can be run on that platform.

I know that the current TUN/TAP driver for win32 doesn't support NT 4;
however, in the documentation they imply that it can be done, although
stability would be sacrificed:

http://openvpn.net/INSTALL-win32.html
"To a certain extent, backwards compatibility with NT 4 has been
sacrificed in the interest of better usability and stability on
Win2K/XP."

In the same document it's stated that openVPN's TUN/TAP driver is
derived from CIPE.

Then I found the following post by James Yonan:
http://openvpn.net/archive/openvpn-users/2004-02/msg00042.html
----------------------------------------------------
> Does Open VPN run on NT 4 or only W2K/XP

Only W2K and up (that's because it needs NDIS 5 which isn't available on NT).

James
-----------------------------------------------------

So, here are a couple of questions:
1. Is there any missing feature on NDIS 4 that prevents the
construction of a TUN/TAP driver for NT 4?

Stephen | 1 Mar 2006 08:20

Re: Re: Automating certificate building

Hi Charles,

Thanks for the heads-up on the openssl.cnf file. Looks like your  
advice is exactly what I needed to pass the data in.

Just have to figure out now how to autosign and save the certificate  
so I don't get asked that question at the end of the build-key script.

Stephen

On 27/02/2006, at 9:22 AM, Charles Duffy wrote:

> Stephen wrote:
>> Hi All,
>> I need a script to generate client certificates so that I can   
>> automate certificate building for a number of users.
>>
>
> Look at openssl.cnf.
>

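As an added example (not from the thread, and not easy-rsa's own build-key script), the script below is a minimal openssl.cnf plus the two non-interactive switches: -subj supplies the DN that openssl.cnf would otherwise prompt for, and `openssl ca -batch` answers the sign/commit questions Stephen is being asked at the end of build-key. The ./demo-ca directory and the client names are hypothetical.

```shell
# Added example, not from the thread or from easy-rsa: a minimal openssl.cnf
# plus "openssl ca -batch", the flag that removes the sign/commit y/n prompts.
# The CA directory (./demo-ca) and the client names are hypothetical.
set -e
CA_DIR=${CA_DIR:-./demo-ca}
# Create the database files "openssl ca" expects, then the config it reads.
setup_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/clients"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = policy_cn
x509_extensions = client_ext
[ policy_cn ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
  # Self-signed CA for the demo only; a real CA key belongs on an offline machine.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}
# One client: -subj answers the DN prompts, -batch the y/n ones; like build-key,
# -nodes writes the key unencrypted, so restrict access to the clients directory.
issue_client_cert() {
  out="$CA_DIR/clients/$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -config "$CA_DIR/openssl.cnf" -keyout "$out.key" -out "$out.csr" 2>/dev/null
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$out.csr" -out "$out.crt" 2>/dev/null
  openssl verify -CAfile "$CA_DIR/ca.crt" "$out.crt" >/dev/null
}
```

Run `setup_ca` once, then `issue_client_cert <name>` per user; each call writes name.key and name.crt under the clients directory and records the issue in index.txt.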
rvenne | 1 Mar 2006 11:10

Re: authenticated vpn connection on freebsd server

Dominique Goncalves wrote:
> Hi,
>
> On 2/28/06, rvenne <at> dental-on-line.fr <rvenne <at> dental-on-line.fr> wrote:
>   
>> hi list.
>>
>> I've some untrusted vpn clients somewhere on the earth. They need to have
>> access to some critical resources. openvpn-auth-pam/pam-ldap seems a
>> good solution, except for this:
>>
>> /openvpn-2.0.5/plugin/auth-pam# make
>> "Makefile", line 9: Missing dependency operator
>> "Makefile", line 11: Need an operator
>> "Makefile", line 13: Need an operator
>> make: fatal errors encountered -- cannot continue
>>     
>
> I guess you need to use gmake instead of (BSD) make.
>
> Hope this helps.
>
> Regards.
>
>   
>> I can't make the openvpn pam module.
>>
>>
>> some ideas?
>>

rvenne | 1 Mar 2006 12:56

Re: authenticated vpn connection on freebsd server

rvenne <at> dental-on-line.fr wrote:
> Dominique Goncalves wrote:
>> Hi,
>>
>> On 2/28/06, rvenne <at> dental-on-line.fr <rvenne <at> dental-on-line.fr> wrote:
>>  
>>> hi list.
>>>
>>> I've some untrusted vpn clients somewhere on the earth. They need to have
>>> access to some critical resources. openvpn-auth-pam/pam-ldap seems a
>>> good solution, except for this:
>>>
>>> /openvpn-2.0.5/plugin/auth-pam# make
>>> "Makefile", line 9: Missing dependency operator
>>> "Makefile", line 11: Need an operator
>>> "Makefile", line 13: Need an operator
>>> make: fatal errors encountered -- cannot continue
>>>     
>>
>> I guess you need to use gmake instead of (BSD) make.
>>
>> Hope this helps.
>>
>> Regards.
>>
>>  
>>> I can't make the openvpn pam module.
>>>
>>>
>>> some ideas?

Per-Olov Sjöholm | 1 Mar 2006 14:20

Listen statement

Hi

How can I make OpenVPN 2.0.5 listen on just a specific address and not be 
greedy and bind to all IPs on the server? I have searched the archives 
without success...

This is an example config I want to change to bind to a single machine IP....

--snip--
daemon openvpn
port 443
proto tcp
dev tun2
server 192.168.210.0 255.255.255.0
log-append /var/log/openvpnd-tcp.log
status /var/log/openvpnd-status-tcp.log 10
dh /etc/ssl/dh2048.pem
ca /etc/ssl/CA_cert.pem
cert /etc/ssl/certs/CVPNgw3.pem
key /etc/ssl/keys/KVPNgw3.pem
crl-verify /etc/ssl/crl/crl.pem
max-clients 50
keepalive 10 60
user openvpn
group openvpn
persist-key
persist-tun
push "route 192.168.12.0 255.255.252.0"
push "dhcp-option DNS 192.168.13.12"
push "dhcp-option DNS 192.168.13.13"

Dale | 1 Mar 2006 14:45

Re: OpenVPN Server Performance (real experience)

Dale <d.schultz <at> telesat.ca> writes:

> 
> Charles Duffy <cduffy <at> spamcop.net> writes:
> > I'd be interested to see what exactly your system is actually doing 
> > that's throttling the CPU. Perhaps you could use oprofile to find out if 
> > it's spending its time inside OpenSSL (which is the only *legitimate* 
> > place for it to be) or somewhere else.
> > 
> I can look at using that tool, thanks.  I just want to be clear though, I'm 
> only having CPU load issues when the network has to re-establish all the 
> tunnels with the remotes.  I have no problems once the tunnels are up.  The 
> CPU with 200+ tunnels running is very low in normal operating mode.  The 
> highest I see it go is 10%, and that is when the reneg kicks in.  I need to 
> look at the reneg option too, I'd like to get away from the 3600 seconds 
> thing.  Can I use both reneg on a packet count and on time together?  Such 
> that if the packet limit is not reached before the time period then the time 
> cause a reneg?
> 
> Thanks

Hi: Does anyone know the effect of using dh4096.pem on tunnel establishment 
compared to n=1024 or n=2048?  I didn't create this server but I did find out 
that we are using n=4096 and it took three days to generate the DH parameters 
on this server (3GHz Intel Xeon).


Mathias Sundman | 1 Mar 2006 15:21

Re: Listen statement

On Wed, 1 Mar 2006, Per-Olov Sjöholm wrote:

> How can I make OpenVPN 2.0.5 listen on just a specific address and not be
> greedy and bind to all IPs on the server? I have searched the archives
> without success...

--local x.x.x.x

-- 
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail
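
Mathias's one-line answer is the fix; what follows is an added check (not from the thread) for confirming it took effect after a restart. It parses constructed `netstat -ltn` output, with 192.0.2.10 standing in for the server's real address, and reports whether the OpenVPN port is bound to that address or still to the wildcard.

```shell
# Added check, not from the thread: after adding "local <addr>" to the server
# config, confirm the listener really left the wildcard address. The input is
# constructed in the layout of Linux "netstat -ltn"; 192.0.2.10 stands in for
# the server's real IP.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:443          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Print the local address of every tcp/tcp6 LISTEN socket on the given port
# (handles "0.0.0.0:443", ":::443" from netstat and "*:443" from ss).
listen_addrs() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      n = split($4, f, ":")
      if (f[n] == port) { sub(":" port "$", "", $4); print $4 }
    }'
}

# ok: bound only to the wanted address; wildcard: still greedy (0.0.0.0, :: or *);
# other: bound somewhere else; missing: nothing listening on that port.
bind_check() {
  addrs=$(listen_addrs "$1" "$2")
  [ -n "$addrs" ] || { echo missing; return; }
  for a in $addrs; do
    case $a in 0.0.0.0|::|\*) echo wildcard; return ;; esac
  done
  for a in $addrs; do
    if [ "$a" = "$3" ]; then echo ok; return; fi
  done
  echo other
}

bind_check "$SAMPLE_BEFORE" 443 192.0.2.10   # wildcard: the greedy bind in the question
bind_check "$SAMPLE_AFTER" 443 192.0.2.10    # ok: after "local 192.0.2.10"
```

On a live server, feed it `netstat -ltn` (or `ss -ltn`) output instead of the samples; `proto tcp` in the config is why the check looks at LISTEN sockets rather than UDP.
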
Iker Amescua | 1 Mar 2006 16:34

Re: No MAC resolution in bridged vpn

El Lunes, 27 de Febrero de 2006 18:46, Iker Amescua escribió:

Finally I have discovered and solved the problem. This traffic problem was 
caused by bad file (device) permissions. Although ifconfig showed eth0 
was in promisc mode, it wasn't, so no packets were received by the bridge. Now 
with this issue solved it works flawlessly.

> Hello
>
> I am using openvpn in bridged configuration between my local lan (eth0 and
> tap0) running on a dedicated Suse linux 9.3. The insecure side of this box
> (from which clients connect) is another ethernet lan eth1 (it comes from a wifi
> AP).
>
> The connection establishes without any error and I can ping from client to
> the vpn gateway and vice versa, but I can't ping any lan computer from the
> client. If I ping from the client to the lan I get arp who-has requests both in
> the bridge and in the lan, but no response from any computer. So I have
> concluded the client is unable to resolve lan macs, but the lan is able to resolve
> client macs.
>
> The other way around, if I ping from the lan to the client the mac is resolved,
> in the lan machine and in the client, but there is no response at all. The client
> receives the echo request but the response does not arrive at the lan.
>
> Another strange thing is that I am using a dhcp server to configure the client
> IP address and the server is in another machine in the lan, so I can guess
> that the communication between lan <-> client works until the ip address is
> assigned to the client. Just after the ip lease, if I look at the arp tables in the
> client it shows the dhcp server's mac and ip, but again no traffic.
