Jan Just Keijser | 1 Apr 09:50 2009

Re: Vista and redirect-gateway

Hi,
Encarnacion wrote:
> I'm using redirect-gateway which works fine for a few minutes, after a 
> few minutes my Vista 64 box automatically readds my local 
>
>           0.0.0.0          0.0.0.0     192.168.15.1     192.168.15.3     25
>
> route which causes the VPN redirect to fail. 
>
> Any ideas on how to stop that?
>
>
Most likely it's an update from the DHCP server on your LAN. Ways to 
stop this: don't let the default route be set by the DHCP server? Stop 
using Vista ;-) ?

cheers,

JJK

> After starting openvpn:
>
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.9        10.8.0.10     30
>          10.8.0.1  255.255.255.255         10.8.0.9        10.8.0.10     30
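
Why the re-added LAN default route breaks the redirect, as an added example that is not part of the original posts: route selection prefers the most specific prefix and, between equal prefixes, the lowest metric, so the metric-25 LAN route beats the metric-30 VPN route. The second table assumes OpenVPN's `redirect-gateway def1` variant, which the thread does not mention; the rows are constructed from the values quoted above and the probe addresses are arbitrary.

```python
import ipaddress

# Constructed rows (destination, netmask, gateway, interface, metric), using the
# values from the route tables quoted in this thread.
LAN_DEFAULT = "0.0.0.0 0.0.0.0 192.168.15.1 192.168.15.3 25"
VPN_DEFAULT = "0.0.0.0 0.0.0.0 10.8.0.9 10.8.0.10 30"
VPN_PEER = "10.8.0.1 255.255.255.255 10.8.0.9 10.8.0.10 30"
# Assumption: the two /1 routes that "redirect-gateway def1" installs via the VPN.
VPN_DEF1 = ["0.0.0.0 128.0.0.0 10.8.0.9 10.8.0.10 30",
            "128.0.0.0 128.0.0.0 10.8.0.9 10.8.0.10 30"]

AFTER_DHCP_REFRESH = "\n".join([LAN_DEFAULT, VPN_DEFAULT, VPN_PEER])
WITH_DEF1 = "\n".join([LAN_DEFAULT, VPN_PEER, *VPN_DEF1])


def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip headers and wrapped or partial lines
        dest, mask, gateway, interface, metric = parts
        routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                       "gateway": gateway, "interface": interface,
                       "metric": int(metric)})
    return routes


def select_route(routes, destination):
    """Longest prefix wins; between equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def leaks_outside_vpn(routes, vpn_interface, probes=("45.0.0.1", "203.0.113.7")):
    """Return the probe addresses that would leave through a non-VPN interface."""
    leaks = []
    for probe in probes:
        route = select_route(routes, probe)
        if route is not None and route["interface"] != vpn_interface:
            leaks.append(probe)
    return leaks


if __name__ == "__main__":
    print(leaks_outside_vpn(parse_routes(AFTER_DHCP_REFRESH), "10.8.0.10"))
    print(leaks_outside_vpn(parse_routes(WITH_DEF1), "10.8.0.10"))
```

Run against a saved copy of the client's route table, a non-empty result means traffic is bypassing the tunnel.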

Jan Just Keijser | 1 Apr 09:49 2009

Re: tunneling

Hi Richard,

let me get this straight: the USA server is the openvpn client, the NL 
server is the openvpn server right?

the openvpn log file from the US machine shows:

Mon Mar 30 12:27:36 2009 us=142152 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=NL/ST=Noord_Holland/L=Haarlem/O=Software_Development/OU=VPN_management/CN=s01.haarlem.softwaredev.nl/emailAddress=sysadmin <at> softwaredev.nl
Mon Mar 30 12:27:36 2009 us=142247 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

this suggests that the US machine is expecting a server certificate 
(--ns-cert-type server in the config?) yet the certificate from the 
machine in the NL (s01.haarlem.softwaredev.nl) does not supply this kind 
of cert. Can you try it without the
  --ns-cert-type server
to see if that makes any difference?
You could also recreate the server certificate (on the haarlem machine) 
using
  ./build-key-server

HTH/groetjes,

JJK

Richard Pijnenburg wrote:
> Hi Jan,
>
> I've checked it and even recreated the certificates with build-key but I'm still getting verify errors.
>
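
A small triage script for the failure discussed in this message, as an added example that is not part of the original posts: it pulls `VERIFY ERROR` lines out of an OpenVPN log and flags the depth-0 "unsupported certificate purpose" case. The sample log is constructed from the lines quoted above with a shortened subject; the function names and hint wording are illustrative.

```python
import re

# Constructed sample modelled on the log lines quoted above (subject shortened).
SAMPLE_LOG = """\
Mon Mar 30 12:27:36 2009 us=142152 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=NL/O=Software_Development/CN=s01.haarlem.softwaredev.nl
Mon Mar 30 12:27:36 2009 us=142247 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (/\S.*)$")


def parse_subject(dn):
    """Split an OpenSSL one-line subject (/C=NL/O=.../CN=...) into a dict."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def triage(log_text):
    """Return one finding per VERIFY ERROR line, with a hint on where to look."""
    findings = []
    for line in log_text.splitlines():
        match = VERIFY_RE.search(line)
        if not match:
            continue
        depth, reason = int(match.group(1)), match.group(2).strip()
        subject = parse_subject(match.group(3))
        if depth == 0 and reason == "unsupported certificate purpose":
            # Depth 0 is the peer's own certificate: it lacks the purpose this
            # side enforces (here, ns-cert-type server in the client config).
            hint = "reissue the peer certificate as a server certificate"
        elif depth == 0:
            hint = "the peer's own certificate failed verification"
        else:
            hint = "a CA certificate in the chain failed verification"
        findings.append({"depth": depth, "reason": reason,
                         "cn": subject.get("CN"), "hint": hint})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Removing `ns-cert-type server` is useful as a diagnostic, but that check is what stops a certificate issued to another client from being accepted as the server's.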

Mohit Kumar | 1 Apr 10:24 2009

Open VPN in VISTA

Hi ALL

I have successfully installed OpenVPN on Windows XP, but Windows Vista requires administrator privileges to install OpenVPN.

Is there any solution to install the openvpn on vista machine without administrator privileges?

If this is not possible then please suggest me any other Tunnel technologies instead of Open VPN which will allow me to enable tunneling on VISTA without having to be login as ADMIN
 
Mohit Kumar
 
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
eerov | 1 Apr 10:57 2009

Re: Open VPN in VISTA

Quoting Mohit Kumar <mk22101985 <at> gmail.com>:

> *
>
> Hi ALL
>
> I have successfully install the openvpn on windows XP but window vista
> requires administrator privileges to install the open vpn.
>
> Is there any solution to install the openvpn on vista machine without
> administrator privileges?
>
> If this is not possible then please suggest me any other Tunnel technologies
> instead of Open VPN which will allow me to enable tunneling on VISTA without
> having to be login as ADMIN
>
> Mohit Kumar
>
> *
>

Installation requires admin privileges, but starting it does not:

See: http://openvpn.net/archive/openvpn-users/2008-01/msg00231.html
so you need to put the user in the "Network Configuration Operators" group

--
Eero,
RHCE

------------------------------------------------------------------------------
claus westerkamp | 1 Apr 13:36 2009

NFS issue

Hello List,

I have set up a TUN-network with about 10 clients.

everything seems to work fine besides NFS:

- linux-clients cannot mount NFS-share
- apple max OSX clients can mount NTF-shares

both have the same client.conf

anyone else experienced this?
the server is ubuntu 8.0.4LTS with openvpn 2.1rc15,
clients have 2.1rc15 too

does client.conf on the ubuntu-clients need any modification?

I don't get it :(

kind regards
claus

------------------------------------------------------------------------------
Mike Wiseman | 1 Apr 17:13 2009

Re: Open VPN in VISTA

You can do this without turning UAC off:

http://article.gmane.org/gmane.network.openvpn.user/24873

Mike

> -----Original Message-----
> From: eerov <at> welho.com [mailto:eerov <at> welho.com]
> Sent: April-01-09 4:57 AM
> To: Mohit Kumar
> Cc: openvpn-users <at> lists.sourceforge.net
> Subject: Re: [Openvpn-users] Open VPN in VISTA
> 
> Quoting Mohit Kumar <mk22101985 <at> gmail.com>:
> 
> > *
> >
> > Hi ALL
> >
> > I have successfully install the openvpn on windows XP but window vista
> > requires administrator privileges to install the open vpn.
> >
> > Is there any solution to install the openvpn on vista machine without
> > administrator privileges?
> >
> > If this is not possible then please suggest me any other Tunnel
> technologies
> > instead of Open VPN which will allow me to enable tunneling on VISTA
> without
> > having to be login as ADMIN
> >
> > Mohit Kumar
> >
> > *
> >
> 
> Installation requires admin privileges, but start not:
> 
> See: http://openvpn.net/archive/openvpn-users/2008-01/msg00231.html
> so, you need to put user in "Network Configuration Operators" group
> 
> --
> Eero,
> RHCE
> 

------------------------------------------------------------------------------
Jan Just Keijser | 1 Apr 17:22 2009

Re: NFS issue

hi Claus,

claus westerkamp wrote:
> Hello List,
>
> I have set up a TUN-network with about 10clients.
>
> everything seems to work fine besides NFS:
>
> - linux-clients cannot mount NFS-share
> - apple max OSX clients can mount NTF-shares
>
> both have the same client.conf
>
>
> anyone else experienced this?
> the server is ubuntu 8.0.4LTS with openvpn 2.1rc15,
> clients have 2.1rc15 too
>
>
>
> does client.conf on the ubuntu-clients need any modification?
>   

what are NTF mounts?
if "everything works" except NFS then most likely you're looking at a 
firewall issue. Without config files it is very hard to tell what is 
failing here.
There is no reason why NFS should not work except misconfiguration.

HTH,

JJK

------------------------------------------------------------------------------
Dennis P. Nikolaenko | 1 Apr 18:54 2009

Re: WinXP machine can no longer connect

Nik wrote:
> Hi all,
>
> I've been using OpenVPN since version 1.something, and it always works 
> flawlessly, and is hassle-free (thanks!).
>
> I currently support a small number of clients on different architectures 
> to the one linux server.
>
> Some time ago, one of the Windows users allowed some automatic update on 
> one of their machines, and now it cannot connect any more. I am trying 
> to work out what has caused this machine to cease connecting.
>
> I currently have the machine in question in the office, and I *cannot* 
> get it to connect.
> This machine uses the OpenVpnGUI on Windows XP.
> The log on the client shows:
>
> TLS: Initial packet from w.x.y.z p sid= i1 i2
> VERIFY OK: DEPTH=1, ...
> VERIFY X509NAME:
> VERIFY OK: DEPTH = 0, ...
>
> Then there is a pregnant pause, then a timeout message, and the 
> connection attempt is tried again.
> At the same time, I can connect with my linux notebook without any 
> problems.
>
> I have tried disabling Windows Firewall, disabling authenticated network 
> connectivity on both main and TUN network adaptors.
> On the server I have tried opening the server firewall (within the 
> office) to this machine completely.
>
> The user is logged into the client machine as Administrator, has Windows 
> firewall enabled, has Vet Antivirus (from CA), and Novel Netware.
>
> The symptoms are of packets being blocked, but I am at a loss as to what 
> is blocking them.
>
> Q1: Has anyone else encountered a similar situation?
> Q2: Can anyone suggest other things to investigate?
> Q3: How do I go about debugging this further?
>
>   

Use a tool like wireshark to see if there are any packets transmitted 
through the physical interface during the pause.
Increasing the verbosity of the log may also help.
--
Dennis

------------------------------------------------------------------------------
filip beijer | 1 Apr 19:21 2009

Re: NFS issue

Hi Claus,

Do the NFS exports (/etc/exports) allow clients, with their subnet, to 
mount?

Filip

Jan Just Keijser wrote:
> hi Claus,
>
> claus westerkamp wrote:
>   
>> Hello List,
>>
>> I have set up a TUN-network with about 10clients.
>>
>> everything seems to work fine besides NFS:
>>
>> - linux-clients cannot mount NFS-share
>> - apple max OSX clients can mount NTF-shares
>>
>> both have the same client.conf
>>
>>
>> anyone else experienced this?
>> the server is ubuntu 8.0.4LTS with openvpn 2.1rc15,
>> clients have 2.1rc15 too
>>
>>
>>
>> does client.conf on the ubuntu-clients need any modification?
>>   
>>     
>
> what are NTF mounts?
> if "everything works" except NFS then most likely you're looking at a 
> firewall issue. Without config files it is very hard to tell what is 
> failing here.
> There is no reason why NFS should not work except misconfiguration.
>
> HTH,
>
> JJK
>

------------------------------------------------------------------------------
Daniel Carmo Olops | 1 Apr 20:43 2009

Packet loss and high latency on client-to-client communication

Hi people,

It's my first post to the list. I've set up an OpenVPN environment with one server and several clients, and it works fine. But I'm facing considerable packet loss and high latency on clients that connect through cheap links (ADSL, 1 Mbps or more), when they try to reach another client, as you can see below:

--- 192.168.100.10 ping statistics ---
50 packets transmitted, 45 received, 10% packet loss, time 49013ms
rtt min/avg/max/mdev = 86.621/518.784/1045.346/223.954 ms, pipe 2

This is the same test using the other client's external IP address (omitted):
--- a.b.c.d ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 48955ms
rtt min/avg/max/mdev = 32.720/63.983/242.638/35.962 ms

Just to make things clear, it's a connection between the DSL client to another one that is behind a dedicated 2 Mbps link. I've setup OpenVPN to allow client-to-client communication. The packet loss was higher, but it was reduced after playing a bit with the 'fragment' and 'mssfix' options. It was about 30-50%, now it's between 10-20%. Here's the ping results between the dedicated link client and the server, that also is behind a 2 Mbps dedicated link (fiber):

--- 192.168.100.10 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 49059ms
rtt min/avg/max/mdev = 32.297/82.671/247.125/58.747 ms

--- a.b.c.d ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 49132ms
rtt min/avg/max/mdev = 30.355/85.371/236.315/48.426 ms

As you can see, on this side there is no significant difference in RTT and packet loss between plain access and VPN. An interesting point is that when the access is between the DSL client and the OpenVPN Server, RTT and packet loss are almost equal to plain access.

Is there something I could do in order to improve RTT and packet loss in this scenario? The server is a Debian Etch box, running OpenVPN 2.0.9. One of the problematic clients uses OpenVPN 2.0.9 on Debian Sarge (yeah, I know it needs updating), and the other is a Windows Server 2003 running OpenVPN 2.1_rc15. The client that is being accessed through the VPN (192.168.100.10) is a Debian Etch box with OpenVPN 2.0.9.

Here are the config files:

SERVER
================
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
keepalive 10 120
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
chroot /etc/openvpn/chroot
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir clients
push "dhcp-option WINS 172.2.16.2"
client-to-client

route 172.16.0.0 255.255.0.0
route 192.168.14.0 255.255.255.0

push "route 172.2.0.0 255.255.0.0"
push "route 172.16.0.0 255.255.0.0"
push "route 192.168.14.0 255.255.255.0"

fragment 1000
mssfix
================

CLIENT BEHIND DEDICATED LINK (192.168.100.10)
================
fragment 1000
mssfix
client
dev tun
proto udp
remote vpn.grupopolis.com.br 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert faj1.crt
key faj1.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
================

CLIENT BEHIND DSL LINK
================
fragment 1000
mssfix
client
dev tun
proto udp
remote vpn.grupopolis.com.br 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert policamp.crt
key policamp.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
================

Best regards,

Daniel
