Samuli Seppänen | 2 Dec 19:30 2011

Re: Windows OpenVPN client



On Nov 24, 2011 3:08 AM, "Samuli Seppänen" <samuli <at> openvpn.net> wrote:
>
>
> > Trying to debug my openvpn server install I decided to try from a
> > windows machine (Windows7 64-bit) as well.
> >
> > I downloaded the latest installer - 2.2.1 - and ran the installer.
> > Per instructions I put the client.opvn and the certificates in the
> > config/ and right-clicked on the OpenVPN GUI icon and changed the
> > properties to Run as Administrator.  However, when I right-click on
> > the icon in the tray, I'm not presented with an options menu or
> > connect,  Instead I have About, Exit and settings.  And the settings
> > seem to relate to proxy options.  I expected something like:
> > http://www.klopfenstein.net/public/Uploads/lorenz/uwic-openvpn-connect.png
> > I uninstalled it and reinstalled it but it made no difference.  I even
> > tried down-grading to an earlier version.  Currently, I can't use it
> > to connect to my OpenVPN server - is there something I'm missing?
> >

> Hi Simon,
>
> I think the GUI is simply unable to find or load the
> config/something.ovpn file. Did you install OpenVPN to a non-default
> location? Also, OpenVPN 2.0.9 is terribly old, you should not use it.

> Thanks.   For now both my machines are trying to use 2.2.1..
>
> So the extra options will only show up if the program sees something in the config directory?  I'll check that .opvn file but otherwise it's just client.opvn, 2 .crt files and one .key file.  Odd that it should happen on both machines though.  Both installed to the default location..
>
> Simon

Just in case nobody responded to this already (I simply forgot). Yes, the GUI will only show the "Connect" menu if there are .ovpn files in the config directory. Not sure if it actually reads the config files to see if it thinks they're valid, or if it depends on the file extension.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Openvpn-users mailing list
Openvpn-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Simon Brereton | 2 Dec 19:53 2011

Re: Windows OpenVPN client

2011/12/2 Samuli Seppänen <samuli <at> openvpn.net>:
>
>
> On Nov 24, 2011 3:08 AM, "Samuli Seppänen" <samuli <at> openvpn.net> wrote:
>>
>>
>> > Trying to debug my openvpn server install I decided to try from a
>> > windows machine (Windows7 64-bit) as well.
>> >
>> > I downloaded the latest installer - 2.2.1 - and ran the installer.
>> > Per instructions I put the client.opvn and the certificates in the
>> > config/ and right-clicked on the OpenVPN GUI icon and changed the
>> > properties to Run as Administrator.  However, when I right-click on
>> > the icon in the tray, I'm not presented with an options menu or
>> > connect,  Instead I have About, Exit and settings.  And the settings
>> > seem to relate to proxy options.  I expected something like:
>> >
>> > http://www.klopfenstein.net/public/Uploads/lorenz/uwic-openvpn-connect.png
>> > I uninstalled it and reinstalled it but it made no difference.  I even
>> > tried down-grading to an earlier version.  Currently, I can't use it
>> > to connect to my OpenVPN server - is there something I'm missing?
>> >
>
>> Hi Simon,
>>
>> I think the GUI is simply unable to find or load the
>> config/something.ovpn file. Did you install OpenVPN to a non-default
>> location? Also, OpenVPN 2.0.9 is terribly old, you should not use it.
>
> Thanks.   For now both my machines are trying to use 2.2.1..
>
> So the extra options will only show up if the program sees something in the
> config directory?  I'll check that .opvn file but otherwise it's just
> client.opvn, 2 .crt files and one .key file.  Odd that it should happen on
> both machines though.  Both installed to the default location..
>
> Simon
>
> Just in case nobody responded to this already (I simply forgot). Yes, the
> GUI will only show the "Connect" menu if there are .ovpn files in the config
> directory. Not sure if it actually reads the config files to see if it
> thinks they're valid, or if it depends on the file extension.

Thanks.  On both machines, I do have the .opvn file in the config
directory.  Importantly, the registry confirms the path as the path to
the config file and neither machine has hidden known extensions.
Meaning that the .opvn files are really .opvn and not .opvn.txt or
something silly.

Simon

Timothy Madden | 2 Dec 20:28 2011

Non-encrypted tunnel

Hello

I would like to configure an OpenVPN server (currently on CentOS Linux, 
but also on Windows) to accept connections from any client if possible, 
and use no encryption.

Is this possible ?
Can I also have no authentication at all ? So I want just the tunnel, 
and nothing more, anyone can connect ...

I tried to configure a server with the example file provided on Windows, 
but openvpn keeps asking for those certificate files ... and then 
creates encrypted tunnels.

Thank you,
Timothy Madden

Les Mikesell | 2 Dec 23:44 2011

Re: Non-encrypted tunnel

On Fri, Dec 2, 2011 at 1:28 PM, Timothy Madden <terminatorul <at> gmail.com> wrote:
> Hello
>
> I would like to configure an OpenVPN server (currently on CentOS Linux,
> but also on Windows) to accept connections from any client if possible,
> and use no encryption.
>
> Is this possible ?
> Can I also have no authentication at all ? So I want just the tunnel,
> and nothing more, anyone can connect ...

I've never considered using OpenVPN in those circumstances (where a
GRE would suffice) but this says you can do it in PTP mode:
http://www.linuxhorizon.ro/openvpn-brief.html
The downside is that you have to use a different port and process for
each connection.

> I tried to configure a server with the example file provided on Windows,
> but openvpn keeps asking for those certificate files ... and then
> creates encrypted tunnels.

If you run in server mode (necessary to accept multiple connections on
the same port), I think you need the certificate, although it might
work to give all the clients the same one.

-- 
  Les Mikesell
    lesmikesell <at> gmail.com

Jan Just Keijser | 4 Dec 22:49 2011

Re: Non-encrypted tunnel

Les Mikesell wrote:
> On Fri, Dec 2, 2011 at 1:28 PM, Timothy Madden <terminatorul <at> gmail.com> wrote:
>   
>> Hello
>>
>> I would like to configure an OpenVPN server (currently on CentOS Linux,
>> but also on Windows) to accept connections from any client if possible,
>> and use no encryption.
>>
>> Is this possible ?
>> Can I also have no authentication at all ? So I want just the tunnel,
>> and nothing more, anyone can connect ...
>>     
>
> I've never considered using OpenVPN in those circumstances (where a
> GRE would suffice) but this says you can do it in PTP mode:
> http://www.linuxhorizon.ro/openvpn-brief.html
> The downside is that you have to use a different port and process for
> each connection.
>
>   
>> I tried to configure a server with the example file provided on Windows,
>> but openvpn keeps asking for those certificate files ... and then
>> creates encrypted tunnels.
>>     
>
> If you run in server mode (necessary to accept multiple connections on
> the same port), I think you need the certificate, although it might
> work to give all the clients the same one.
>
>   
you could use
  client-cert-not-required
to overcome the need for client certificates, but then you might *have 
to* use a username+password combo, which again wouldn't serve your 
purpose.

You could also use something like 'socat' or 'stunnel' to establish this 
kind of VPN tunnel.

HTH,

JJK

Timothy Madden | 5 Dec 13:00 2011

Output NOTE: on --script-security

Hello

I would like to get a nice and clean start-up for my OpenVPN server. Is 
there a proper way to prevent the script-security NOTE: message that 
shows up in OpenVPN output on startup ?

If I remove --script-security from my config file, or set it to 0, I get 
the note that OpenVPN now requires the --script-security option in order 
to run user script files.

If I specify --script-security in my file with a non-zero value, then I 
get the note that the current script-security level *allows* invocation 
of external user-specified scripts. :)

Thank you,
Timothy Madden

Samuli Seppänen | 5 Dec 13:47 2011

Re: Output NOTE: on --script-security


> Hello
>
> I would like to get a nice and clean start-up for my OpenVPN server. Is 
> there a proper way to prevent the script-security NOTE: message that 
> shows up in OpenVPN output on startup ?
>
> If I remove --script-security from my config file, or set it to 0, I get 
> the note that OpenVPN now requires the --script-security option in order 
> to run user script files.
>
> If I specify --script-security in my file with a non-zero value, then I 
> get the note that the current script-security level *allows* invocation 
> of external user-specified scripts. :)
>
> Thank you,
> Timothy Madden
Hi Timothy,

Which version of OpenVPN are you using? This _may_ have been fixed in
2.2.x and later by this commit:

<https://community.openvpn.net/openvpn/changeset/c2533d18ce6da1bd43502f9f2923541c578864e9>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Timothy Madden | 5 Dec 14:00 2011

How to route traffic for all sub-net through the VPN ?

Hello

I have a VPN connection between a (multi-client) server and currently 
only one client. Each one, client, and server, have their own local 
network or subnet, and the VPN connection, configured with --dev tun and 
with --client-to-client, creates yet another, virtual, subnet.

I would like any VPN clients that connect to have access to the server 
network.

For this I can push a route for the VPN server subnet to the clients 
that connect. But the return route, on the other hand, is not that easy 
to get.

The problem is the VPN server is not the gateway, nor the DHCP/DNS/WINS 
server, on its network. The gateway/DHCP server there is a (rather poor) 
D-Link DIR-100 home router, that carries and provides the uplink (which 
happens to lead the client subnet, if that matters).

On this router I could find no configuration option to make my VPN 
server, which appears as a local (internal) node to the router, set up 
to be a gateway for another sub-net (namely the virtual one 172.16.0.0/24).

Is there a way to announce the nodes in VPN server sub-net that they now 
have a new route to virtual network, that can be accessed with the VPN 
server as gateway ?

Or some other way to make the route work ?

Thank you,
Timothy Madden

Timothy Madden | 5 Dec 14:06 2011

Re: Output NOTE: on --script-security

On 05.12.2011 14:47, Samuli Seppänen wrote:
>
>> Hello
>>
>> I would like to get a nice and clean start-up for my OpenVPN server. Is
>> there a proper way to prevent the script-security NOTE: message that
>> shows up in OpenVPN output on startup ?
>>
>> If I remove --script-security from my config file, or set it to 0, I get
>> the note that OpenVPN now requires the --script-security option in order
>> to run user script files.
>>
>> If I specify --script-security in my file with a non-zero value, then I
>> get the note that the current script-security level *allows* invocation
>> of external user-specified scripts. :)
>>
>> Thank you,
>> Timothy Madden
> Hi Timothy,
>
> Which version of OpenVPN are you using? This _may_ have been fixed in
> 2.2.x and later by this commit:
>
> <https://community.openvpn.net/openvpn/changeset/c2533d18ce6da1bd43502f9f2923541c578864e9>
>

I have OpenVPN 2.2.0 on CentOS and indeed I do not get a WARNING: about 
this, I get a NOTE:, and only once, as that patch description said. 
And it looks like the note is about OpenVPN 2.1 ... :(

Here is my OpenVPN start-up output:

[root@console ~]# openvpn /etc/openvpn/server.conf
Tue Dec  6 14:16:59 2011 OpenVPN 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun  6 2011
Tue Dec  6 14:16:59 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Dec  6 14:16:59 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec  6 14:16:59 2011 TUN/TAP device tun0 opened
Tue Dec  6 14:16:59 2011 /sbin/ip link set dev tun0 up mtu 1500
Tue Dec  6 14:16:59 2011 /sbin/ip addr add dev tun0 172.16.0.1/24 broadcast 172.16.0.255
Tue Dec  6 14:16:59 2011 UDPv4 link local (bound): [undef]:1194
Tue Dec  6 14:16:59 2011 UDPv4 link remote: [undef]
Tue Dec  6 14:16:59 2011 Initialization Sequence Completed

Thank you,
Timothy Madden

Les Mikesell | 5 Dec 14:50 2011

Re: How to route traffic for all sub-net through the VPN ?

On Mon, Dec 5, 2011 at 7:00 AM, Timothy Madden <terminatorul <at> gmail.com> wrote:

> I have a VPN connection between a (multi-client) server and currently
> only one client. Each one, client, and server, have their own local
> network or subnet, and the VPN connection, configured with --dev tun and
> with --client-to-client, creates yet another, virtual, subnet.
>
> I would like any VPN clients that connect to have access to the server
> network.
>
> For this I can push a route for the VPN server subnet to the clients
> that connect. But the return route, on the other hand, is not that easy
> to get.
>
> The problem is the VPN server is not the gateway, nor the DHCP/DNS/WINS
> server, on its network. The gateway/DHCP server there is a (rather poor)
> D-Link DIR-100 home router, that carries and provides the uplink (which
> happens to lead the client subnet, if that matters).
>
> On this router I could find no configuration option to make my VPN
> server, which appears as a local (internal) node to the router, set up
> to be a gateway for another sub-net (namely the virtual one 172.16.0.0/24).
>
> Is there a way to announce the nodes in VPN server sub-net that they now
> have a new route to virtual network, that can be accessed with the VPN
> server as gateway ?
>
> Or some other way to make the route work ?

If you can't add static routes on either the LAN gateway or the LAN
hosts, you can NAT the traffic to the LAN ethernet address of the VPN
server.   A side effect of NAT is that you won't be able to see/log
the real source IPs of tunneled packets, though.

Another option would be to make the vpn server also the dhcp server
and gateway address, letting it route to the DIR-100 as the default
gateway.

-- 
  Les Mikesell
    lesmikesell <at> gmail.com
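
The NAT option from the reply above, as an added example that is not part of any post in this thread: it prints the forwarding and masquerade rules for the VPN server, plus a LOG rule placed before translation so the server still records the real tunnel source addresses that LAN hosts can no longer see. tun0 and 172.16.0.0/24 come from the thread; the LAN interface eth0 and LAN subnet 192.168.0.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. tun0 and 172.16.0.0/24 are from the
# posts; eth0 and 192.168.0.0/24 are assumed values for the server LAN.
VPN_NET="${VPN_NET:-172.16.0.0/24}"
VPN_DEV="${VPN_DEV:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_DEV="${LAN_DEV:-eth0}"

# The output is meant for a root shell, so refuse anything that is not a
# plain IPv4 CIDR or interface name before it is interpolated.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}
valid_dev() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Print the rules (dry run); this function changes nothing on the host.
vpn_nat_rules() {
    valid_cidr "$VPN_NET" && valid_cidr "$LAN_NET" || return 1
    valid_dev "$VPN_DEV" && valid_dev "$LAN_DEV" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $VPN_DEV -o $LAN_DEV -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW -j LOG --log-prefix "vpn2lan: "
iptables -A FORWARD -i $VPN_DEV -o $LAN_DEV -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_DEV -o $VPN_DEV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -d $LAN_NET -o $LAN_DEV -j MASQUERADE
EOF
}

# FORWARD is traversed before nat/POSTROUTING, so the LOG line carries the
# client's 172.16.0.x address even though LAN hosts only see the server's.
vpn_nat_rules
```

Review the printed rules before feeding them to a root shell; limiting the masquerade to traffic destined for the LAN subnet keeps client-to-client traffic inside the tunnel untranslated.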


Gmane