From: Matthias A. <ma+...@dt...> - 2003-08-31 11:30:07

On Sun, 31 Aug 2003, James Yonan wrote:

> I'm thinking about something like this in a more generalized context, where
> OpenVPN running as a server would actually generate the config file for the
> client, and send it to the client via SSL after an initial authentication
> handshake. This would simplify the configuration on the client side, and
> allow the server to send routes back to the client.

I wonder if this could be extended to a general configuration handshake, where the client could opt out of some options, for example LZO compression or tun vs. tap. (One should think the client would always want to compress data to avoid redundancy-based or "known-plaintext" attacks on the encrypted connection, but anyways.)

--
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95

From: James Y. <ji...@yo...> - 2003-08-31 05:56:01

> question regarding windows openvpn (thanks a lot for this :), is it
> possible to have some script executed (like add a route for the other
> side subnet) ?

I'm thinking about something like this in a more generalized context, where OpenVPN running as a server would actually generate the config file for the client, and send it to the client via SSL after an initial authentication handshake. This would simplify the configuration on the client side, and allow the server to send routes back to the client.

James

From: julien T. <jul...@ly...> - 2003-08-29 13:42:53

works well with openbsd 3.4-beta

question regarding windows openvpn (thanks a lot for this :), is it possible to have some script executed (like add a route for the other side subnet) ?

Regards
Julien

From: oyk <oy...@wt...> - 2003-08-20 10:36:49

hi, all

I am testing on the openvpn(version 1.5beta5). I want to know whether the openvpn can control multi-client connections simultaneously.

My case environment:

two client boxes: one is a windowsxp box(10.1.0.176), the other is a linux box(10.1.0.178).
Server: one linux box(10.1.0.232)

#ifconfig (on the server box)

    eth0      Link encap:Ethernet  HWaddr 00:07:E9:D4:17:05
              inet addr:10.1.0.232  Bcast:10.1.1.255  Mask:255.255.254.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1375385 errors:0 dropped:0 overruns:0 frame:18
              TX packets:26317 errors:0 dropped:0 overruns:0 carrier:0
              collisions:1232 txqueuelen:100
              RX bytes:436079888 (415.8 Mb)  TX bytes:4750120 (4.5 Mb)
              Interrupt:18

    eth1      Link encap:Ethernet  HWaddr 00:07:E9:D4:17:06
              inet addr:192.168.201.1  Bcast:192.168.201.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2524 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4001 errors:0 dropped:0 overruns:0 carrier:0
              collisions:9 txqueuelen:100
              RX bytes:538445 (525.8 Kb)  TX bytes:349456 (341.2 Kb)
              Interrupt:19 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:3725 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3725 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:265761 (259.5 Kb)  TX bytes:265761 (259.5 Kb)

In the 192.168.201.0/24 subnetwork, there is one internal box, whose ip is 192.168.201.2. Absolutely, it is only connected to the Server by one twisted-pair directly.

My purpose: the client boxes can access 192.168.201.0/25 subnetwork simultaneously. In other words, I can access the 192.168.201.2 box from windowsxp client box and linux client box simultaneously.

The following are my configuration:

On the windowsxp client box(10.1.0.176):

    remote 10.1.0.232
    dev tap
    dev-node my-tap
    secret key.txt
    ping 10
    verb 5

my-tap IP: 192.168.1.2

myroute.bat:

    route add 192.168.201.0 mask 255.255.255.0 192.168.1.2

On linux client box(10.1.0.178):

    remote 10.1.0.232
    dev tap
    up ./tap.up
    secret key.txt
    ping 10
    verb 5

tap.up

    #!/bin/bash
    ifconfig $1 192.168.1.3 netmask 255.255.255.0 mtu $2
    route add -net 192.168.201.0 netmask 255.255.255.0 gw $5

On the Server:

    dev tap
    up ./tap.up
    secret key.txt
    ping 10
    verb 5

On the Server firewall rules:

    #!/bin/bash
    echo 1 > /proc/sys/net/ipv4/ip_forward
    PRIVATE=192.168.201.0/24
    LOOP=127.0.0.1
    iptables -F
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i eth0 -s $LOOP -j DROP
    iptables -A FORWARD -i eth0 -s $LOOP -j DROP
    iptables -A INPUT -i eth0 -d $LOOP -j DROP
    iptables -A FORWARD -i eth0 -d $LOOP -j DROP
    iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
    iptables -A INPUT -s $LOOP -j ACCEPT
    iptables -A INPUT -d $LOOP -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp --dport 5000 -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT
    iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

My test steps:

On the Server side:

1. openvpn --config server.conf
2. sh firewall.sh
3. tcpdump -s 1518 -lennx -i tap0 |tcpshow -cooked (on another console)

On the linux client box:

4. openvpn --config linuxclient.conf
5. ping 192.168.1.1 (OK!)

tcpdump shows:

    tcpdump: listening on tap0
    ---------------------------------------------------------------------------
    Packet 1
    TIME: 17:29:38.755258
    ARP: 192.168.1.3 (00:FF:CD:30:4B:A1) asks where is 192.168.1.1
    ---------------------------------------------------------------------------
    Packet 2
    TIME: 17:29:38.755282 (0.000024)
    ARP: 192.168.1.1 says to 192.168.1.3 it's at 00:FF:29:2D:B4:96
    ---------------------------------------------------------------------------
    Packet 3
    TIME: 17:29:38.756636 (0.001354)
    ICMP: 192.168.1.3 -> 192.168.1.1 echo-request
    DATA: W6...>C?.s... ................. !"#$%&'()*+,-./01234567
    ---------------------------------------------------------------------------
    Packet 4
    TIME: 17:29:38.756696 (0.000060)
    ICMP: 192.168.1.1 -> 192.168.1.3 echo-reply
    DATA: W6...>C?.s... ................. !"#$%&'()*+,-./01234567
    ---------------------------------------------------------------------------

6. ping 192.168.201.1 (OK!)

tcpdump shows:

    ---------------------------------------------------------------------------
    Packet 1
    TIME: 17:32:57.138120
    ICMP: 192.168.1.3 -> 192.168.201.1 echo-request
    DATA: Y6..g?C?}.... ................. !"#$%&'()*+,-./01234567
    ---------------------------------------------------------------------------
    Packet 2
    TIME: 17:32:57.138162 (0.000042)
    ICMP: 192.168.201.1 -> 192.168.1.3 echo-reply
    DATA: Y6..g?C?}.... ................. !"#$%&'()*+,-./01234567
    ---------------------------------------------------------------------------

7. ping 192.168.201.2 (Fail!)

On the server side, OpenVPN shows: RRRRR...
On the client side, OpenVPN shows: WWWWW...

and tcpdump shows:

    tcpdump: listening on tap0
    ---------------------------------------------------------------------------
    Packet 1
    TIME: 17:33:45.569484
    ARP: 192.168.1.3 (00:FF:CD:30:4B:A1) asks where is 192.168.201.2
    ---------------------------------------------------------------------------
    Packet 2
    TIME: 17:33:46.569419 (0.999935)
    ARP: 192.168.1.3 (00:FF:CD:30:4B:A1) asks where is 192.168.201.2
    ---------------------------------------------------------------------------

Now, I try to start my windows box:

On the windowsxp box:

8. start openvpn

On the server side shows:

    Wed Aug 20 17:35:36 2003 96[0]: Peer Connection Initiated with 10.1.1.176:5000
    RRRRWed Aug 20 17:35:37 2003 97[0]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #167 / time = (1061371483) Wed Aug 20 17:24:43 2003 ]

Now, the linux client box is interrupted, I can not access the OpenVPN Server from my linux box. And, the windowsxp client box setup OpenVPN environment. The results are the same as linux client box.

And, whether does the OpenVPN have only one simultaneously alive client? And, I can't access the internal subnetwork, why? The same configurations, I use tun device, I can access internal subnetwork without any problem.

Thank you, everybody!

Best Regards
Ouyang Kai

From: julien T. <jul...@ly...> - 2003-08-19 13:14:43

James Yonan wrote:

> If anyone out there is running 1.5-beta5 or later on OpenBSD, FreeBSD, NetBSD,
> Mac OS X, or Linux 2.2, please let me know.
>

i test it today in the following conf:

linux 2.4 (openvpn 1.3) <-> openbsd 3.2-stable (beta): ping OK

linux 2.4 (1.3 or beta) <-> windows2k (beta): problem on linux side with tap

    # /tmp/openvpn-1.5-beta6/openvpn --cd /etc/openvpn/ --config vpn10.conf
    [ snip ]
    Tue Aug 19 15:06:55 2003 6: Data Channel MTU parms [ link_mtu=1609 extra_frame=45 extra_buffer=19 extra_tun=64 ]
    Tue Aug 19 15:06:55 2003 7: TUN/TAP device tap0 opened
    Tue Aug 19 15:06:55 2003 8: tap0 is not a tun device. The --ifconfig option works only for tun devices. You should use an --up script to ifconfig a tap device.
    Tue Aug 19 15:06:55 2003 9: Exiting

note that /dev/tunX exist but no /dev/tapX

vpn10.conf:

    dev tap0
    remote 192.168.2.10
    ifconfig 10.0.3.2 10.0.3.1
    up ./tap.up
    secret key/test.txt
    user nobody
    group nogroup
    comp-lzo
    ping 15
    verb 3
    tun-mtu 1500
    tun-mtu-extra 6

i will try to test it on openbsd 3.4-beta for the end of the week.

Regards
Julien

From: James Y. <ji...@yo...> - 2003-08-16 20:08:39

If anyone out there is running 1.5-beta5 or later on OpenBSD, FreeBSD, NetBSD, Mac OS X, or Linux 2.2, please let me know.

I want to make sure that 1.5 is tested on everything before 1.5 final is released.

Thanks,
James

From: <gar...@ex...> - 2003-08-13 22:05:23

Hi all,

I need to listen for many connections on one machine, but I am only allowed one hole in the firewall. I have seen some discussion of adding support for this to OpenVPN. I have come up with a technique that achieves my goals without modifying OpenVPN ...

I know the IP address and port of each initiating end point. So, I just use iptables to NAT each connection to the appropriate local listener port.

For my proof of concept I set up three machines. A listener, initiator, and a router/fw.

    Listener
    --------
    eth0: 192.168.1.50
    lo alias: 10.5.10.5
    route to 10.0.10.10 through 192.168.1.52
    OpenVPN listening on 10.5.10.5:5001

    Initiator
    ---------
    eth0: 10.0.10.10
    route to 192.168.1.50 through 10.0.10.1
    OpenVPN initiator port: 5000
    OpenVPN initiating connection to 192.168.1.50:5000

    Router/FW
    ---------
    eth0: 192.168.1.52
    eth1: 10.0.10.1
    firewall rule allows traffic to and from 192.168.1.50 udp port 5000

On the Listener machine I added this rule:

    iptables -t nat -A PREROUTING -p udp --sport 5000 -s 10.0.10.10 -d 192.168.1.50 --dport 5000 -j DNAT --to-destination 10.5.10.51:5001

... and voilà!

You would need a good firewall like iptables to use this technique of course so it may not be an option for everybody.

Any thoughts?

.garth
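
The per-peer DNAT mapping described in the message above, generalized to a table of peers, as an added example that is not part of the original post. The `gen_dnat_rules` name, the input format and the second peer are assumptions; the addresses and port 5000 come from the post's topology, with the listener's 10.5.10.5 alias as the DNAT target. The script only prints the commands and rejects a table in which two peers would collide.

```shell
#!/bin/sh
# Added example (not from the original post): print one DNAT rule per known
# peer so several OpenVPN listeners can share a single firewall hole.
PUBLIC_IP=192.168.1.50   # listener eth0, from the post
PUBLIC_PORT=5000         # the one UDP port the firewall allows, from the post
LISTEN_IP=10.5.10.5      # listener loopback alias, from the post

# Reads "src_ip src_port local_port" lines on stdin (hypothetical format).
# Prints nothing and returns non-zero if any entry is malformed, or if two
# peers share a source ip:port or a local listener port.
gen_dnat_rules() {
    awk -v pub="$PUBLIC_IP" -v pport="$PUBLIC_PORT" -v lip="$LISTEN_IP" '
    function fail(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; bad = 1 }
    function port_ok(p) { return (p ~ /^[0-9]+$/) && (p + 0 >= 1) && (p + 0 <= 65535) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        key = $1 ":" $2
        if (NF != 3 || $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
            !port_ok($2) || !port_ok($3))
            fail("expected: src_ip src_port local_port")
        else if (key in by_src)
            fail("source " key " already mapped")
        else if ($3 in by_port)
            fail("listener port " $3 " already in use")
        else {
            by_src[key] = 1; by_port[$3] = 1
            rule[++n] = sprintf("iptables -t nat -A PREROUTING -p udp -s %s --sport %s -d %s --dport %s -j DNAT --to-destination %s:%s", $1, $2, pub, pport, lip, $3)
        }
    }
    END { if (bad) exit 1; for (i = 1; i <= n; i++) print rule[i] }
    '
}

# Constructed peer table: the first entry is the initiator from the post,
# the second is an invented additional peer.
gen_dnat_rules <<'EOF'
10.0.10.10 5000 5001
10.0.20.20 5000 5002
EOF
```

The source address and port serve only to pick the local listener; each OpenVPN listener still authenticates its peer with its own key.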