Re: [Openvpn-users] Re: Re: Re: Re: IP Allocation


  • Subject: Re: [Openvpn-users] Re: Re: Re: Re: IP Allocation
  • From: Helder Miguel Gaspar Rodrigues <crash@xxxxxxxx>
  • Date: Thu, 13 Jan 2005 06:32:02 +0000

Btw, now I have three clients connected to the VPN, and the log messages on the
server show something strange:
Thu Jan 13 05:48:58 2005 us=926462
helder-laptop.wifivpn.frew.org/192.168.1.11:1194 Authenticate/Decrypt
packet error: bad packet ID (may be a replay): [ #226 ] -- see the man
page entry for --no-replay and --replay-window for more info or silence
this warning with --mute-replay-warnings

All configurations on the clients are the same, but the logs only show
problems with this connection. Any tips?

The client is a Windows XP SP2 machine with OpenVPN 2 rc6.

Thanks a lot

Charles Duffy wrote:
| On Wed, 12 Jan 2005 20:38:20 +0000, Helder Miguel Gaspar Rodrigues wrote:
|
|
|>What do you think about the configuration settings? It's a wifi environment.
|
|
| Comments below.
|
|
|
|>duplicate-cn
|
|
| Evil. Bad security policy (can't just replace one client's certificate,
| need to replace all of them if any client is compromised), prevents you
| from using the CN as a key to do Useful Things in your scripting (like
| handing out IP addresses, adding DNS entries, etc), and makes it pretty
| darned easy for any client to pretend to be any other (since they don't
| have distinct keys, they only need to change their IP addresses).
|
| You should seriously rethink using this.
|
|
|>mtu-test
|>tun-mtu 1500
|>tun-mtu-extra 32
|>mssfix 1450
|
|
| Just curious -- did you really need to set these? I'm accustomed to
| current versions of OpenVPN doing The Right Thing quite out-of-the-box.
|
|
|>ping 10
|>ping-restart 120
|>push "ping 10"
|>push "ping-restart 60"
|
|
| I find that the keepalive directive helps keep things more readable.
|
|
|>ifconfig 192.168.3.1 255.255.255.0 # openvpn gateway
|>push "route 192.168.1.0 255.255.255.0 192.168.3.1" # add route to protected network
|>push "route 192.168.0.0 255.255.255.0 192.168.3.1" # add route to protected network
|>push "route 192.168.3.0 255.255.255.0 192.168.3.1"
|>push "redirect-gateway"
|
|
| Granted, I don't know that much about your network configuration, but this
| could probably be simplified. Considered using the server directive?
|
|
|>My script:
|
|
| I'm a really, really big fan of Python -- but this just cries out to be a
| single line of shell:
|
| #!/usr/bin/bash
| # $1 is the client's real address (e.g. 192.168.1.11); rewrite the third
| # octet to 3 so the client is pushed the matching 192.168.3.x VPN address.
| VPN_IP=$(echo "$1" | sed -re 's_([0-9]{1,3})\.([0-9]{1,3})$_3.\2_')
| echo "ifconfig-push ${VPN_IP} 255.255.255.0"
|
|
|>port 5000
|
|
| Call me a stickler, but I prefer using the IANA-assigned port, given the
| chance.
|
|
|>tls-client
|>pull
|
|
| The "client" directive does both of these, and is easier to read.
|
|
| Finally, I don't notice any mechanism in use to validate that the server's
| certificate really _is_ the server's certificate (see the whole
| man-in-the-middle brouhaha here a while ago). You should seriously
| consider using ns-cert-type (with an appropriately created server key), or
| tls-verify, or something of the like.
|
|
|
| -------------------------------------------------------
| The SF.Net email is sponsored by: Beat the post-holiday blues
| Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
| It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
| _______________________________________________
| Openvpn-users mailing list
| Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
| https://lists.sourceforge.net/lists/listinfo/openvpn-users

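Charles's point about keying on the certificate CN rather than the client's IP, as an added example that is not part of the thread or of OpenVPN's own code: a --client-connect script that hands each client a fixed VPN address from a constructed CN-to-address table and refuses clients whose CN is not listed. It assumes OpenVPN's client-connect contract (common_name and trusted_ip in the environment, the path of a temporary file as $1) and the subnet-style ifconfig-push form used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: a --client-connect
# script that assigns each client a fixed VPN address keyed on the CN of the
# certificate it authenticated with. That only works when each client has its
# own certificate, i.e. without duplicate-cn. Assumed OpenVPN contract: the
# server exports common_name and trusted_ip in the environment and passes the
# path of a temporary file as $1; directives appended to that file apply to
# the connecting client. The CN-to-address table is constructed for the example.

CN_TABLE='helder-laptop 192.168.3.11
office-desktop 192.168.3.12'

# Print the VPN address for a CN, or print nothing and return 1 if the CN is
# unknown or contains characters outside the set expected in a certificate CN.
lookup_vpn_ip() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf '%s\n' "$CN_TABLE" |
        awk -v cn="$1" '$1 == cn { print $2; found = 1 } END { exit !found }'
}

# Build the directive in the same subnet-style form used in the thread, or
# return 1 so the caller can refuse the client.
ifconfig_push_for() {
    ip=$(lookup_vpn_ip "$1") || return 1
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip"
}

# Entry point when OpenVPN invokes the script (skipped when no file path is given).
if [ -n "$1" ] && [ -n "$common_name" ]; then
    directive=$(ifconfig_push_for "$common_name") || {
        echo "client-connect: no address for CN '$common_name' from $trusted_ip" >&2
        exit 1   # a non-zero exit makes the server refuse the connection
    }
    printf '%s\n' "$directive" >> "$1"
fi
```

Because the lookup is keyed on the CN the server's CA has already verified, a client cannot claim another client's address just by changing its own IP, which is exactly what duplicate-cn would allow.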