
RE: [Openvpn-users] resolved: new openvpn problem


  • Subject: RE: [Openvpn-users] resolved: new openvpn problem
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sun, 5 Dec 2004 18:30:08 -0700 (MST)

On Sun, 5 Dec 2004, Tibbs, Richard wrote:

> Thanks very much, Jim.
> If you don't mind I have a few additional questions.
> 1) If I recall correctly the mode command (mode server, mode client)
> came in with 2.0, right?  Does this relate to the openvpn.conf directive
> "tls-server"? IAW, is mode server the same as tls-server, or a different
> feature?

They are different, but related.  For example, you might want to use TLS
authentication with a point-to-point tunnel (i.e. not client/server).  In
this case you could use --mode p2p --tls-server or --mode p2p 
--tls-client.  You need this because TLS is always client/server, even if 
you are using it with a point-to-point OpenVPN config.

If you are using OpenVPN 2.0's --mode server directive, you should always
use --tls-server on the server and --tls-client on the client.  The new
"client" and "server" directives simplify this.

> 2) When you say client/server mode below -- do you mean in either client
> or server mode?  I am a bit confused here.

Yes.  Either a client or server running OpenVPN 2.0 must use --key-method 
2.  Only a point-to-point tunnel (i.e. where both peers are symmetrically 
configured) can use --key-method 1.

> 3) As I mentioned, someone from leaf-user compiled in ip(2) support
> using the 1.6 tarball. Is the same true of the openvpn 1.6 pre-compiled
> binaries from openvpn.sourceforge.net? 

Yes, that support is still there in 2.0.  You can enable it with 
./configure --enable-iproute2

James


> 
> TIA
> Rick.
> 
> 
> 
> -----Original Message-----
> From: James Yonan [mailto:jim@xxxxxxxxx] 
> Sent: Sunday, December 05, 2004 7:22 PM
> To: Tibbs, Richard
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] resolved: new openvpn problem
> 
> On Sun, 5 Dec 2004, Tibbs, Richard wrote:
> 
> > OK, what I had to do, since I had compiled in ip(2) support is get rid
> > of the up script altogether and add a route command.
> > I have now a working tun0 link. What works in openvpn.conf is shown
> > below.
> > I did a little documentation for my own sanity.
> > I am still confused by one thing. In the openvpn 2.x readme (installed
> > on my winXP wireless laptop) it says
> > "
> > * To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, put this in the
> > 1.x config file:
> > 
> >   tun-mtu 1500
> >   tun-mtu-extra 32
> >   mssfix 1450
> >   key-method 2
> > 
> > * For TLS usage, --key-method 2 is now the default.  Use --key-method 1
> > to communicate with 1.x.
> > "
> > The last sentence seems to contradict the 1.x configs above it.
> > 
> > I assume they mean to say key-method 1 the first time, Right??
> 
> No, both statements are correct.  The main point is that the --key-method
> parameter must be the same on both sides of the connection.
> 
> The best thing would be to add "key-method 2" to 1.x configs, to be 
> compatible with the default 2.0 key method which is 2.
> 
> But you could also leave the 1.x key-method at 1 (the default) and then 
> explicitly add "key-method 1" to the 2.0 config.  2.0 can use key-method
> 1, but not in client/server mode.
> 
> James
> 
> 
> 
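As an added illustration of the pairing rules James states above (this script is not from the thread or from the OpenVPN project), the checker below parses two peer configs and reports the mismatches he describes: --key-method must agree on both sides, client/server mode needs key-method 2, and TLS needs one --tls-server facing one --tls-client. The sample configs are constructed, and treating the 2.0 "server"/"client" helpers as implying --tls-server/--tls-client is an assumption of this example.

```python
def parse_config(text):
    """Parse OpenVPN config text into {directive: [args]}; '#'/';' comments dropped."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0].lstrip('-')] = parts[1:]
    return opts

def key_method(opts, version):
    """Explicit key-method wins; otherwise the release default (1.x -> 1, 2.0 -> 2)."""
    if 'key-method' in opts:
        return int(opts['key-method'][0])
    return 1 if version.startswith('1.') else 2

def roles(opts):
    """Return (client_server_mode, tls_role); tls_role is 'server', 'client', 'both' or None.
    Assumption: the 2.0 helpers 'server'/'client' imply mode server + tls-server / tls-client."""
    cs_mode = 'server' in opts or opts.get('mode') == ['server'] or 'client' in opts
    tls = None
    if 'tls-server' in opts or 'server' in opts:
        tls = 'server'
    if 'tls-client' in opts or 'client' in opts:
        tls = 'client' if tls is None else 'both'
    return cs_mode, tls

def check_pair(cfg_a, ver_a, cfg_b, ver_b):
    """List the incompatibilities between two peer configs ([] means they agree)."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    km = (key_method(a, ver_a), key_method(b, ver_b))
    (cs_a, tls_a), (cs_b, tls_b) = roles(a), roles(b)
    problems = []
    if km[0] != km[1]:
        problems.append(f'key-method differs: {km[0]} vs {km[1]}')
    if (cs_a or cs_b) and 1 in km:
        problems.append('client/server mode requires key-method 2 on both peers')
    if {tls_a, tls_b} not in ({None}, {'server', 'client'}):
        problems.append('TLS needs exactly one --tls-server and one --tls-client')
    return problems

# Constructed sample configs (not from the thread): a 1.x peer and a 2.0 peer.
OLD_P2P = "dev tun\ntls-client\nkey-method 2\ntun-mtu 1500\ntun-mtu-extra 32\nmssfix 1450\n"
NEW_P2P = "dev tun\nmode p2p\ntls-server\n"
OLD_DEFAULT = "dev tun\ntls-client\n"                     # no key-method: 1.x default is 1
NEW_SERVER = "dev tun\nserver 10.8.0.0 255.255.255.0\n"  # helper implies mode server + tls-server

if __name__ == '__main__':
    print(check_pair(OLD_P2P, '1.6', NEW_P2P, '2.0'))         # -> []
    print(check_pair(OLD_DEFAULT, '1.6', NEW_SERVER, '2.0'))  # -> two problems
```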

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users