
Re: [Openvpn-users] Openvpn-users Digest, Vol 14, Issue 16


  • Subject: Re: [Openvpn-users] Openvpn-users Digest, Vol 14, Issue 16
  • From: "sivasubramani" <sivasubramanian@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 10 Jul 2007 10:49:57 -0000

Hi,
   I am using OpenVPN on both Windows and Linux. I want to connect client to client through the tunnel. It's working. If I try to ping
a virtual client IP from one client, it takes too long.

my ping result is

 sh-3.00# ping 10.1.0.142
PING 10.1.0.142 (10.1.0.142): 56 data bytes
64 bytes from 10.1.0.142: icmp_seq=0 ttl=64 time=976.2 ms
64 bytes from 10.1.0.142: icmp_seq=1 ttl=64 time=627.2 ms
64 bytes from 10.1.0.142: icmp_seq=2 ttl=64 time=646.9 ms
64 bytes from 10.1.0.142: icmp_seq=3 ttl=64 time=643.6 ms
64 bytes from 10.1.0.142: icmp_seq=4 ttl=64 time=648.8 ms
64 bytes from 10.1.0.142: icmp_seq=5 ttl=64 time=637.1 ms
64 bytes from 10.1.0.142: icmp_seq=6 ttl=64 time=665.8 ms
64 bytes from 10.1.0.142: icmp_seq=7 ttl=64 time=854.4 ms
64 bytes from 10.1.0.142: icmp_seq=8 ttl=64 time=647.5 ms
64 bytes from 10.1.0.142: icmp_seq=9 ttl=64 time=633.2 ms

--- 10.1.0.142 ping statistics ---
11 packets transmitted, 10 packets received, 9% packet loss
round-trip min/avg/max = 627.2/698.0/976.2 ms

     Sometimes it takes 1000 and above, so how can I improve my VPN speed?

my client config file is

port 1194
dev tun
proto tcp-client
remote 221.134.108.209
tls-client
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
pull
verb 3


Thanks and Regards,


----- Original Message -----
From: openvpn-users-request@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-request@xxxxxxxxxxxxxxxxxxxxx]
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Mon, 09 Jul 2007 13:36:28 -0700
Subject: Openvpn-users Digest, Vol 14, Issue 16


Today's Topics:

   1. Re: openVPN through Cisco firewall! (Peter Njiiri)
   2. Re: OpenVPN with Cisco VPN (Eero Volotinen)
   3. Re: Client-local PKCS#10 CSR generation (Etienne V. Depasquale)
   4. Building own windows packages (Ruben Puettmann)
   5. Untangle and OpenVPN (Andrew N. Gray)
   6. ifconfig-push doesn't give me what I expect (Alain Williams)
   7. Re: ifconfig-push doesn't give me what I expect (Erich Titl)
   8. Visual Studio project build files for OpenVPN (Cory Albrecht)


----------------------------------------------------------------------

Message: 1
Date: Mon, 09 Jul 2007 11:44:11 +0400
From: "Peter Njiiri" <pnjiiri@xxxxxxxxx>
Subject: Re: [Openvpn-users] openVPN through Cisco firewall!
To: "Erich Titl" <erich.titl@xxxxxxxx>
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <46921F8B.95EF.00F3.0@xxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Thanks Erich,
Didn't need routes and now the LDAP service is installed over VPN, thanks again for the feedback.

Kind Regards
Peter

>>> Erich Titl <erich.titl@xxxxxxxx> 07/09/07 12:05 AM >>>
Peter Njiiri wrote:
> Hi
> Again thanks for the feedback. Yes, you are correct with the
> interpretation of the network. The software I'm installing (LDAP client)
> that needs no NAT requires that the destination IP be 192.168.1.2. This
> is because the openVPN is running the LDAP server listening on
> eth0,192.168.1.2.

Can't you make it listen also on the tun interface 10.8.0.1?

> So in this scenario should I
> 1. use the destination IP as the VPN IP, i.e. 10.8.0.1 as it seems using
> 192.168.1.2 doesn't work as the communication back from the LDAP server
> is going through NAT.

You could do some tricky routing.

> 2. Is the 10.8.0.1 address bound to the eth0 IP thus use it as the
> destination IP??

No, it is bound to the tun interface.

> 3. I tried ethernet bridging but it didn't work

What can I say, I don't like bridging.

>
> Please note that the remote IP the VPN client is referencing is
> configured on a switch behind the firewall which maps the internal nic
> to external access. Is this a problem?

Switches (most of the time) are layer 2, so they should be transparent
to IP.


> I did a traceroute from the remote client (10.30.7.100) to the openVPN
> internal nic (192.168.1.2) and it shows only one hop to the destination
> (the hop is the destination address 192.168.1.2) whereas a traceroute
> from 192.168.1.2 to 10.30.7.9 shows three hops (hops through
> firewall,remote router then remote destination). When I ping 192.168.1.2
> from 10.30.7.100, I can see tcpdump activity on tun0 on the
> openVPNserver but if I ping 10.30.7.9 from 192.168.1.2 I DO NOT see
> tcpdump activity on tun0 on the client, it's received on eth1 on the
> client interface. Why is this happening???

Your routing is incomplete. iproute2 is your friend if needed, else try
to make your LDAP server also listen on the tun interface, for a try
make it listen on all interfaces.

cheers

Erich


------------------------------

Message: 2
Date: Mon, 9 Jul 2007 12:39:00 +0300 (EEST)
From: "Eero Volotinen" <eero.volotinen@xxxxxxxxxxx>
Subject: Re: [Openvpn-users] OpenVPN with Cisco VPN
To: "Rio Martin" <riomartin@xxxxxxxxxxxxx>
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <49705.80.222.172.74.1183973940.squirrel@xxxxxxxxxxxxx>
Content-Type: text/plain;charset=iso-8859-1


> Dear all,
> I need to deploy VPN Connection between my box and Cisco Routers.
> Does OpenVPN support any patch / additional for Cisco ? Thanks

No. If you mean an OpenVPN connection with a Cisco router, it is
impossible to do.

--
Eero







------------------------------

Message: 3
Date: Mon, 09 Jul 2007 12:00:23 +0200
From: "Etienne V. Depasquale" <evdepa@xxxxxxxxxxxxx>
Subject: Re: [Openvpn-users] Client-local PKCS#10 CSR generation
To: OpenVPN <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Message-ID: <000701c7c20f$f7a82b80$5c143e0a@xxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=windows-1250


Some more digging has shown that the tarball source version of OpenVPN
2.1_rc4 includes such goodies as the build-req script - which is basically a
wrapper script around pkitool, the kind of tool that I need to generate the
CSR. The CSR can then be handed to the OpenVPN administrator for signing at
the CA. This is the functionality I need.

However, there appears to be no equivalent tool in the Windows installer
version.

Can anyone corroborate this statement?


Cheers,

Etienne


-----Original Message-----
From: Erich Titl [mailto:erich.titl@xxxxxxxx]
Sent: 07 July 2007 10:23
To: evdepa@xxxxxxxxxxxxx
Cc: OpenVPN
Subject: Re: [Openvpn-users] Client-local PKCS#10 CSR generation

Etienne

Etienne V. Depasquale wrote:
> Thanks for the point made regarding separating the VPN server from the CA.
>
> However, I don't see how using a RoCA as a stand-alone CA will help
> (admitting that I haven't used it yet!); is there a client part to RoCA that
> the end-user can run on his computer to generate the CSR? That's the core
> problem. If this is the case, I would have preferred to avoid introducing
> the end-user to a second item of software.
>
I see, building a certificate request does not need much. Your clients
can of course build their own keys and certificate requests which you
can then import to whatever CA you like for signing.

cheers

Erich





------------------------------

Message: 4
Date: Mon, 9 Jul 2007 12:20:21 +0200
From: Ruben Puettmann <ruben@xxxxxxxxxxxxx>
Subject: [Openvpn-users] Building own windows packages
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <20070709102021.GA22905@xxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"


            Hello,

I will build a little openvpn project. In this project I will build own
windows packages with certificates and configuration files.

I found this little howto: http://openvpn.se/howto.html on the net.
But I have two little problems with it:

a) I must build the installer on a Linux 32 bit system.
   So it seems that it is not possible building Windows 64 bit
   packages on Linux.

b) No install_packages_source for openvpn 2.1 ( rc4 would be
   nice). But many things have changed so that I can't use the 2.0 nsis
   file.

Now I found the little news that 2.1_rc4 was now packaged with the
OpenVPN GUI. I will need 2.1 because I must build packages for Vista.


Does somebody know how to build customized windows packages from the
original openvpn binaries like in the howto above? I must build the
packages on Linux 32 bit.


            Thx


                Ruben


--
Ruben Puettmann
ruben@xxxxxxxxxxxxx
http://www.puettmann.net

------------------------------

Message: 5
Date: Mon, 9 Jul 2007 09:09:48 -0400
From: "Andrew N. Gray" <agray@xxxxxxxxxxx>
Subject: [Openvpn-users] Untangle and OpenVPN
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <DE52BEDE-AD0B-466D-8B25-58A7D5284DF1@xxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

I was wondering if anyone on this list had any experience running
OpenVPN as part of the Untangle bundle of open source apps.
(www.untangle.com)

Untangle has a Knoppix based .iso that installs everything from a
firewall to openvpn and snort all in a pretty dumbed down interface.

I have it running virtually and it looks decent.

Does anyone have any experience with this package and are there any
others that compete with it with better features such as QOS.

Andrew




------------------------------

Message: 6
Date: Mon, 9 Jul 2007 18:34:56 +0100
From: Alain Williams <addw@xxxxxxxxxxxx>
Subject: [Openvpn-users] ifconfig-push doesn't give me what I expect
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <20070709173456.GA32214@xxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

I have set up an OpenVPN on a Linux box (CentOS 4.5, running openvpn 2.0.9).
The client in this case is another Linux box (CentOS 4.5, running openvpn 2.0.9).

I expect the client to have VPN IP 10.200.200.7 and the server 10.200.200.1.
The server is as I expect, the client ends up as 10.200.200.6.

What appears in the system logs on each machine matches what netstat tells me and
is correct for the local end - but wrong for the peer end.

Why:

1) does the client IP address not take on the value given in the ifconfig-push line ?
2) do the values in the log files not match anything for the peer ?

I am confused.

Explanations gratefully received -- particularly for (1).

TIA

**** Diagnostic:

I can connect on the client to the server using IP 10.200.200.1 and 'who' tells me that
I have logged in from 10.200.200.6.

In the system log in the client I see:

	/sbin/ip link set dev tun2 up mtu 1500
	/sbin/ip addr add dev tun2 local 10.200.200.6 peer 10.200.200.5

The command 'netstat -rn' on the client gives:

	Kernel IP routing table
	Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
	10.200.200.1    10.200.200.5    255.255.255.255 UGH       0 0          0 tun2
	10.200.200.5    0.0.0.0         255.255.255.255 UH        0 0          0 tun2


In the system log in the server I see:

	/sbin/ip link set dev tun2 up mtu 1500
	/sbin/ip addr add dev tun2 local 10.200.200.1 peer 10.200.200.2

The command 'netstat -rn' on the server gives:

	Kernel IP routing table
	Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
	10.200.200.2    0.0.0.0         255.255.255.255 UH        0 0          0 tun2
	10.200.200.0    10.200.200.2    255.255.255.0   UG        0 0          0 tun2


(Irrelevant lines removed above)

**** The config files:

On the server I have:

/etc/openvpn/Clients/remoteMachine.example.com:

	ifconfig-push 10.200.200.7 10.200.200.0

/etc/openvpn/Server.conf:
	
	local 192.168.0.2
	port 1194
	proto udp
	dev tun2
	ca ca.crt
	cert server.crt
	key server.key
	dh dh1024.pem
	tls-auth ta.key 0

	server 10.200.200.0 255.255.255.0

	reneg-sec 60
	keepalive 10 120
	ifconfig-pool-persist ipp.txt
	comp-lzo
	cipher BF-CBC        # Blowfish (default)

	user nobody
	group nobody
	persist-key
	persist-tun

	client-config-dir Externalmint-Clients

On remoteMachine.example.com I have in :

/etc/openvpn/Client.conf:

	client
	proto udp
	dev tun2
	nobind
	remote server.example.com 1194

	user nobody
	group nobody
	persist-tun
	persist-key

	ca ca.crt
	cert client.crt
	key client.key
	dh dh1024.pem
	tls-auth ta.key 1

	comp-lzo
	cipher BF-CBC        # Blowfish (default)

	reneg-sec 300
	keepalive 10 120



--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>



------------------------------

Message: 7
Date: Mon, 09 Jul 2007 22:16:19 +0200
From: Erich Titl <erich.titl@xxxxxxxx>
Subject: Re: [Openvpn-users] ifconfig-push doesn't give me what I
	expect
To: Alain Williams <addw@xxxxxxxxxxxx>
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <46929793.8000201@xxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Alain

I guess you are expecting the wrong values.

Alain Williams wrote:
...
>
> On the server I have:
>
> /etc/openvpn/Clients/remoteMachine.example.com:
>
> 	ifconfig-push 10.200.200.7 10.200.200.0

This is not the way it is set down in the docs.

>>>>>>>>>>>>>>>>>>>>

from the manual

--ifconfig-push local remote-netmask
    Push virtual IP endpoints for client tunnel, overriding the
--ifconfig-pool dynamic allocation.

    The parameters local and remote-netmask are set according to the
--ifconfig directive which you want to execute on the client machine to
configure the remote end of the tunnel. Note that the parameters local
and remote-netmask are from the perspective of the client, not the
server. They may be DNS names rather than IP addresses, in which case
they will be resolved on the server at the time of client connection.

>>>

the name remote-netmask for the second parameter may be a bit misleading.

>>>>>>>>>>>>>>>>>>>>>>

and on the HowTo you find an example

ccd/sysadmin1

    ifconfig-push 10.8.1.1 10.8.1.2

which gives the client address 10.8.1.1 and the server end
of the tunnel 10.8.1.2


cheers

Erich
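
An added example, not part of Erich's message or of the OpenVPN distribution: a small Python check for the ifconfig-push pairing discussed in messages 6 and 7. It assumes a "dev tun" server with the default net30 topology, where the OpenVPN HOWTO requires the client and server endpoints to be the two host addresses of one /30 for compatibility with Windows clients; the function names are hypothetical.

```python
import ipaddress

def peer_for(local):
    """Return the other usable host of the /30 containing `local`, or None
    when `local` is that block's network or broadcast address."""
    addr = ipaddress.IPv4Address(local)
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    hosts = list(block.hosts())          # exactly two addresses for a /30
    if addr not in hosts:
        return None
    return str(hosts[1] if addr == hosts[0] else hosts[0])

def check_ifconfig_push(line):
    """Check one ccd line 'ifconfig-push <local> <remote>'.

    Returns a list of problem strings; an empty list means the pair fits net30.
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) != 3 or fields[0] != "ifconfig-push":
        return ["expected: ifconfig-push <local> <remote>"]
    try:
        local = ipaddress.IPv4Address(fields[1])
        remote = ipaddress.IPv4Address(fields[2])
    except ipaddress.AddressValueError:
        # The manual allows DNS names, resolved on the server at connect time.
        return ["DNS name given; the /30 pairing cannot be checked offline"]
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    hosts = list(block.hosts())
    problems = []
    if local not in hosts:
        problems.append(f"local {local} is the network or broadcast address of {block}")
    if remote == local or remote not in hosts:
        problems.append(f"remote {remote} is not the other host address of {block}")
    return problems

# Lines taken from the thread: the ccd entry from message 6 and the HOWTO
# example quoted in message 7.
SAMPLES = [
    "ifconfig-push 10.200.200.7 10.200.200.0",
    "ifconfig-push 10.8.1.1 10.8.1.2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_ifconfig_push(sample) or "ok")
```

peer_for("10.200.200.6") returns "10.200.200.5", the same pair that appears in the client's "ip addr add" log line in message 6.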



------------------------------

Message: 8
Date: Mon, 09 Jul 2007 16:36:19 -0400
From: Cory Albrecht <openvpn@xxxxxxxxxxxxxx>
Subject: [Openvpn-users] Visual Studio project build files for OpenVPN
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <46929C43.50002@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

Are there any build/project files for OpenVPN for Visual Studio?

Googling didn't turn up any. I'd like to try altering the TAP driver
code so I can have it be a 1 gigabit virtual adaptor instead of a 10
megabit one, but since I already have VS2k5 really want to install Ming
for just this.

BTW, why was it made to only be 10Mb/s instead of a higher bitrate?
TapAdapterQuery.m_Long is a ULONG value, so it could handle the 1 000
000 000 / 100 value needed for a gigabit link. Is this a limitation of
virtual adaptors with the Windows Driver Kit?

I noticed one day, when I forgot to disable OpenVPN on my laptop when I
got home, that I was only getting the expected speeds of being on a 10
megabit wireline ethernet link rather than on a 54 megabit wifi link.
Since I'm VPNing to home that 10 megabit rate is obviously faster than
my DSL so I never noticed, but at home I certainly *did* notice an 80%
drop in my link speed!

So if anybody could point me to some VS project files for OpenVPN, I'd
appreciate it.

Thanks in advance.




------------------------------
---------------------------

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users


End of Openvpn-users Digest, Vol 14, Issue 16
*********************************************
