Archive for the ‘OpenVPN’ Category
Posted by jpluimers on 2023/04/07
A while after I got a new smartphone, I noticed that when my MacBook was connected over Wi-Fi to the mobile hotspot of my Android phone, the Tunnelblick connections over OpenVPN to my family members would not work. A telnet from the Android phone to the OpenVPN TCP port 1194 would succeed, but not from the MacBook. Connecting from the phone using JuiceSSH to the OpenSSH endpoints at those family members would work too, so I was a bit flabbergasted.
In the end this seems to be a set of coincidences that fails in this particular setup, but I am not entirely sure why.
The solution was to both re-configure the APN (Access Point Name) the smartphone uses to connect to the internet from ipv4/ipv6 to ipv4, and to reboot the phone.
For Dutch provider KPN Mobile, the APN is named internet and its default apparently changed to ipv4/ipv6 without properly supporting ipv4. Note that the configuration parameters are all lowercase, although they should be written IPv4 and IPv6.
Here are a few posts that got me on the right track (all via [Wayback/Archive] openvpn fails over android hotspot – Google Search):
Note that sometimes the MTU can cause similar failures:
Note too: some links to check for OpenVPN responding are below.
Various sites with (often different) APNs that KPN mobile supports:
There are quite a few APNs, some with firewall and/or proxy and/or compression, some with external IP address (which means your smartphone really needs a firewall).
–jeroen
Posted in Android Devices, Hardware, Network-and-equipment, OpenVPN, Power User, VPN
Posted by jpluimers on 2022/08/26
Last winter, I discovered that the OpenVPN version on Chocolatey was really old: it had not been updated since 2019.
Most Chocolatey maintainers are volunteers and sometimes the burden can become too large. Back then the maintainer was [Wayback/Archive] Chocolatey Software | wget, but luckily [Wayback/Archive] Chocolatey Software | dgalbraith has stepped in and in March 2022 bumped the version from [Wayback/Archive] Chocolatey Software | OpenVPN 2.4.7 to [Wayback/Archive] Chocolatey Software | OpenVPN – Open Source SSL VPN Solution 2.5.4 and kept maintaining (currently there is [Wayback/Archive] Chocolatey Software | OpenVPN – Open Source SSL VPN Solution 2.5.7).
Posted in *nix, *nix-tools, Chocolatey, Hardware, Network-and-equipment, OpenVPN, Power User, ssh/sshd, VPN, Windows
Posted by jpluimers on 2021/08/09
The Chocolatey package for OpenVPN has not been updated for quite a while. It looks like it has to do with the package's current dependency, which is used to verify the OpenVPN signature.
The current [Wayback] Chocolatey Software | OpenVPN 2.4.7 version is both outdated on the major version number ([Wayback/Archive.is] Release OpenVPN v2.5.3 release · OpenVPN/openvpn) and minor version ([Wayback/Archive.is] Release OpenVPN v2.4.11 release · OpenVPN/openvpn). The version 2.4 Windows installers are now called “Legacy Windows Installers”.
Luckily, less than a day after [Wayback/Archive.is] RFM – openvpn · Issue #1024 · chocolatey-community/chocolatey-package-requests was opened, a volunteer stepped forward.
Hopefully by now the package is being maintained again.
–jeroen
Posted in Network-and-equipment, OpenVPN, Power User, VPN
Posted by jpluimers on 2019/01/16
With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.
Some old to new links:
CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much better chance of working there.
And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. (For support, troubleshooting and feature requests they have http://www.vpnusers.com/; for critical vulnerabilities, please e-mail them; the address is in the header.)
However, that is a VPN solution which is much broader than just a single TCP tunnel. You can do similar things with OpenVPN, but over HTTP/HTTPS it also requires CONNECT:
SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then I did not have a need for it yet: VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.
–jeroen
via: [WayBack] VPN through only http – Server Fault answer by [WayBack] neutrinus
Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy
Posted by jpluimers on 2017/08/07
sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.
Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.
Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
sslh supports IPv6, privilege dropping, transparent proxying, and more.
Interesting…
–jeroen
Posted in *nix, https, Linux, OpenSSL, OpenVPN, Power User, Security
Posted by jpluimers on 2017/06/23
For my blog archive, as I already shared it on G+:
[WayBack] With so many vulnerabilities out there, here is how to find out of if a fixed is applied to vulnerabilities on Debian/Ubuntu Linux using CVE. – Jeroen Wiert Pluimers – Google+
[WayBack] Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number – nixCraft
Explains how to view the changelog of an installed package on a Debian or Ubuntu Linux server to find out if a fix/patch was applied, via the CVE number.
Hans Wolters:
And find all packages that belong to one cve :-)
zgrep -i cve /usr/share/doc/*/changelog.Debian.gz|grep 1000364
–jeroen
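The zgrep one-liner in the comment above shows that a package's changelog mentions the CVE, but not in which version, nor whether that version is the one installed. The script below is an added example (not from the post or the quoted comment) that parses the Debian changelog format to answer both; it assumes zcat and a POSIX awk, plus dpkg for the last function.

```shell
#!/bin/sh
# Added example, not from the post or the quoted comment.
# Answers two questions the zgrep one-liner leaves open: in which version
# did the maintainer mention the CVE, and is that version installed?
# Assumes zcat and a POSIX awk (any Debian/Ubuntu host), plus dpkg for the
# last function.

# cve_fix_version <CVE-id> <changelog.Debian.gz>
# Prints the version of the newest changelog entry whose text mentions the
# CVE id (case-insensitive, like zgrep -i); exits 1 if no entry does.
cve_fix_version() {
    cve="$1"; changelog="$2"
    zcat "$changelog" | awk -v cve="$cve" '
        # Entry header: "<package> (<version>) <distribution>; urgency=..."
        /^[A-Za-z0-9][A-Za-z0-9.+-]* \([^)]+\) .*;/ {
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
        }
        # Entries are newest-first, so the first hit is the version to report.
        index(tolower($0), tolower(cve)) { print ver; found = 1; exit }
        END { if (!found) exit 1 }'
}

# packages_mentioning_cve <CVE-id> [docdir]
# Scripted form of the one-liner: prints "<package> <version>" for every
# package under docdir (default /usr/share/doc) whose changelog mentions the CVE.
packages_mentioning_cve() {
    cve="$1"; docdir="${2:-/usr/share/doc}"
    for f in "$docdir"/*/changelog.Debian.gz; do
        [ -f "$f" ] || continue
        pkg=$(basename "$(dirname "$f")")
        ver=$(cve_fix_version "$cve" "$f") && printf '%s %s\n' "$pkg" "$ver"
    done
}

# cve_fixed_installed <package> <CVE-id>
# Exit 0 only if the installed version is at least the one that mentions the
# CVE; needs dpkg-query and dpkg --compare-versions, so it runs on a real host.
cve_fixed_installed() {
    pkg="$1"; cve="$2"
    fix=$(cve_fix_version "$cve" "/usr/share/doc/$pkg/changelog.Debian.gz") || return 1
    inst=$(dpkg-query -W -f='${Version}' "$pkg") || return 1
    dpkg --compare-versions "$inst" ge "$fix"
}
```

A mention in the changelog is the maintainer's claim, not proof; the function only tells you the installed version is at or past the entry that claims the fix.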

Posted in OpenVPN, Power User, Security
Posted by jpluimers on 2017/04/25
MikroTik has great hardware, but getting things to work can be a bit, ehm, intimidating.
So here are some links that were useful in getting my CCR1009 and CRS226 configurations to do what I wanted.
Posted in DNS, Hardware, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN, WinBox
Posted by jpluimers on 2016/03/18
Nice summary for just saying “Use Tunnelblick”
This howto article explains how to obtain and set up a Mac OpenVPN client to connect to the OpenVPN Access Server.
Source: How to connect to Access Server from a Mac
–jeroen
Posted in Apple, Mac, Mac OS X / OS X / MacOS, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, OpenVPN, OS X 10.11 El Capitan, OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, Power User
Posted by jpluimers on 2012/08/03
Another research item:
Need to provide access through OpenVPN to the same LAN the OpenVPN server runs on.
This is unusual, and requires a bridged OpenVPN solution.
Jürgen Schmidt wrote a nice article on this in 2008.
Endian community edition seems to support this out of the box:
Server configuration
In this panel you can enable the OpenVPN server and define in which zone it should run.
OpenVPN server enabled
Click this to make sure the OpenVPN server is started.
Bridged
If you want to run the OpenVPN server in one of the existing zones check this box. ..
Note: if the OpenVPN server is not bridged you must set the firewall rules in the VPN firewall to make sure clients can access any zone, unless you do not want them to.
VPN subnet
This option is only available if you disable bridged mode, which allows you to run the OpenVPN server in its own subnet that can be specified here.
Bridge to
If bridged mode has been selected here you can choose to which zone the OpenVPN server should be bridged.
Dynamic IP pool start address
The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.
Dynamic IP pool end address
The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.
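The Bridged versus VPN subnet choice above maps onto two plain OpenVPN server configurations. The following is an added example with constructed addresses, not Endian's generated config; it assumes a LAN zone of 192.168.10.0/24, a bridge interface br0 holding 192.168.10.1 with tap0 already attached to it, and that the LAN's DHCP server does not hand out 192.168.10.200-250.

```conf
# Added example, not Endian's generated configuration. Constructed addresses:
# LAN zone 192.168.10.0/24, bridge br0 = 192.168.10.1 with tap0 enslaved,
# client pool 192.168.10.200-250 kept outside the LAN's DHCP range.
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh.pem
keepalive 10 120
persist-key
persist-tun

# --- "Bridged" checked: layer-2 TAP device on the zone's bridge ----------
# server-bridge <bridge-ip> <netmask> <pool-start> <pool-end>
# The last two arguments are the panel's "Dynamic IP pool start/end address".
# Clients get an address on the LAN itself and see its broadcast traffic,
# so no routes are needed, but each client is on the zone as if plugged
# into its switch: the zone's own firewall rules are all that separates them.
dev tap0
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.250

# --- "Bridged" unchecked: routed TUN device in its own "VPN subnet" --------
# Clients get 10.8.0.0/24 addresses; reaching the zone needs a pushed route
# and, as the note above says, VPN firewall rules that allow the traffic.
;dev tun
;server 10.8.0.0 255.255.255.0
;push "route 192.168.10.0 255.255.255.0"
```

Creating br0 and attaching tap0 to it happens outside this file (Endian does it for you when the Bridged box is checked).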
–jeroen
via: The VPN Menu — Endian UTM Appliance v2.4 documentation.
Posted in *nix, Endian, Linux, OpenVPN, Power User
Posted by jpluimers on 2010/10/12
While solving a problem where Windows 7 machines connecting through OpenVPN could not ping the machines on the GREEN LAN of an Endian (while XP machines could), I first did a few upgrades, then went on to solve the problem.
- Upgraded from ESX 3.5 to ESXi 4.1 (I needed this anyway because of Pass Through USB support)
- Upgraded the community edition appliance from Endian 2.2 to Endian 2.4 (which has more configuration options, and better ways for reporting and logging)
Then I went on solving the issue, which I suspected was a kind of routing problem. Read the rest of this entry »
Posted in Endian, ESXi4, ESXi5, ESXi5.1, Firewall, Infrastructure, OpenVPN, Power User, VMware, VMware ESXi | 8 Comments »