OpenVPN: self-signed certificate in chain

Just to bring full closure to this thread: that WAS indeed the problem. The “ca.crt” that I had received (“Virginia”) WAS NOT in fact the one that my colleague was using (“VA”), and neither one of us noticed at the time. So… basically (and purely in layman’s terms) VPN was trying to take a walk up …

OpenVPN with mixed ipv4 and ipv6 clients

Well. On the server side, specifying “proto” twice doesn’t actually do anything – “proto udp6” will make it bind a dual-stack socket to handle v4+v6, overwriting the “proto udp” in the previous line. On a 2.3 client, having two remotes, with “udp6” and “udp” is the way to go, as the old socket code cannot …

Allow Docker containers to connect to OpenVPN clients on the host tunnel interface

Context: I have been using the very good Docker container from Kyle Manna (https://github.com/kylemanna/docker-openvpn). I’m using the so-called “paranoid” documentation to set up my OpenVPN server, but in my view this should be the standard way and not the paranoid way. Configuration: In order to allow bi-directional connection between selected Docker containers and the VPN clients, …

OpenVPN make redirect-gateway optional

Just add “route-nopull” to the client openvpn config, then all pushed commands from the server are ignored. To get access to the local net, you must now add e.g. “route 192.168.5.0 255.255.255.0” to the client openvpn config, if the local net you want to connect to is 192.168.5.0/24.

OpenVPN unable to disable encryption

It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify

    ncp-disable

Disable “negotiable crypto parameters”. This completely disables cipher negotiation. When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is ‘AES-256-GCM:AES-128-GCM’ …

Getting disconnected from OpenVPN server each hour

The culprit seems to be your authentication configuration. You are using plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login which would require the client to supply a valid username/password combination to connect. Apparently, this is also required upon rekeying and your OpenVPN client seems unable to request the user name from stdin (ERROR: could not read Auth username from stdin). …

How to route only specific OpenVPN traffic through an OpenVPN based on IP filtering of the destination? [closed]

From researching this with a different angle, I have found with openvpn routes that it can be possible to traffic specific content. I’ve found the following type of setup could be used:

    # redirect all default traffic via the VPN
    redirect-gateway def1
    # redirect the Intranet network 192.168.1/24 via the VPN
    route 192.168.1.0 255.255.255.0
    # …