General Discussion: General discussion on...anything!
#21 trickyzach (Junior Member), 06-23-2009, 01:56 PM

@somms

Is it worth the upgrade?

Thanks
Zach
#22 trickyzach (Junior Member), 06-23-2009, 02:20 PM

At work I can't get it to connect.

Here is the error log:

Tue Jun 23 10:15:41 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Jun 23 10:15:41 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 23 10:15:41 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 23 10:15:41 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 23 10:15:41 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 23 10:15:41 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 23 10:15:41 2009 LZO compression initialized
Tue Jun 23 10:15:41 2009 Data Channel MTU parms [ L:1579 D:1450 EF:47 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 23 10:15:41 2009 Local Options hash (VER=V4): '62518268'
Tue Jun 23 10:15:41 2009 Expected Remote Options hash (VER=V4): 'cef5322e'
Tue Jun 23 10:15:41 2009 Attempting to establish TCP connection with XX.X.X.XX:8080
Tue Jun 23 10:15:41 2009 TCP connection established with XXXXXX:8080
Tue Jun 23 10:15:41 2009 Send to HTTP proxy: 'CONNECT xxxx.gotdns.com:1194 HTTP/1.0'
Tue Jun 23 10:15:42 2009 HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
Tue Jun 23 10:15:42 2009 HTTP proxy returned bad status
Tue Jun 23 10:15:42 2009 TCP/UDP: Closing socket
Tue Jun 23 10:15:42 2009 SIGUSR1[soft,init_instance] received, process restarting
Tue Jun 23 10:15:42 2009 Restart pause, 5 second(s)
Tue Jun 23 10:15:47 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 23 10:15:47 2009 Re-using pre-shared static key
Tue Jun 23 10:15:47 2009 LZO compression initialized
Tue Jun 23 10:15:47 2009 Data Channel MTU parms [ L:1579 D:1450 EF:47 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 23 10:15:47 2009 Local Options hash (VER=V4): '62518268'
Tue Jun 23 10:15:47 2009 Expected Remote Options hash (VER=V4): 'cef5322e'
Tue Jun 23 10:15:47 2009 Attempting to establish TCP connection with XXXXXX:8080
Tue Jun 23 10:15:47 2009 TCP connection established with XX.X.X.XX:8080
Tue Jun 23 10:15:47 2009 Send to HTTP proxy: 'CONNECT XXXX.gotdns.com:1194 HTTP/1.0'
Tue Jun 23 10:15:48 2009 HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
Tue Jun 23 10:15:48 2009 HTTP proxy returned bad status
Tue Jun 23 10:15:48 2009 TCP/UDP: Closing socket
Tue Jun 23 10:15:48 2009 SIGUSR1[soft,init_instance] received, process restarting
Tue Jun 23 10:15:48 2009 Restart pause, 5 second(s)



Client Config

dev tap0
up-delay
secret static.key
proto tcp-client
ifconfig 192.168.1.126 255.255.255.0
route-gateway 192.168.1.1
redirect-gateway def1
http-proxy xxx.xx.xx.xxx 8080
remote xxxx.gotdns.com
keepalive 10 60
http-proxy-retry
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC
comp-lzo
verb 3
float


I think it has something to do with the web filter here at work? Any suggestions?

Thanks
#23 somms (Super Moderator, FAA), 06-23-2009, 04:04 PM

OpenVPN 2.1

Yeah, looks like you can't connect through the proxy...

Code:
auto-proxy 
Try to sense HTTP or SOCKS proxy settings automatically. If no settings are present, a direct connection will be attempted. If both HTTP and SOCKS settings are present, HTTP will be preferred. If the HTTP proxy server requires a password, it will be queried from stdin or the management interface. If the underlying OS doesn't support an API for returning proxy settings, a direct connection will be attempted. Currently, only Windows clients support this option via the InternetQueryOption API. This option exists in OpenVPN 2.1 or higher.
May want to try the auto-proxy setting instead of http-proxy; otherwise, suggest changing your port to 443 and giving it another shot...

Client config: remote xxxx.gotdns.com 443
Server config: --port 443

and don't forget to adjust the firewall port under Administration/Commands in DD-WRT firmware: iptables -I INPUT -p tcp --dport 443 -j ACCEPT


#24 trickyzach (Junior Member), 06-23-2009, 04:52 PM

Doesn't look like using port 443 makes a difference.

Without http-proxy

Tue Jun 23 12:48:02 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Jun 23 12:48:02 2009 LZO compression initialized
Tue Jun 23 12:48:02 2009 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{B26E1A0C-EFCB-43C4-B304-58FB1F1DB0B7}.tap
Tue Jun 23 12:48:02 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.126/255.255.255.0 on interface {B26E1A0C-EFCB-43C4-B304-58FB1F1DB0B7} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Tue Jun 23 12:48:02 2009 Successful ARP Flush on interface [4] {B26E1A0C-EFCB-43C4-B304-58FB1F1DB0B7}
Tue Jun 23 12:48:02 2009 UDPv4 link local (bound): [undef]:443
Tue Jun 23 12:48:02 2009 UDPv4 link remote: xxxxxx:443

It just hangs.

With http proxy

Tue Jun 23 12:51:33 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Jun 23 12:51:33 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 23 12:51:33 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 23 12:51:33 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 23 12:51:33 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 23 12:51:33 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 23 12:51:33 2009 LZO compression initialized
Tue Jun 23 12:51:33 2009 Data Channel MTU parms [ L:1579 D:1450 EF:47 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 23 12:51:33 2009 Local Options hash (VER=V4): '62518268'
Tue Jun 23 12:51:33 2009 Expected Remote Options hash (VER=V4): 'cef5322e'
Tue Jun 23 12:51:33 2009 Attempting to establish TCP connection with xxxxxx:8080
Tue Jun 23 12:51:33 2009 TCP connection established with xxxxxx:8080
Tue Jun 23 12:51:33 2009 Send to HTTP proxy: 'CONNECT xxxxx.gotdns.com:443 HTTP/1.0'
Tue Jun 23 12:51:39 2009 recv_line: TCP port read timeout expired
Tue Jun 23 12:51:39 2009 TCP/UDP: Closing socket
Tue Jun 23 12:51:39 2009 SIGUSR1[soft,init_instance] received, process restarting
Tue Jun 23 12:51:39 2009 Restart pause, 5 second(s)


Couldn't figure out where to put the auto-proxy parameter.

Shame if I can't get this to work at work, but not the end of the world. More just a curiosity thing at this point.
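The two logs in #22 and #24 are the client's view of a single HTTP CONNECT request: in #22 the proxy answers `403 Forbidden` for port 1194, in #24 it never answers for port 443 and the client gives up with `recv_line: TCP port read timeout expired`. As an added example, not code from the thread or from OpenVPN, here is that exchange with both sides in-process: a small filtering proxy that tunnels only a constructed allow-list of destination ports, and a client that sends the same request line OpenVPN logs and classifies the reply the way OpenVPN does (anything other than a 2xx status is "bad status" and a restart). The remote host name and the allow-list are constructed; the silent-proxy mode models one way a proxy can produce the timeout line, not a claim about what the poster's workplace proxy did.

```python
"""HTTP CONNECT exchange as seen by an OpenVPN --http-proxy client.
Added example with an in-process filtering proxy so it runs offline;
not OpenVPN's own code."""
import socket
import threading


def start_filtering_proxy(allowed_ports, respond=True):
    """Start a one-shot CONNECT proxy on 127.0.0.1 and return (port, thread).

    allowed_ports: destination ports the proxy will tunnel; anything else
    is answered with '403 Forbidden', like the proxy in post #22.
    respond=False: accept the TCP session but never answer the request,
    one way a client ends up logging 'TCP port read timeout expired'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with conn:
                request = b""
                while not request.endswith(b"\r\n\r\n"):
                    chunk = conn.recv(1024)
                    if not chunk:
                        return
                    request += chunk
                if not respond:
                    # Hold the session open and say nothing until the peer gives up.
                    while conn.recv(1024):
                        pass
                    return
                # Request line is 'CONNECT host:port HTTP/1.0'
                target = request.split(b" ", 2)[1].decode()
                dest_port = int(target.rsplit(":", 1)[1])
                if dest_port in allowed_ports:
                    conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        finally:
            listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def proxy_connect(proxy_host, proxy_port, remote_host, remote_port, timeout=1.0):
    """Send the CONNECT request line from the posted log and return the proxy's
    status line, or the failure text OpenVPN would log instead."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    with sock:
        sock.sendall(f"CONNECT {remote_host}:{remote_port} HTTP/1.0\r\n\r\n".encode())
        status = b""
        try:
            while not status.endswith(b"\r\n"):
                byte = sock.recv(1)
                if not byte:
                    return "proxy closed connection without a status line"
                status += byte
        except socket.timeout:
            return "recv_line: TCP port read timeout expired"
    return status.decode().strip()


def status_is_tunnel_open(status_line):
    """OpenVPN proceeds only on a 2xx status; anything else is logged as
    'HTTP proxy returned bad status' followed by a restart."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2")


def probe(remote_port, allowed_ports=frozenset({443}), respond=True):
    """Run one client/proxy exchange against the in-process proxy."""
    port, thread = start_filtering_proxy(allowed_ports, respond)
    # Hostname is constructed; the proxy only looks at the port.
    result = proxy_connect("127.0.0.1", port, "vpn.example.invalid", remote_port)
    thread.join(timeout=2)
    return result


if __name__ == "__main__":
    for dest in (1194, 443):
        line = probe(dest)
        print(f"CONNECT to port {dest}: {line!r} -> tunnel open: {status_is_tunnel_open(line)}")
    print("silent proxy:", probe(443, respond=False))
```

Run against a real proxy, `proxy_connect` is a one-shot check of what the proxy's CONNECT policy says about a given destination port before touching the OpenVPN config; the status line it returns is exactly the `HTTP proxy returned:` text in the log.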
#25 menders (Member), 06-23-2009, 06:55 PM

Without http-proxy it looks like it's using UDP, not TCP. That's the problem in that case.

I don't know why it fails when configured for an HTTP proxy, but I don't use one to connect to my server and never have. I'm afraid I won't be much help there.
#26 palawan (Senior Member), 06-29-2009, 09:10 AM

Quote (originally posted by somms):
FWIW: Latest DD-WRT 12360M EKO vpn build now contains OpenVPN rc18!

BTW: Don't forget to add 'management localhost 5001' in the OpenVPN Config box setting of OpenVPN Daemon to enable the status tab of DD-WRT pictured above...
I just want to say thank you very much, somms, for alerting all of us to this wonderful project called DD-WRT (especially the OpenVPN component). I got my OpenVPN EKO build 12360 running on the Buffalo WHR-G54S I purchased solely for the purpose of this DD-WRT/OpenVPN project.

WinXP was surprisingly easy to configure. OS X had some hiccups that needed some "--push" commands in the router startup script. I also ended up purchasing Viscosity as an OS X client, but I have no regrets because of the cool interface it provides.

I'm just using the startup script with a static key because I got my PKI certificates all mixed up and it just cost me too much time. I don't get the nice interface, but there is a management server that I can telnet to from the command prompt of the router that gives useful info using the "log" and "state" commands.

I was very pleasantly surprised that there is less than 10 percent impact on the bandwidth and it works very well with slow connections! The only downside (in my case) is that the download/upload bandwidth is "reversed", and since my upload (as provided by my home ISP) is limited to 450kb/s, that is now my new download speed limit. I think it's more than enough for the convenience of having a secure connection when using free wifi or untrusted networks.

Thanks.


my notebook: dell inspiron 11z - 11.6" display | intel core i3 330um | 6gb ddr3 ram | 80gb Intel ssd | Linux Mint 12 OS - Cinnamon 1.4 [Virtual Machine - WinXP SP3]
#27 somms (Super Moderator, FAA), 06-29-2009, 02:37 PM

Glad you got it workin'!

BTW: Using OpenVPN w/certificates is really the way to go and the hardest part is generating the keys/cert., after that initial headache the rest is downhill!

Services/VPN/OpenVPN Daemon/OpenVPN Config:
Code:
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.224
management localhost 5001
comp-lzo
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "persist-tun"
push "persist-key"
port 1194
cipher BF-CBC
dev tap0
proto tcp-server
keepalive 10 60
max-clients 3
duplicate-cn
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Client Config:
Code:
up-delay
tls-client
dev tap
proto tcp-client
remote my.dyndns.net 1194
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
float
nobind
pull
redirect-gateway def1
http-proxy amcproxy.faa.gov 8080
http-proxy-retry
ca keys\\ca.crt
cert keys\\client1.crt
key keys\\client1.key
FWIW: Above are my 100% working server/client configs using rc18 OpenVPN TCP proto thru proxy server...

Administration/Commands/Startup:
Code:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
Administration/Commands/Firewall:
Code:
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT


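The server and client configs in the post above are short enough to review by eye, but a practitioner would want the review written down. As an added example, not DD-WRT's or OpenVPN's tooling and not something the poster ran, here is a small parser for OpenVPN's directive/argument file format with the posted configs embedded as sample data (trimmed to the lines the checks inspect; the Windows paths keep their doubled backslashes as in the post), plus a handful of checks that encode documented OpenVPN facts: BF-CBC is a 64-bit block cipher that OpenVPN 2.4 and later warn about, `ns-cert-type` was superseded by `remote-cert-tls`, `duplicate-cn` lets several clients share one certificate, `management` takes an optional password file as its third argument, `secret` is static-key mode without forward secrecy, and `tls-auth`/`tls-crypt` are what keep the daemon from handshaking with arbitrary peers. The findings text is mine.

```python
"""Small linter for OpenVPN configs, written for this page as an added example.
The two configs are copied from the post as sample data and trimmed."""
import shlex

SERVER_CONFIG = """\
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.224
management localhost 5001
comp-lzo
push "dhcp-option DNS 208.67.222.222"
push "persist-tun"
port 1194
cipher BF-CBC
dev tap0
proto tcp-server
keepalive 10 60
max-clients 3
duplicate-cn
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
"""

# '\\\\' in this Python literal is the '\\' OpenVPN expects in Windows paths.
CLIENT_CONFIG = """\
tls-client
dev tap
proto tcp-client
remote my.dyndns.net 1194
ns-cert-type server
cipher BF-CBC
comp-lzo
pull
ca keys\\\\ca.crt
cert keys\\\\client1.crt
key keys\\\\client1.key
"""

# Cipher families with a 64-bit block size; OpenVPN 2.4+ logs a warning for them.
SMALL_BLOCK_CIPHERS = ("BF-", "DES-", "CAST5-")


def parse_config(text):
    """Return [(directive, [args])] in file order. Blank lines and '#'/';'
    comment lines are skipped; quoted args such as push "..." stay whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def lint(entries):
    """Return a list of findings; each finding starts with the directive name."""
    by_name = {}
    for name, args in entries:
        by_name.setdefault(name, []).append(args)
    findings = []
    for args in by_name.get("cipher", []):
        if args and args[0].upper().startswith(SMALL_BLOCK_CIPHERS):
            findings.append(f"cipher {args[0]}: 64-bit block cipher; "
                            "prefer AES (AES-256-CBC, or AES-256-GCM on 2.4+)")
    if "secret" in by_name:
        findings.append("secret: static-key mode, so one file is the whole secret "
                        "and there is no forward secrecy; TLS mode with per-client certs is preferable")
    if "duplicate-cn" in by_name:
        findings.append("duplicate-cn: several clients may connect with the same certificate, "
                        "so a copied client cert cannot be told apart from the legitimate one")
    for args in by_name.get("management", []):
        if len(args) < 3:
            findings.append(f"management {' '.join(args)}: no password file (third argument), "
                            "so anything that can reach that address controls the daemon; keep it on localhost")
    if "ns-cert-type" in by_name:
        findings.append("ns-cert-type: deprecated nsCertType check; "
                        "remote-cert-tls server checks the extended key usage field instead")
    tls_mode = {"tls-client", "tls-server", "server-bridge", "server"} & by_name.keys()
    if tls_mode and not ({"tls-auth", "tls-crypt"} & by_name.keys()):
        findings.append("tls-auth/tls-crypt: absent; without the HMAC check the daemon "
                        "performs a TLS handshake with any peer that reaches the port")
    return findings


def report(text):
    """Parse and lint one config text."""
    return lint(parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("server", SERVER_CONFIG), ("client", CLIENT_CONFIG)):
        print(f"--- {label}")
        for finding in report(cfg):
            print(" *", finding)
```

The `push "..."` lines are the reason for `shlex` rather than `str.split`: OpenVPN keeps the quoted string as a single argument, and a naive split would break the DNS push into three tokens.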
#28 palawan (Senior Member), 06-30-2009, 02:45 AM

@somms, you're very generous! I'm absolutely copying that down and putting it away for when I'm ready to switch to PKI certificates! Thank you very much! I'm sure you changed your local subnet from 192.168.1.1 as that easily conflicts with the local subnet of most open WiFi networks (or most "jump-off" subnets), and your outside port shouldn't be the default that every hacker would try to "hit" (IMHO).

Funny thing is that I bought a used Buffalo router from Amazon to save money, and it came with DD-WRT (old version, though). I wiped it out and put the new version on, and I also did the 30/30/30 reset when I went to the EKO build 12360 (OpenVPN rc18). I don't want any malware/trojan scripts in the NVRAM to be active. There are a few sellers on eBay that are selling routers with DD-WRT preloaded...

When I have some time (maybe tomorrow) I'm going to use a wired connection and span the switch port and see what kind of traffic (if any) I can sniff out when I'm connected on the OpenVPN. I saw a little bit of what to expect, because the Aruba WiFi system I administer shows the (layer 3) IP connections of my laptop, and as soon as I connected to OpenVPN, it couldn't see the stuff I'm connecting to anymore. I go to www dot whatismyip dot com to check my IP on the internet, and as soon as I connect on the OpenVPN, it changes and shows my IP address as the home router.


The only thing is that my absolute limit on the bandwidth is my home upload limit, which is a respectable ~500kb. More than enough when accessing the internet for one person, but a little disappointing when I know the Aruba wireless connection can do more than 12mb/s. The bandwidth impact of OpenVPN is probably around 5%. Just really small, which is very good! Maybe if I had a much higher upload limit, I would see the overhead to be a higher percentage... I can bring it to work and maybe test it on a connection that has equal bandwidth on the upload/download. Maybe someday...

Here's mine (but changed a little bit on the port and local/VPN subnet):
The --push commands were not needed by WinXP but needed by OS X.

startup:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
blah... certificate... blah
-----END OpenVPN Static key V1-----
" > /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 6655 --proto udp --verb 5 --daemon --push "dhcp-option DNS 192.168.13.13" --push "redirect-gateway def1" --management localhost 5001

firewall:
iptables -I INPUT 1 -p udp --dport 6655 -j ACCEPT

management:
root@dd-wrt-vpn:~# telnet localhost 5001
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
version
OpenVPN Version: OpenVPN 2.1_rc18 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jun 22 2009
Management Version: 1
END
state
1246325202,CONNECTED,SUCCESS,,10.10.10.10 (changed to hide actual address)
log all (shows all history connections with foreign ip addresses and command history)


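The telnet session at the end of the post above is the management interface's line protocol: a `>INFO:` banner on connect, then for each command some reply lines followed by `END` (the real daemon also terminates `state` output with `END`; the post omitted it). As an added example, not code from the thread or from OpenVPN, here is a small client that speaks that exchange and parses the `state` line into its five comma-separated fields (time, state, description, local IP, remote IP), paired with an in-process mock daemon that replays the posted session so it runs offline; the masked `10.10.10.10` address and the rc18 version string are copied from the post as constructed sample data. The same client works against a daemon started with `management localhost 5001`. The interface has no authentication unless a password file is given as the third argument of `management`, which is why binding it to localhost and using it from the router's own shell, as the post does, is the right setup.

```python
"""Minimal OpenVPN management-interface client plus a mock daemon that replays
the posted 'version' / 'state' session. Added example, not OpenVPN's code."""
import socket
import threading

# Constructed replay of the session in the post (address already masked there).
BANNER = b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
MOCK_REPLIES = {
    b"version": (b"OpenVPN Version: OpenVPN 2.1_rc18 mipsel-unknown-linux-gnu "
                 b"[SSL] [LZO1] [EPOLL] built on Jun 22 2009\r\n"
                 b"Management Version: 1\r\nEND\r\n"),
    b"state": b"1246325202,CONNECTED,SUCCESS,,10.10.10.10\r\nEND\r\n",
}


def start_mock_daemon():
    """Listen on 127.0.0.1 (random port), serve one client, return (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with conn, conn.makefile("rb") as reader:
                conn.sendall(BANNER)
                for raw in reader:
                    cmd = raw.strip()
                    if cmd == b"quit":
                        break
                    conn.sendall(MOCK_REPLIES.get(
                        cmd, b"ERROR: unknown command, enter 'help' for more options\r\n"))
        finally:
            listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


class ManagementClient:
    """Line-oriented client: each command is answered by zero or more lines, then 'END'."""

    def __init__(self, host, port, timeout=2.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")
        self.banner = self._readline()  # the daemon greets first

    def _readline(self):
        return self.reader.readline().decode().rstrip("\r\n")

    def command(self, cmd):
        """Send one command and collect its reply lines up to the END terminator."""
        self.sock.sendall(cmd.encode() + b"\r\n")
        lines = []
        while True:
            line = self._readline()
            if line == "END":
                return lines
            if line.startswith("ERROR:") or line == "":
                raise RuntimeError(line or "connection closed")
            lines.append(line)

    def state(self):
        """Parse the 'state' line: time,state,description,local_ip,remote_ip."""
        fields = self.command("state")[0].split(",")
        return {"time": int(fields[0]), "state": fields[1], "description": fields[2],
                "local_ip": fields[3] or None, "remote_ip": fields[4]}

    def close(self):
        try:
            self.sock.sendall(b"quit\r\n")
        finally:
            self.reader.close()
            self.sock.close()


def query_mock():
    """Full exchange against the mock daemon; returns banner, version lines, state."""
    port, thread = start_mock_daemon()
    client = ManagementClient("127.0.0.1", port)
    try:
        result = {"banner": client.banner,
                  "version": client.command("version"),
                  "state": client.state()}
    finally:
        client.close()
    thread.join(timeout=2)
    return result


if __name__ == "__main__":
    for key, value in query_mock().items():
        print(f"{key}: {value}")
```

The empty fourth field in the posted `state` line is the local IP, which is blank because the static-key tap setup in the post assigns no address through OpenVPN itself; the client maps that to `None` rather than an empty string so callers can test for it.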
#29 somms (Super Moderator, FAA), 06-30-2009, 01:39 PM

Quote (originally posted by palawan):
i'm sure you changed your local subnet from 192.168.1.1 as that easily conflicts with the local subnet of most open wifi's (or most "jump-off" subnets) and your outside port shouldn't be the default that every hacker would try to "hit" (imho).
OpenVPN - Site-to-Site Bridged VPN Between Two Routers - DD-WRT Wiki

Nah, kept it 192.168.1.1 since no conflict when connecting from work and my kid's DD-WRT router is also 192.168.1.xx which is necessary for remote site to site bridge between our routers...


#30 palawan (Senior Member), 07-01-2009, 05:42 PM

Very nice! I'm glad I don't have to tackle a site-to-site project with DD-WRT for now.

Some good news for me: yesterday late afternoon, I was getting over 700kb (down/up) from www speedtest net while connected on the DD-WRT VPN. I said, hmmmnn, must be wrong data; I went to www dslreports com / stest, and similar results... hmmnn, must be some caching of files. So, when I got home I tested my cable modem last night, and I was getting over 900kb upload! The download has always been fast (over 15mb/s), but this upload speed was my bottleneck when connecting on VPN. I'm at work and just tested it while connected on VPN; I got 870kb/s. I hope it stays this way...


Copyright © 2008-2016 MyDellMini.com.