network – OpenVPN connection error: connection activation failed: source connection not found

This concerns Ubuntu 18.04 LTS.

The desktop environment of the XFCE4 GUI is installed.

After upgrading from 16.04 LTS to 18.04 LTS, my VPN connections, which previously worked, no longer work. I've set up PPTP and OpenVPN connections.

The netplan configuration is

network:
  version: 2
  ethernets:
    enp1s0:
      addresses: []
      dhcp4: true

Please note that I have pretty much exhausted everything I can find on the Internet on this topic, but my knowledge and networking expertise at this level is limited.

With the desktop nm applet, the VPN connection elements are dimmed. By starting nm-applet with sudo, the elements seem active but do not respond.

Using nmcli:

nmcli con gives me

myOpenVPN  9439b05e-bc7e-419b-8679-95aa84394af2  vpn  -

I notice that the DEVICE column is empty. Should it be?

Trying

sudo nmcli c up myOpenVPN

gives me

Error: Connection activation failed: Can not find source connection.

/var/log/openvpn is empty.

grep VPN /var/log/syslog

gives me

/etc/NetworkManager/system-connections/myOpenVPN (9439b05e-bc7e-419b-8679-95aa84394af2,"myOpenVPN")
Jun 15 14:55:21 mythserver02 NetworkManager[1961]: [1560576321.7239] audit: op="connection-activate" uuid="9439b05e-bc7e-419b-8679-95aa84394af2" name="myOpenVPN" pid=19429 uid=0 result="fail" reason="Can not find source connection."

journalctl -u NetworkManager.service

Jun 15 14:51:44 mythserver02 NetworkManager[1961]: [1560576104.9623] authentication request error for org.freedesktop.NetworkManager.reload: Authorization check failed: Failed to open file "/proc/19299/status": No such file or directory
Jun 15 14:51:44 mythserver02 NetworkManager[1961]: [1560576104.9629] authentication request error for org.freedesktop.NetworkManager.checkpoint-rollback: Authorization check failed: Failed to open file "/proc/19299/status": No such file or directory
Jun 15 14:51:44 mythserver02 NetworkManager[1961]: [1560576104.9635] authentication request error for org.freedesktop.NetworkManager.enable-disable-statistics: Failed to check for permission: Failed to open file "/proc/19299/status": No such file or directory
Jun 15 14:51:44 mythserver02 NetworkManager[1961]: [1560576104.9640] authentication request error for org.freedesktop.NetworkManager.enable-disable-connectivity-check: Failed to check for permission: Failed to open file "/proc/19299/status": No such file or directory
Jun 15 14:55:21 mythserver02 NetworkManager[1961]: [1560576321.7239] audit: op="connection-activate" uuid="9439b05e-bc7e-419b-8679-95aa84394af2" name="myOpenVPN" pid=19429 uid=0 result="fail" reason="Can not find source connection."

There is no /proc/19222 – what is it?

Help, anyone?

Thank you

Authentication – WebUI Client OpenVPN Fails After OpenVPN AS Installation

I just installed OpenVPN AS on Ubuntu 16.04. After installation, I can access the admin web interface and log in with the user openvpn. None of the client connections work; I just get the message "Failed to connect".

In the log reports of the admin page, the following error is logged:

- rolf-PE-860
- oclient
- 06/09/19 00:23
- WEB_CLIENT
- 192.168.10.215
- Local authentication failure: no stored password digest found in authcred attributes:
  auth/authlocal:35, web/http:1609, web/http:750, web/server:127, web/server:134, xml/authrpc:110, xml/authrpc:164, internet/deferred:102, xml/authsess:50, sagent/saccess:86, xml/authrpc:244, xml/authsess:50, xml/authsess:103, auth/authdelegate:308, util/delegate:26, auth/authdelegate:237, util/defer:224, util/deferred:246, internet/delayed:190, internet/deferred:181, internet/deferred:323, util/deferred:246, internet/deferred:190, internet/deferred:181, internet/deferred:323, util/deferred:245, internet/deferred:102, auth/authdelegate:61, auth/authdelegate:240, user/delegate:26, auth/authlocal:35, util/error:61, util/error:44

Can someone help me understand what the problem is?

Thank you

vpn – Multiple OpenVPN sharing an IP address / external port

Situation: We need several OpenVPN services (or equivalent) reachable externally on port 443. In an ideal world they would share a single external IP address and be distinguished by the subnet(s) each one serves. "The company" is afraid to give us several externally reachable IP addresses, so we are looking for a way to share the one we currently have between multiple VPN services.

We cannot mix VPN traffic for security reasons, hence the need for multiple independent VPN services.

I imagine a service (possibly hypothetical) that would listen on port 443 and route VPN traffic based on the 10.xx subnet of each VPN. Once the traffic was "internal" to our network, it could go to whichever host/service/port is needed.

I do not know if it's feasible or practical, but for whatever reason, I think it should be possible.

port forwarding – OpenVPN over stunnel does not work when forwarded through a router, but does internally

I'm trying to set up OpenVPN over stunnel on my personal server.

OpenVPN runs over TCP and connects fine without stunnel, even when connecting through a forwarded port on the router.

OpenVPN encapsulated in stunnel works correctly when not connecting through the router's forwarded port, i.e. when stunnel sends to an internal IP.

stunnel itself seems to work properly when connecting through a port forwarded on the router: I configured an stunnel for SSH and it connects correctly; I even left it in a while loop echoing to the console for a few minutes to see if it would fail.

However, when running OpenVPN over stunnel through a port forwarded on the router, the connection appears to come up but is then dropped and I cannot get web traffic through.

I've been debugging it all day and any help would be greatly appreciated.

I get the following warnings in the OpenVPN log:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

stunnel server settings (SSH test included):

[openvpn]
accept = 44444
connect = 127.0.0.1:1194
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
accept = 55555
connect = 127.0.0.1:22

Client stunnel settings:

[openvpn]
client = yes
accept = 127.0.0.1:11194
; public host name was left out of the original post
connect = :44444
; cert = /usr/local/etc/stunnel/cert.pem
; connect = 192.168.255.25:44444
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
client = yes
accept = 127.0.0.1:2222
connect = :55555

OpenVPN client config:

remote localhost 11194
proto tcp
remote-cert-tls server

client
dev tun
resolv-retry infinite
keepalive 10 120
nobind
comp-lzo
verb 3

OpenVPN server config:

port 1194
proto tcp
dev tun

comp-lzo
keepalive 10 120

persist-key
persist-tun
# unprivileged user/group as given in the post (Debian-style names)
user nobody
group nogroup

chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem

ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt

ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4

Full OpenVPN client log:

2019-05-27 14:10:53 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.14.6; Tunnelblick 3.7.5a (build 5011); prior version 3.4.0 (build 4007)
2019-05-27 14:10:53 *Tunnelblick: Attempting connection with mikewarde_tcp_stunnel using shadow copy; Set nameserver = 769; monitoring connection
2019-05-27 14:10:53 *Tunnelblick: openvpnstart start mikewarde_tcp_stunnel.tblk 1337 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.4-openssl-1.0.2o
2019-05-27 14:10:54 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2o/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Smikewarde-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smikewarde_tcp_stunnel.tblk-SContents-SResources-Sconfig.ovpn.769_0_06264.33.
--cd
/Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
--verb
3
--config
/Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources
--management
127.0.0.1
1337
/Library/Application Support/Tunnelblick/fognhooiggkindigaihckcifckpilcfpnmgdikmh.mip
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2019-05-27 14:10:54 *Tunnelblick: Established communication with OpenVPN
2019-05-27 14:10:54 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 27 2018
2019-05-27 14:10:54 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2019-05-27 14:10:54 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 Need hold release from management interface, waiting...
2019-05-27 14:10:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 MANAGEMENT: CMD 'pid'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state on'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state'
2019-05-27 14:10:54 MANAGEMENT: CMD 'bytecount 1'
2019-05-27 14:10:54 MANAGEMENT: CMD 'hold release'
2019-05-27 14:10:54 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:10:54 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,RESOLVE,,,,,,,
2019-05-27 14:10:54 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:54 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:10:54 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,TCP_CONNECT,,,,,,,
2019-05-27 14:10:55 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 TCP_CLIENT link local: (not bound)
2019-05-27 14:10:55 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,WAIT,,,,,,,
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,AUTH,,,,,,,
2019-05-27 14:10:55 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=c58c277c 5918dc12
2019-05-27 14:10:55 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=turnkey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 VERIFY KU OK
2019-05-27 14:10:55 Validating certificate extended key usage
2019-05-27 14:10:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:10:55 VERIFY EKU OK
2019-05-27 14:10:55 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=turnkey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:10:55 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,GET_CONFIG,,,,,,,
2019-05-27 14:10:57 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2019-05-27 14:10:57 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.222.29.1,topology net30,ping 10,ping-restart 120,ifconfig 10.222.29.6 10.222.29.5,peer-id 0,cipher AES-256-GCM'
2019-05-27 14:10:57 OPTIONS IMPORT: timers and/or timeouts modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ifconfig/up options modified
2019-05-27 14:10:57 OPTIONS IMPORT: route options modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-05-27 14:10:57 OPTIONS IMPORT: peer-id set
2019-05-27 14:10:57 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-05-27 14:10:57 OPTIONS IMPORT: data channel crypto options modified
2019-05-27 14:10:57 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-05-27 14:10:57 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opened utun device utun2
2019-05-27 14:10:57 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,ASSIGN_IP,,10.222.29.6,,,,
2019-05-27 14:10:57 /sbin/ifconfig utun2 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2019-05-27 14:10:57 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-05-27 14:10:57 /sbin/ifconfig utun2 10.222.29.6 10.222.29.5 mtu 1500 netmask 255.255.255.255 up
2019-05-27 14:10:57 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
*********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'iPhone USB'
Disabled IPv6 for 'Wi-Fi'
Disabled IPv6 for 'Bluetooth PAN'
Disabled IPv6 for 'Thunderbolt Bridge'
Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
Setting search domains to 'openvpn' because running under OS X 10.6 or later and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Did not change DNS ServerAddresses setting of '1.1.1.1 1.0.0.1' (but re-set it)
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from '' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '1.1.1.1 1.0.0.1' were set manually
DNS servers '1.1.1.1 1.0.0.1' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
*********************************************
2019-05-27 14:11:00 *Tunnelblick: No 'connected.sh' script to execute
2019-05-27 14:11:00 /sbin/route add -net 127.0.0.1 192.168.255.1 255.255.255.255
add net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:00 /sbin/route add -net 0.0.0.0 10.222.29.5 128.0.0.0
add net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 /sbin/route add -net 128.0.0.0 10.222.29.5 128.0.0.0
add net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,ADD_ROUTES,,,,,,,
2019-05-27 14:11:00 /sbin/route add -net 10.222.29.1 10.222.29.5 255.255.255.255
add net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-05-27 14:11:00 Initialization Sequence Completed
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,CONNECTED,SUCCESS,10.222.29.6,127.0.0.1,11194,127.0.0.1,55166
2019-05-27 14:11:24 Connection reset, restarting [-1]
2019-05-27 14:11:24 /sbin/route delete -net 10.222.29.1 10.222.29.5 255.255.255.255
delete net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 127.0.0.1 192.168.255.1 255.255.255.255
delete net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:24 /sbin/route delete -net 0.0.0.0 10.222.29.5 128.0.0.0
delete net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 128.0.0.0 10.222.29.5 128.0.0.0
delete net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 Closing TUN/TAP interface
2019-05-27 14:11:24 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
*********************************************
Start of output from client.down.tunnelblick.sh
Cancelled monitoring of system configuration changes
Restored the DNS and SMB configurations
Re-enabled IPv6 (automatic) for 'iPhone USB'
Re-enabled IPv6 (automatic) for 'Wi-Fi'
Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
Re-enabled IPv6 (automatic) for 'Thunderbolt Bridge'
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
End of output from client.down.tunnelblick.sh
*********************************************
2019-05-27 14:11:25 SIGUSR1[soft,connection-reset] received, process restarting
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,RECONNECTING,connection-reset,,,,,
2019-05-27 14:11:25 *Tunnelblick: No 'reconnecting.sh' script to execute
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:11:25 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:25 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:11:25 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,TCP_CONNECT,,,,,,,
2019-05-27 14:11:26 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 TCP_CLIENT link local: (not bound)
2019-05-27 14:11:26 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,WAIT,,,,,,,
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,AUTH,,,,,,,
2019-05-27 14:11:26 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=072914d3 4912c8a0
2019-05-27 14:11:26 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=turnkey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 VERIFY KU OK
2019-05-27 14:11:26 Validating certificate extended key usage
2019-05-27 14:11:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:11:26 VERIFY EKU OK
2019-05-27 14:11:26 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=turnkey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
2019-05-27 14:11:26 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
2019-05-27 14:11:26 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2019-05-27 14:11:26 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-05-27 14:11:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:11:26 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2019-05-27 14:11:27 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Disconnecting using 'kill'
2019-05-27 14:11:27 event_wait : Interrupted system call (code=4)
2019-05-27 14:11:27 SIGTERM[hard,] received, process exiting
2019-05-27 14:11:27 MANAGEMENT: >STATE:1558962687,EXITING,SIGTERM,,,,,
2019-05-27 14:11:27 *Tunnelblick: No 'post-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Expected disconnection occurred.
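The four "is used inconsistently" warnings in the log above are OpenVPN comparing the static option strings that both peers advertise. The Python below is an added example, not part of the post or of OpenVPN, that pulls those warnings out of a client log, separates the ones that bear on data-channel protection (cipher, auth, keysize) from the benign link-mtu one, and downgrades a cipher mismatch when the same log shows the data channel negotiated a cipher, as the first, successful connection in the post did. The sample lines are constructed, modeled on the warnings quoted above; the bucket names and the `SECURITY_RELEVANT` set are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, modeled on the warnings quoted in the post above
# (same option values, illustrative timestamps).
SAMPLE_LOG = """\
2019-05-27 14:11:26 VERIFY OK: depth=0, C=US, CN=server
2019-05-27 14:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
2019-05-27 14:11:26 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
2019-05-27 14:11:26 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2019-05-27 14:11:26 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-05-27 14:11:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""
# Same session, but the data channel went on to negotiate a cipher (NCP).
SAMPLE_LOG_NEGOTIATED = SAMPLE_LOG + \
    "2019-05-27 14:11:27 Data Channel: using negotiated cipher 'AES-256-GCM'\n"

MISMATCH_RE = re.compile(
    r"WARNING: '(?P<option>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
NEGOTIATED_RE = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")

# Options whose disagreement changes how the data channel is protected
# (this example's own list); link-mtu only affects fragmentation/throughput.
SECURITY_RELEVANT = {"cipher", "auth", "keysize", "tls-auth", "tls-crypt"}


def parse_mismatches(log_text: str) -> List[Dict[str, str]]:
    """One dict (option, local, remote) per 'is used inconsistently' line."""
    found: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def negotiated_cipher(log_text: str) -> Optional[str]:
    """Cipher the data channel actually settled on, or None if never logged."""
    m = NEGOTIATED_RE.search(log_text)
    return m.group(1) if m else None


def assess(log_text: str) -> Dict[str, List[str]]:
    """Bucket mismatches into 'security' and 'benign' with a one-line reason."""
    report: Dict[str, List[str]] = {"security": [], "benign": []}
    negotiated = negotiated_cipher(log_text)
    for mm in parse_mismatches(log_text):
        opt = mm["option"]
        entry = f"{opt}: local={mm['local']!r} remote={mm['remote']!r}"
        if opt == "cipher" and negotiated:
            # The static cipher strings differed, but NCP picked the data
            # channel cipher, so this mismatch did not decide what is used.
            report["benign"].append(f"{entry} (superseded by negotiated {negotiated})")
        elif opt in SECURITY_RELEVANT:
            report["security"].append(entry)
        else:
            report["benign"].append(entry)
    return report


if __name__ == "__main__":
    for bucket, entries in assess(SAMPLE_LOG).items():
        print(bucket.upper())
        for e in entries:
            print("  ", e)
```

Reading the output against this post: `auth [null-digest]` on the local side is what a client configured for an AEAD cipher such as AES-256-GCM reports, while `BF-CBC`, `SHA1` and `keysize 128` on the remote side are OpenVPN 2.4's legacy defaults for a peer that sets no cipher. Once the log shows "using negotiated cipher", the cipher warning is advisory; a peer that cannot negotiate would instead fall back to the 64-bit block cipher BF-CBC, which is why the script keeps the warning in the security bucket when no negotiation line is present.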

networking – OpenVPN multi-client proxy

I confess that I have almost no idea how, but what I want to achieve looks like this:

(diagram omitted)

So the system (a container or Docker machine) would be responsible for managing the OpenVPN profile tunnels and for forwarding HTTP requests and proxying the responses.
Is such a system feasible? What should I focus on?
If you have better suggestions, I would also like to read them.

vpn – OpenVPN on any device, DNS forwarding only

I'm exploring everything I can do with OpenVPN and one of the main issues is DNS.

I have a Raspberry Pi at home running OpenVPN and the OpenVPN client on my iDevices.

Everything works perfectly. However, all traffic is tunneled. Although that's OK, what I would prefer is to tunnel only DNS and whatever goes to the local network.

For example, if I wanted to stream Netflix, there is no reason to push all that traffic over the tunnel (bandwidth is less of a problem than CPU power …).

Ideas? I think this can be done (Cloudflare as a DNS-only "VPN" service).

Thank you!

rsa – How to limit the size of an OpenSSL key to 2048 bytes for OpenVPN?

I'm trying to run a personal VPN with OpenVPN and I'm getting a fatal error when starting the service …

The openvpn key file can contain up to 2048 bytes.

I'm using openssl to generate my keys like this …

openssl genrsa -out /etc/ssl/my.key 2048

And the resulting key is 3272 bytes. I'm not sure what I'm supposed to do here to reduce the size of the key file. Should I reduce the strength of the key to 1024? That seems counterintuitive because I would prefer a stronger key, wouldn't I?

Just to add some details, I use Let's Encrypt to sign the key and produce the public keys … Should I generate self-signed keys, and would that have any connection to the errors above? In addition, I use a 4096-bit DH; not sure whether that has an effect on the size of the key.

NOTE: This is x-posted from SO, I did not know where it was best to ask … -2048-bytes-for-openvpn

How to configure OpenVPN on your VPS: Ubuntu 18.04

Who should read this tutorial:

This tutorial is for novice Linux users and DevOps users who need to add encryption to their Internet traffic. A virtual private network (an encrypted network carried over the public Internet) that allows access to specific networks or services from outside is the solution.

What are we going to cover

  1. Browse the installation of OpenVPN on Ubuntu 18.04
  2. How to install the OpenVPN client on a Windows workstation
  3. Generate a certificate and connect to the VPN server

Why would you do that?

The key advantage of a VPN is to access otherwise inaccessible resources from external networks while maintaining a minimum level of network security.

Adding an encrypted virtual private network connection to your infrastructure is usually a good idea if:

  • you are not sure of the security of the network you are connecting from (public Wi-Fi, anyone?)
  • the resources you want to use have no intrinsic security (such as network protocols that do not support strong encryption)
  • you are trying to reach resources protected by multiple layers of network security that should never be publicly reachable, such as systems holding payment card, health or security data.

My personal use case is to reach my home security system (MotionEye) from my laptop or mobile device when I travel, so that I can keep an eye on my cats and dogs and protect myself from porch pirates.


PREREQUISITES

We recommend:

  • Start with a clean VPS
  • At least 512 MB of RAM
  • 15 GB of available disk space
  • This tutorial is written for Ubuntu 18.04

Skills and tools

  • You need to know how to SSH in and get around the command line
  • An SSH client like PuTTY
  • An SFTP client like WinSCP
  • The ability to work with files and transfer files

Step One – Make sure you are on the latest and greatest

Log in to your VPS via SSH.

Update your package lists and upgrade to make sure everything is current. We also install git, because it's about 500% faster if we use the fantastic Angristan script.

$ sudo apt-get update && sudo apt-get upgrade

$ sudo apt-get install git

Do you know your public IP address, and your private IP address if you are behind a NAT device (like a router)?

Get the IP of your server

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.166  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::216:3cff:fe43:ba41  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3c:43:ba:41  txqueuelen 1000  (Ethernet)
        RX packets 11672693  bytes 1049010192 (1.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 347581  bytes 57193541 (57.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

-

If you are behind a device such as a firewall or a router, I visit http://www.whatismyip.com to find my public IP address, because it is easier than logging into the router.

Write down these IP addresses in your notebook. You might need them later.

The actual installation starts here

The process with the openvpn-install.sh script is extremely simple. We clone the script from GitHub, change into the directory that was created, make sure the script is executable, then run it as root or with sudo. This launches the installation dialog and away it goes.

$ cd ~
$ git clone https://github.com/angristan/openvpn-install openvpn-install
$ cd openvpn-install/
$ ls -l
$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.

You can leave the default options and just press Enter if you agree with them.

I need to know the IPv4 address of the network interface you want OpenVPN to listen on.
Unless your server is behind NAT, it should be your public IPv4 address.

IP address: 192.168.1.111

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen on?

        1) Default: 1194
        2) Custom
        3) Random [49152-65535]

Port choice [1-3]: 2

Custom port [1-65535]: 7777     # You may want 80 or 443 if your local network filters traffic

What protocol do you want OpenVPN to use?

UDP is faster. Unless it is not available, you shouldn't use TCP.

        1) UDP
        2) TCP

Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?

        1) Current system resolvers (from /etc/resolv.conf)
        2) Self-hosted DNS resolver (Unbound)
        3) Cloudflare (Anycast: worldwide)
        4) Quad9 (Anycast: worldwide)
        5) Quad9 uncensored (Anycast: worldwide)
        6) FDN (France)
        7) DNS.WATCH (Germany)
        8) OpenDNS (Anycast: worldwide)
        9) Google (Anycast: worldwide)
        10) Yandex Basic (Russia)
        11) AdGuard DNS (Russia)

DNS [1-10]: 9

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.

Enable compression? [y/n]: n

Do you want to customize the encryption settings?

Unless you know what you are doing, you should stick with the default parameters provided by the script.

Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
You will be able to generate a client at the end of the installation.

Press any key to continue...

Tell me a name for the client.
Use one word only, no special characters.

Client name: chad

Do you want to protect the configuration file with a password?

(e.g. encrypt the private key with a password)
        1) Add a passwordless client
        2) Use a password for the client

Select an option [1-2]: 2

You will be asked for the client password below

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.hYBMPyHfHV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr  9 03:48:48 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated
Client chad added, the configuration file is available at /root/chad.ovpn.

Download the .ovpn file and import it into your OpenVPN client.
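Whichever installer produced it, the .ovpn profile is what the client will trust, so it is worth checking before importing. The Python below is an added example, not part of this tutorial or of the Angristan script, that parses a profile and flags the settings the installer dialog asks about: compression (the VORACLE attack it mentions), a missing `remote-cert-tls server`, no `tls-crypt` or `tls-auth`, a 64-bit block cipher or no cipher at all, and `auth-user-pass` without `auth-nocache` (the warning OpenVPN itself printed in the stunnel post's log further up this page). Both sample profiles are constructed: the weak one mirrors the client config from the stunnel post, the hardened one resembles the installer's output with compression declined; the key material is a placeholder and the finding texts are this example's own wording.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample profiles. WEAK_PROFILE is modeled on the client config
# in the stunnel post above; HARDENED_PROFILE resembles what the Angristan
# installer emits with compression declined (PLACEHOLDER stands in for keys).
WEAK_PROFILE = """\
client
dev tun
proto tcp
remote localhost 11194
resolv-retry infinite
nobind
remote-cert-tls server
comp-lzo
auth-user-pass
verb 3
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote 192.0.2.10 7777
resolv-retry infinite
nobind
remote-cert-tls server
auth-nocache
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

INLINE_TAG_RE = re.compile(r"^<(/?)([a-z0-9-]+)>$")
# 64-bit block ciphers; practical birthday attacks (SWEET32) exist against them.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_profile(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Map each directive to its argument strings (one entry per occurrence)
    and collect the names of inline <tag> blocks. Block bodies (certificates,
    keys) are skipped, not parsed."""
    directives: Dict[str, List[str]] = {}
    inline: Set[str] = set()
    current_block = None
    for raw in text.splitlines():
        line = raw.strip()
        tag = INLINE_TAG_RE.match(line)
        if tag:
            closing, name = tag.groups()
            current_block = None if closing else name
            if not closing:
                inline.add(name)
            continue
        if current_block or not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives, inline


def lint_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d, inline = parse_profile(text)
    findings: List[str] = []

    # Compression on the tunnel is what the VORACLE attack needs.
    lzo_on = any(arg != "no" for arg in d.get("comp-lzo", []))
    compress_on = any(arg not in ("", "stub", "stub-v2") for arg in d.get("compress", []))
    if lzo_on or compress_on:
        findings.append("compression enabled (comp-lzo/compress): exposes the tunnel to VORACLE")

    # Without this, any client certificate from the same CA could pose as the server.
    if "server" not in d.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server missing: server certificate EKU is not checked")

    # tls-crypt/tls-auth keep unauthenticated packets off the TLS control channel.
    if not ({"tls-crypt", "tls-auth"} & (inline | set(d))):
        findings.append("no tls-crypt/tls-auth: control channel accepts packets from anyone")

    cipher = d.get("cipher", [""])[0]
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, vulnerable to SWEET32")
    elif not cipher:
        findings.append("no cipher directive: OpenVPN 2.4 defaults to BF-CBC unless the peer negotiates one")

    # The client log in the stunnel post shows OpenVPN's own warning about this.
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache: credentials may be cached in memory")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {lint_profile(profile) or ['no findings']}")
```

Point the script at a downloaded chad.ovpn by reading the file into `lint_profile`; a clean result from the installer's output is expected, because the script writes `tls-crypt`, `remote-cert-tls server`, an AEAD cipher and no compression when you answer the dialog as shown above.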

Check our work

I like to hit https://www.whatismyip.com while connected and see the remote network's address on the returned page rather than the external IP address of my local network.

Then I like to visit https://speedtest.net and see what kind of throughput I get out of the system. I got 28.75 Mbps and 73.31 Mbps. Not bad at all!

User Management

To manage OpenVPN users on the system, simply run the installer again. It detects that OpenVPN is already installed and gives us 4 management options.

  1. Add a new user
  2. Revoke an existing user
  3. Delete OpenVPN
  4. Exit
-
$ ./openvpn-install.sh 
Looks like OpenVPN is already installed.

What do you want to do?
        1) Add a new user
        2) Revoke an existing user
        3) Remove OpenVPN
        4) exit 

Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word, no special characters.

Client name: chad

Using SSL: openssl OpenSSL 1.1.0g Nov 2, 2017
Generating a 2048-bit RSA private key
............ +++
......................... +++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.YjDIHqlesv'
-----
Using the configuration of /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

commonName: ASN.1 12: 'chad'
Certificate is to be certified until Apr 22 02:45:13 2029 GMT (3650 days)
Write the database with 1 new entry
Database updated
Client chad added, the configuration is available at: /root/chad.ovpn
root@ubuntu:~/openvpn-install#
-

Open your SFTP client and copy the username.ovpn configuration file from the server to the workstation where the OpenVPN client will run.

Installing the client on a Windows 10 workstation

On the workstation, download the appropriate client from OpenVPN to https://openvpn.net/community-downloads/

Assuming Windows 10, download and run the installer, then right-click the OpenVPN icon in the system tray (the little monitor with a lock on it) and import your chad.ovpn file. Then choose chad > Connect and you should be ready to go. I like to visit https://whatismyip.com while connected and check that I see the IP address of the OpenVPN server I am connected to, not the public IP address of my local network.

Installing the OpenVPN Client on your iPhone

Get the OpenVPN Connect app from the App Store (https://itunes.apple.com/us/app/openvpn-connect/id590379981), then use a cloud file utility such as Google Drive to get the chad.ovpn file onto the phone, or do something really unsafe and send it by e-mail …

References and other options

Alternatives to OpenVPN

About the author

Sean Richards, CISSP, is a 20-year-old Linux enthusiast and security practitioner. He loves family, animals, barbecue and cycling.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards

VPN / OpenVPN behind a private WAN IP

I have a NAS server and a Raspberry Pi running some services on my home network that I would like to be able to access remotely from my cellphone or my laptop while I'm traveling. The problem is that my router, which connects to the ISP's network via PPPoE, does not have a publicly reachable IP address. Asking the ISP to forward a port to my private IP address is out of the question.

I now have the feeling that OpenVPN should be able to solve this problem, but so far I cannot understand how. Do I need the help of an intermediary to access my home network remotely? Should I install OpenVPN on every device I want to access from outside, or can one device with OpenVPN serve all the others on the same network?

networking – openvpn profile for the connection to palo alto

I'm trying to create an OpenVPN profile to connect to a Palo Alto VPN. I know they have GlobalProtect for the client side, but it requires a license. In addition, I understand that OpenVPN clients should be able to connect, so I've been playing with a new configuration profile for macOS and iOS, and so far I have not managed to connect.

Here is the configuration I have at the moment:

dev tun
proto tcp-client
remote xxxx.org 443
resolv-retry infinite
client
auth-user-pass
verify-client-cert optional
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
route 10.0.80.177/32

and I keep getting this error:

        Option error: --client-cert-not-required and --verify-client-cert require a --mode server

I searched on Google but found nothing useful.

Does anyone know how to fix this?

Note: During the test, the client certificate is set to optional or none, and TLS 1.2 is primarily used for encryption. Authentication is done by username and password.
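Two things on this page come down to inspecting the .ovpn file itself: the installer's "use a password for the client" option (and the warning about e-mailing the profile around) hinges on whether the embedded private key is passphrase-protected, and the Palo Alto error above arises because `verify-client-cert` is accepted only under `--mode server`. The following is an added example, not code from any of the posts above nor from the angristan/openvpn-install script: a small profile auditor that parses directives and inline `<tag>` blocks, flags the server-only directives I know OpenVPN rejects in a client profile (a deliberately partial list), and reports an unencrypted inline key. The hostname and key material in the sample profiles are constructed placeholders.

```python
"""Audit an OpenVPN client profile (.ovpn) for two problems raised on this page.

Added example; this is not code from any of the posts above nor from the
angristan/openvpn-install script. It checks (1) directives that OpenVPN only
accepts under --mode server, which in a client profile trigger
"Options error: ... require a --mode server", and (2) whether an inline <key>
block is passphrase-protected, which matters when the .ovpn file is moved
around by cloud drive or e-mail.
"""
import re

# Directives OpenVPN's option checks reject outside --mode server.
# Assumption: this is a deliberately partial list, not the full set.
SERVER_ONLY = {
    "server", "server-bridge", "push", "client-config-dir", "ccd-exclusive",
    "client-to-client", "duplicate-cn", "ifconfig-pool", "ifconfig-pool-persist",
    "verify-client-cert", "client-cert-not-required", "auth-user-pass-verify",
    "username-as-common-name", "max-clients",
}

# Matches an inline block such as <key> ... </key> (open and close tags must agree).
INLINE_RE = re.compile(
    r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)^</(?P=tag)>[ \t]*$",
    re.MULTILINE | re.DOTALL,
)


def parse_profile(text):
    """Split a profile into (directives, inline_blocks).

    directives: list of (name, args) in file order; '#'/';' comment lines dropped.
    inline_blocks: dict mapping tag name ('ca', 'cert', 'key', ...) to PEM body.
    """
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def server_only_directives(directives):
    """Names of directives in the profile that require --mode server."""
    return [name for name, _ in directives if name in SERVER_ONLY]


def key_is_encrypted(pem):
    """True if the PEM private key is passphrase-protected.

    OpenSSL writes either a PKCS#8 'ENCRYPTED PRIVATE KEY' block or a
    traditional PEM carrying a 'Proc-Type: 4,ENCRYPTED' header.
    """
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem
            or "Proc-Type: 4,ENCRYPTED" in pem)


def audit(text):
    """Return a list of findings; an empty list means the profile passed."""
    directives, inline = parse_profile(text)
    findings = [
        f"'{name}' requires --mode server; openvpn will refuse this client profile"
        for name in server_only_directives(directives)
    ]
    key = inline.get("key")
    if key is not None and not key_is_encrypted(key):
        findings.append("inline <key> is not passphrase-protected; "
                        "anyone who obtains this .ovpn can connect with it")
    return findings


# Constructed sample modelled on the profile in the Palo Alto post
# (hostname and key material are placeholders, not real data).
PROFILE_WITH_SERVER_OPTION = """\
dev tun
proto tcp-client
remote vpn.example.org 443
resolv-retry infinite
client
auth-user-pass
verify-client-cert optional
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<key>
-----BEGIN PRIVATE KEY-----
Tm90IGEgcmVhbCBrZXk6IGNvbnN0cnVjdGVkIHNhbXBsZSBkYXRhIG9ubHku
-----END PRIVATE KEY-----
</key>
"""

# Constructed sample: the same profile with the server-only line removed and a
# passphrase-protected (PKCS#8) key, as the installer's "use a password" option produces.
PROFILE_CLEAN = PROFILE_WITH_SERVER_OPTION.replace(
    "verify-client-cert optional\n", ""
).replace("PRIVATE KEY-----", "ENCRYPTED PRIVATE KEY-----")

if __name__ == "__main__":
    for label, profile in (("bad", PROFILE_WITH_SERVER_OPTION), ("clean", PROFILE_CLEAN)):
        print(label, audit(profile) or ["ok"])
```

Run against the first sample it reports both the `verify-client-cert` line (the exact cause of the "require a --mode server" error) and the unprotected key; the second sample passes. Adding more server-only names to `SERVER_ONLY` is the only change needed to widen the first check.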