[ale] OpenVPN help

Jim Kinney jim.kinney at gmail.com
Sat Nov 7 20:36:09 EST 2015


You'll want to disable tls 1 (1.1 is ok) and ssl 3 (all bad). Looks
encrypted.
On Nov 7, 2015 4:44 PM, "Alex Carver" <agcarver+ale at acarver.net> wrote:

> On 2015-11-07 12:45, Phil Turmel wrote:
> > On 11/07/2015 02:58 PM, dev null zero two wrote:
> >> did you set up routes and ip forwarding?
> >
> > You'll probably also need nat in the openvpn server for any external
> > traffic originating in the vpn.
>
> Ok, the NAT worked (I didn't have iptables installed at all on this
> particular machine).  Got that installed, masqueraded the VPN subnet
> over to the machine's network card and can now reach the internal traffic.
>
> Next step, trying to verify that the link is encrypted.  I've got
> debugging turned up a bit and am watching the logs.  When a connection
> is established I see the following:
>
> Sat Nov  7 16:28:28 2015 us=998372 MULTI: multi_create_instance called
> Sat Nov  7 16:28:29 2015 us=1250 166.170.49.84:20242 Re-using SSL/TLS
> context
> Sat Nov  7 16:28:29 2015 us=3046 166.170.49.84:20242 LZO compression
> initialized
> Sat Nov  7 16:28:29 2015 us=12627 166.170.49.84:20242 Control Channel
> MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Sat Nov  7 16:28:29 2015 us=15443 166.170.49.84:20242 Data Channel MTU
> parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Sat Nov  7 16:28:29 2015 us=17017 166.170.49.84:20242 Local Options
> String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
> UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize
> 128,tls-auth,key-method 2,tls-server'
> Sat Nov  7 16:28:29 2015 us=21830 166.170.49.84:20242 Expected Remote
> Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
> UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize
> 128,tls-auth,key-method 2,tls-client'
> Sat Nov  7 16:28:29 2015 us=24194 166.170.49.84:20242 Local Options hash
> (VER=V4): '14168603'
> Sat Nov  7 16:28:29 2015 us=25583 166.170.49.84:20242 Expected Remote
> Options hash (VER=V4): '504e774e'
> Sat Nov  7 16:28:29 2015 us=27203 166.170.49.84:20242 TLS: Initial
> packet from [AF_INET]166.170.49.84:20242, sid=53399d05 59f52b6e
> Sat Nov  7 16:28:37 2015 us=252588 166.170.49.84:20242
> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3
> / time = (1446942506) Sat Nov  7 16:28:26 2015 ] -- see the man page
> entry for --no-replay and --replay-window for more info or silence this
> warning with --mute-replay-warnings
>
>
> (This last set of TLS messages gets repeated a few times.)
>
> After those get repeated I get:
>
>
> Sat Nov  7 16:28:47 2015 us=176814 166.170.49.84:20242 Data Channel
> Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sat Nov  7 16:28:47 2015 us=178102 166.170.49.84:20242 Data Channel
> Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Nov  7 16:28:47 2015 us=179541 166.170.49.84:20242 Data Channel
> Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sat Nov  7 16:28:47 2015 us=180685 166.170.49.84:20242 Data Channel
> Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Nov  7 16:28:47 2015 us=253723 166.170.49.84:20242 Control Channel:
> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Sat Nov  7 16:28:47 2015 us=255138 166.170.49.84:20242 [vpntest2] Peer
> Connection Initiated with [AF_INET]166.170.49.84:20242
>
> Is it encrypted or not?
>
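A small checker that answers "is it encrypted or not?" from the server log itself, pulling the negotiated data-channel cipher/HMAC and control-channel TLS version out of lines like the ones quoted above and flagging the weak ones. This is an added example, not code from this thread; the sample lines are constructed from the quoted output, and the policy of what counts as weak (64-bit block ciphers such as BF-CBC, TLS below 1.2, SHA1 HMAC) is an assumption that goes a little beyond Jim's advice to drop TLS 1.0 and SSL 3.

```python
import re

# Constructed sample, modelled on the server lines quoted in the thread.
SAMPLE_LOG = """\
Sat Nov  7 16:28:47 2015 us=176814 166.170.49.84:20242 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov  7 16:28:47 2015 us=178102 166.170.49.84:20242 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov  7 16:28:47 2015 us=253723 166.170.49.84:20242 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Nov  7 16:28:47 2015 us=255138 166.170.49.84:20242 [vpntest2] Peer Connection Initiated with [AF_INET]166.170.49.84:20242
"""

# Assumed policy (not from the thread): 64-bit block ciphers and TLS below 1.2 are weak,
# SHA1/MD5 HMAC are deprecated, and a session counts as encrypted only if a real
# data-channel cipher and a control-channel TLS version were both logged.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEPRECATED_AUTH = {"SHA1", "MD5"}

CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
AUTH_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)' for HMAC")
CTRL_RE = re.compile(r"Control Channel: (\S+), cipher \S+ (\S+), (\d+) bit (\S+)")

def parse_session(log_text):
    """Collect the negotiated parameters from one session's OpenVPN log lines."""
    info = {}
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            info["cipher"], info["keysize"] = m.group(1), int(m.group(2))
        m = AUTH_RE.search(line)
        if m:
            info["auth"], info["auth_bits"] = m.group(2), int(m.group(1))
        m = CTRL_RE.search(line)
        if m:
            info["tls_version"], info["tls_cipher"] = m.group(1), m.group(2)
            info["key_bits"], info["key_type"] = int(m.group(3)), m.group(4)
    return info

def assess(info):
    """Return (encrypted, findings); findings say why the session is weaker than wanted."""
    findings = []
    cipher = info.get("cipher")
    encrypted = cipher is not None and cipher != "none" and "tls_version" in info
    if cipher == "none":
        findings.append("data channel is not encrypted (cipher none)")
    elif cipher in WEAK_CIPHERS:
        findings.append("data channel cipher %s is weak (64-bit block)" % cipher)
    if info.get("auth") in DEPRECATED_AUTH:
        findings.append("data channel HMAC %s is deprecated" % info["auth"])
    if info.get("tls_version") in WEAK_TLS:
        findings.append("control channel %s is below TLS 1.2" % info["tls_version"])
    return encrypted, findings

if __name__ == "__main__":
    ok, notes = assess(parse_session(SAMPLE_LOG))
    print("encrypted:", ok)
    for n in notes:
        print(" -", n)
```

Run against the quoted session it reports that the tunnel is encrypted but that BF-CBC, SHA1 and TLSv1 should all be replaced.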