Episode: 297
Title: HPR0297: Open VPN
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0297/hpr0297.mp3
Transcribed: 2025-10-07 15:49:52
---
The Utah Open Source Foundation brings the Utah Loves Home
Feel free to listen live at stream.UTOS.org or catch the audio afterward at
podcast.UTOS.org. The bandwidth there is provided by Tier 4. The following
presentation, OpenVPN, was given on February 7, 2009 by Will Smith at the
Ubuntu Utah user group. Visit their site at utah.ubuntu-us.org.
The presentation is on OpenVPN. I wanted to give just a brief thing about VPNs. What is
a VPN? VPN stands for Virtual Private Network. Basically, it allows you to establish an encrypted
tunnel or basically establishes an encrypted tunnel creating a private network within
a larger network. You can have it between two nodes like across the internet or between
a couple of computers. The question then begs why use a VPN over just SSH into a box and
administering that way. There's a couple of things that like at work where I have several
boxes to administer rather than worrying about setting up a lot of port forwarding in my
firewall and having to know these different ports in order to SSH into every box. I can
just VPN in. Now I'm in and actually sitting at my network and I can then administer as
needed just like if I had my laptop there at work. Another instance, if you wanted to,
let's pretend we've got all these computers here in the lab. Let's say we wanted five
of them segregated out. They could have communication as just across themselves. You could establish
a VPN and push all their traffic through that. Even though they're in this network, they
can be on their own little sub thing because of the VPN. The other thing is it does, another
nice thing is it can encrypt any traffic, any traffic that goes across is encrypted. So
like at work where we have people that use RDP to come into a particular box. I have
them go through the VPN because RDP, of course being a Microsoft product, is inherently
insecure. And so it allows a little bit of encryption between it. No. Well, that's fine,
but if Microsoft did, it has broken some place and I'm sure we can find a security hole.
But no, you're right. And that's fine. But it still makes it so that I only have to open
one port on my firewall. And I can have once that one port is open to allow my VPN traffic
in, that already, they already have to have the certificates and everything to be able
to authenticate. And then once inside, it's just like they're sitting there and they can
get anywhere within the network. And I don't have to worry about opening multiple ports
to my firewall. So thank you for that update on RDP, Aaron. But that's fine. Anything else.
So if you're using VNC, you actually have to tell VNC to go over an encrypted tunnel.
And so this is an easy way to just do it because you VPN in and then run your
VPN. You know what? That's a beautiful thing. We're going to talk about that later. Well,
we're not going to discuss in this presentation is telnet. Along with other VPN,
we're going to focus on OpenVPN, which is an open source VPN software. We won't focus
on other VPN options such as IPsec or PPTP. There's some other stuff out there too that's
commercially available. But specifically, we want to focus on how to get your VPN server
and clients up and running and doing that on Ubuntu. To install that, to install OpenVPN
on Ubuntu is as simple as sudo aptitude install openvpn. And it's going to grab everything
you need. It's also since the latest version of open VPN is 2.0.9 and was released in 2006,
it's even current in Ubuntu, which I know is sometimes amazing without doing the PPA repository.
But so you get you get the current stuff. All your once you do install that, all your examples
and documentation and that is, in my opinion, in a weird location, but it is in
/usr/share/doc/openvpn. Inside of that folder is everything that you need to build your keys. It has sample
config files that you can use. It's got a lot of different things in there. I don't ever use that
because I have to be root to edit anything in there or I have to be root to it or I have to be
able to copy it out of there. It just seems to be a pain in the butt. So what I do is I install
the sudo aptitude install openvpn and then I actually download the source tar file. And I'll show
you here. Once I do have that source file, I then for each VPN I set up, I have another copy
of the source. So for instance, for the Larkins VPN, for Larkin Mortuary and my employer,
that's where I keep all of their stuff, including all of their keys and stuff for in here.
So that I always have their keys and can issue revocation and stuff if I need to.
So I'd encourage everybody to do that because it's the way I do it and obviously the best way.
I'm noticing that these users have their own keys.
Yes, and we will get to that.
So would you fire someone to say no access for you?
Yes. You can say it and we'll get to that part as we go through the configuration, but you can
tell it to let one certificate connect a million times, but obviously that's a concern.
You want one for each person so that you have granular control.
But to I thought that I'd just take a second and start up a really quick go through and set one
up, set up a, you know what I'm talking about. So I'm going to go to my downloads, open VPN.
Everything once you're in here, there's a bunch of stuff in this folder that I've downloaded
from the VPN website. Everything that we're concerned about is in the easy-rsa 2.0 folder.
And in there, you'll notice that there is all of these things. Those are the scripts that are
going to be old or you can't see the one edge. Yeah, we've dickered around with that for a while, man.
Yes.
Control-shift plus.
Okay, so you can't see but on the left that actually says build-ca, build-dh, but it's in
this that does everything that we need.
The first one that we're concerned about is our vars file right there.
Can you see that? We have highlighted that.
So we want to edit that and that's what does our default variables.
So there's a bunch of stuff up here at the top.
But our real concern is down here at the very bottom where it has your country,
province, city and state.
This information is put on all of your stuff so all of your keys and that.
So I like to edit it to whatever we're going to actually be doing.
Yeah. Well, the reason is if you change these defaults,
it will ask you on every key you generate to supply this information.
And if you change these defaults here, they're going to be already defaulted in for you and just enter through.
Otherwise, you got to type it out on every key.
Well, you may as well just do it in one spot, just to enter through the stuff.
The organization will put Ubuntu Utah.
And then email is a tow pons at p3.org.
Well, that's okay because no one's really going to use these keys.
But now that we've had that, we need to run source vars on it.
And now it actually takes all those variables.
And it's pulled them into memory so that when we go to run our stuff,
it's going to know exactly what we're doing.
Now our job.
Now that we've sourced those variables, we need to just start building stuff.
So we clean everything out, which deletes any keys that were in there previously.
In this case, none.
Yeah.
And the next thing is to build our certificate authority.
Yeah, I'm forcing it.
Yeah.
So now you'll see them come up, but let me just do this.
Can you see the bottom now?
We better.
Oh, perfect.
Great.
So you see now that there's my U.S. thing so I can just hit enter Utah.
Salt Lake City for the city name company Ubuntu Utah.
Organizational unit.
You don't have to put this in.
I never do.
But if there was a specific division of this VPN was going to be before we can fill that in.
What was the command to run this?
Build-ca.
Build hyphen ca.
Yeah.
There.
So then we need to give our server host name.
So whatever that's going to be, we'll just put local host.
And that is not in the vars thing.
Email address is.
And now we have a certificate authority.
So if we list the keys folder, you can now see we have a.
CA dot CRT CA dot key.
And then a couple other files.
But that's what's going to sign everything else that we do now.
The next thing we do is build.
The called.
Diffie-Hellman.
Diffie-Hellman parameter file.
Anyways, that's what.
Yeah.
Well, it's a method of establishing a key exchange just like RSA.
It's an alternative of RSA.
So build-dh.
And it's going to take a long time and it takes.
You have to make sure there's entropy.
So I moved my mouse around a bunch.
But you'll notice it is making a 1024 bit.
Everything is 1024, but you can change that in the vars file.
How long stuff is.
But.
It builds this whole thing.
You.
So we can write.
Oh, cool.
Now that we've built that, we need to build our certificate.
Our key suit our server key.
So we'll just call it build-key-server server1.
Again, we go again through our variables we already set the defaults for.
You can, if you want additional security, you can have a password on all the keys for both the server and client.
I don't ever worry about it, but it is a way to do more security.
If you have somebody that, let's say it's a more of a public box and they fire up the VPN when they need to get in,
they can have a password on the VPN key so that they can't use the key until they enter the password.
So that would be an additional key opposed to that personal.
No, it's actually in there.
It's actually in their key.
Yeah.
So.
Sign the certificate.
You have to hit why you can't just hit enter or else you have to go through the whole bloody mess again,
kind of frustrating when you're doing a whole bunch.
Yeah, actually, yes.
So now we've made a certificate for our server.
So if we look in there, you'll notice that we now have the dh1024.pem, which is our Diffie-Hellman parameters,
and we've got the server one certificate and key.
Now we need to build stuff for our clients.
So I always name them easy things like client one, client two, client three, client four.
You unfortunately cannot, I have not found a way to automate this process.
Say build clients one through 32 and it just goes a maximum.
You have to go through, at least from everything I've seen to do one at a time.
Okay.
That's an excellent way to get around that.
What I'm going to mention too for our, I name them by using the first name.
Right.
Because I've done it with the keys of the names of who I'm going to give them out to,
but what I've found is ultimately I forget somebody that is going to need a key.
So I always, when I'm building client keys, I have a whole bunch more than I'm actually going to need.
You don't hand them out, it doesn't matter.
But I'll usually build like 25.
You can build keys later.
You just have to, again, source your vars file and then do the build-key and then client name.
But I just make a whole bunch.
But in this case, we can just make the client, this is very important.
The common name right here, it has taken the names that I put in their client one as its default.
It's very important that that's different between every single client.
The way the open VPN distinguishes between clients is by the common name that's actually right here.
If you have two clients with the same name, what it does is they fight each other.
So client A will end up disconnecting the other client A, which will then disconnect the other client A.
And they just sit there and fight back and forth. Nobody gets connections.
It's a big pain in the ass.
Forgive my language.
I apologize to all those listening out there in the world.
What's happened?
Because I'm a good nature person, Dave.
Right on.
Anyways, so we'll skip the optional company name and stuff.
Sign the certificate.
If we list the keys now, you'll see that I now have not only my server keys, but the client CRT,
CSR, and client one key.
The CSR is for, I think, certificate revocation.
I've never had to use the CSR file.
The key dot key files are secret.
So you should never ever give out to a client or anyone like the dot CA, or the CA dot key.
That should be yours.
You keep all to your little ones themselves.
Same with the server key.
There's one spot in the server config that it needs it.
Otherwise, don't give it to people.
So any questions so far about building the keys or why we need to build keys or anything like that?
If you do it later.
Because it's grabbing global variables that are not actually set until you source the vars file.
So inside the vars file, if we go back into that, you'll see that it exports wherever the easy-rsa is.
And exports the OpenSSL stuff, and exports your KEY_CONFIG, and exports your KEY_DIR,
which is where it's actually going to put all the keys and look for the certificate authority.
So none of these global variables are set until you source this file.
So that's why you have to do that first.
So same for the browser here.
If you don't have a password, tell it to export them all to the session.
Which is another reason that I do a separate folder, a separate thing for each VPN,
is because then I don't have to try and guess what my original vars file was to re-source it.
But it's just all in there. I just go into the Larkins VPN, and later I can go into the Ubuntu VPN,
and everything's all the same, I just say, source vars, build-key.
So any other questions about keys?
Part of the reason that you build all the keys is because OpenVPN,
it can do it the other way, but the way that it works is through what they call
private key infrastructure, is the type of authentication it does,
is that the keys need to be on both sides.
So that's that's that.
The next thing now that we've set up all of our keys, all we have to do is create a server config file.
And let me go back to my notes here.
Yeah, editor create a server.conf. You can see right there in my notes.
It's very, very plain and simple for everyone to understand.
There is a default server.conf.
Is it?
It's in the sample config files.
So this is for a standard multi-client server.
This is like your road warrior setup, where you've got a bunch of guys out of the office
that need to remote back into work.
This is a sample configuration for that.
There's a couple of things that you have to have in a configuration file.
The first is what I, okay, it says you don't have to have this,
but I always set this, is the IP address that OpenVPN should listen on.
It's only needed if you've got multiple IPs, really.
You can distinguish what does what.
But you do have to have what port it's going to listen on.
The default is 1194.
And you do also have to have what protocol.
UDP is faster than TCP.
But TCP just by the nature of TCP is, yeah, more reliable.
Because you actually have to have a connection.
Right.
So I do use TCP on mine just because I do want to have that reliability.
But you can use UDP and it is faster.
I know a lot of people that what they do is they start,
and they do all their tests and stuff with TCP because it's a reliability.
And then once it's set up and everything seems to be working fine,
they flip it to UDP and go.
Then, you need to decide what type of tunnel you're going to create
or what type of device you're going to use, dev tap or dev tun.
I've never, ever gotten it to really work with dev tap.
I always use dev tun.
This is where, in fact, anybody know the difference
between that actual tap interface and the tunnel interface?
Okay.
If we read the comments, which I do not,
and let's just establish that in all of my configs,
I delete all the comments out because it's a bunch of crap.
And I don't even care.
I just write down the things I want and I start the server.
Nope.
I only need the part that's going to give me flame and hold the mate.
That's the only two faces I need.
Never.
Which is why I enjoy writing the bus so much is because it's not an issue.
But, so, you specify it.
That is the number of bits for the key.
It's 128-bit key that we're using for encryption.
So, dev tun is what I already put it to.
If you're using Windows, you have to specify the device name that you're using.
So, you actually open VPN installs a virtual Ethernet device
and you have to actually say the name of it there.
You don't have to with Linux because it's smart like that.
And then you do need to specify where those keys are that you've done.
In Windows, you have to comment any slashes.
So, for Linux, this might just be home user directory, ca.crt.
In Windows, you actually have to specify out the whole C slash slash program slash files, etc., etc.
Yes, you have to, you have to escape the slash.
You have to escape the spaces and you have to escape quotes in the configuration file.
So, for what?
Nope, that'll work.
Oh, it's a file.
So, you have to specify it all out like that and escape stuff in Windows.
Yeah, you have to do that, that's a common thing with all .conf files: if you're on Windows,
you have to escape slashes in spaces.
You should just put the direct path and you should do the whole path.
You shouldn't just try to at least slash, write the whole path out.
You have to put the path to the, this is only on the server.
You have to put the path to the Diffie-Hellman parameters.
This particular piece of configuration, this says the subnet that is going to be handed out.
So, it specifies the subnet is going to be handed out to all your clients.
Yes, yes, hearts.
Yeah, I'm going to talk about that.
I've got a special odd things notes at the bottom.
So, if you're, this should be a subnet that's not used in any place else.
So, for example, at larkins where I use the VPN all the time, our main subnet is 10.0.0.0.
Oh, in a 24 bit subnet.
Our open VPN is on 10.0.4.0.
And to, so that's what it hands out.
I just leave that. I have pull config server-bridge.
If you're actually are using what you can do is let's pretend that your internal subnet was the 10.0, 10.8.0 subnet.
What you can do is you can actually have this act as a server for just a portion of that subnet.
So, you can have this be trying to hand out IPs from 50 to 100,
whereas your other DHCP server that's internal and locally will be handing out IPs maybe from 0 to 50.
So, that's another option. I don't ever use it. I just do the full subnet.
This is always good. You can push routes.
So, you can say that to the client, we'll get these routes and they'll be added to their routing table.
So, you can tell it what routes are going to go through that current interface.
You can also push DNS and say your new default DNS server is this.
And you can also push a WINS server.
And I think there's a couple of things you can push. It was the ones I used.
This is if you want to set up for separate clients I never do because I just let the DHCP handle it.
Okay, so here's the DNS options. This push redirect-gateway.
If you are out on the road and you wanted every piece of your internet traffic to go across your encrypted tunnel,
push redirect-gateway will send all traffic from the client through the VPN to your server and then from your server route.
By default, when it's set up, it's with tunnel.
By default, only the things that need to be routed through the VPN tunnel are routed through there and everything else is routed at your default gateway.
When you do this, it just changes your default gateway to the VPN tunnel and everything gets routed out there.
Client to client, this is if you want to your clients to be able to see each other.
I've heard some people say you should always, you should never ever have this.
It should always be commented out. I really don't care if client one can see client two while in the VPN.
But...
Would you prevent, like, if the client or Windows talk to you that would prevent them like one of them is infected from infecting another?
Sure. But it doesn't prevent them from affecting your server and they probably shouldn't be on your network anyways.
So, I would do that. duplicate-cn.
This is where you could have everybody have one key or multiple keys have the same common name and everybody attach.
But since it's the common name that OpenVPN uses to distinguish between clients, I would encourage you never to uncomment this and to never allow duplicate common names.
One client, one common name, and that way you can cut off anybody you want to and different things like that.
keepalive. I always leave this default.
This, you can actually select your ciphers, how you want the encryption to happen.
The default is Blowfish using CBC mode.
You can select any type of mode. You don't have to use the cipher block chaining.
You can use ECB and COB.
Anyways, there's a bunch and you can list these out and I get to a spot later where I show you where you can actually list out all your options.
And you can use 128 AES. You can use 256. You can do, there's a whole slew of options.
In fact, if we do openvpn with the option show-ciphers, it shows me all of them that I can do.
And it's a pretty good list. You can really do whatever you want. I'm fine with blowfish.
And one thing, it doesn't seem to use an initialization vector which is not required for CBC mode.
Cipher block chaining is a pretty good way of completely randomizing everything.
Maximum clients, this is a hairy one that I'll talk about later. I always, I never uncomment that.
This one I do uncomment though. And that is that because this is actually starting up a new Ethernet device.
In our case, from our configuration dev tun, probably tun0, it has to run with root privileges.
But after it starts up that device, there's no reason it needs root privileges anymore.
And by uncommenting these, you can specify the user and group to run that as, to, to demote its privileges too.
And it adds a little bit of, of the security there. You have to make sure that user nobody and group nobody exist though.
Because it, it'll crap if you, they don't really exist. But persist-key, persist-tun are good.
The log default goes into /var/log. And you can be, you can say how verbose you want to be on it.
The client, the client config is very, very similar. The really big difference is up at the top. It says client instead of saying server.
So, all the commands to run them are the same. You put them in the same spot to auto start. Everything's pretty much the same.
But certain things have to match. dev tun has to match dev tun in your server config. They have to be both on the same side.
Obviously, your protocol has to be the same on both sides. This, this option is new specifically to the client.
It says what server address and port to go to. So, you can have one client config have multiple entries for the remotes.
They just all have to have the same certificate authority on the remote side.
Remote random is if you're doing failover. I haven't ever done that. So, I don't worry about it.
Again, you can demote your user privileges and set your, set where your keys are. And you're like verbose on your logs and stuff like that.
Yeah, go ahead.
Once, no. Those options get pushed from the server. And if you want to be connected to the VPN, you have to take its options.
You, you probably could go in afterwards and manually remove the routing and remove those like DNS push options and things like that.
But you, if at all, you'd have to manually do it. So, I want to show you mine because this is my client config that I use for, for hooking to work.
You see, it's infinitely smaller because I don't have all my comments. I just specify the port and tunnel type.
Proto tcp-client is the same as saying client, proto tcp. Doing the tcp hyphen client is the exact same.
This is the actual address to our remote server. I know you're all going to run it down and try to break in.
I demote my privileges once it starts. I don't know what the ping does. I just leave it.
I specify the cipher. If you change the cipher on the server config, you have to specify the exact same cipher in the client config.
You have to specify if you leave, if you leave it default on the server, you don't have to say anything in the client because it's just going to assume default.
But if you change it there, you have to have matching parameters on each side.
Then the location, my certificates. What's that? You know where those are. I hope so. It says right there.
Anyways, I want to just go over a couple of the notes, interesting things on the .conf files. On any Unix type system, they need to end with .conf.
On a Windows system, they need to end with .ovpn. If you try to pass the Windows one as a .conf file, it won't know what in the world to do with that.
Yeah, I said that the examples are loaded with comments. You don't have to have all those comments. You can take out those comments.
I mentioned how you do have to escape everything in Windows. In Windows, you must specify the device name. We talked about that. We talked about demoting privileges.
The thing that the client needs is not only his .conf file, but also the certificate authority certificate file, the client certificate and the client key.
Once you have that, you can start the VPN. To start it, you can run the command sudo openvpn and wherever the .conf file is. For example, I can right now.
I can connect. If I'm in the right directory.
To Larkins. Right now. It goes through the handshakes. It says everything's fine. Pushes the routes. Demotes the user privileges and I'm done.
Once I've done that, if I do an ifconfig, you can see there is my tun0 interface with a hardware address of zero because it's not an actual physical interface.
I have my internet address, my point-to-point stuff and my subnet mask. This is basically my local broadcast. This is my actual IP.
This is what we'll talk about there. Now, it's just like I'm sitting there at work. I can, for example, if I open up Firefox, we have an internal web application that's only accessible to those inside of our network.
From here, I can say. There it is. Larkin Mortuary pre-need accounts. I can only get to that when I'm inside. It hands me an IP and I can get to anywhere from inside.
This is just an example. I can't SSH into the web server to get that application. But with the VPN, because it's just like I'm sitting there at my location, I can go ahead and grab up our web application.
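The server and client options walked through above (dev, proto and cipher having to match on both sides; duplicate-cn; client-to-client; user/group nobody with persist-key and persist-tun; crl-verify for revocation) can be checked mechanically. What follows is an added example, not code from the talk or from the OpenVPN project: a small Python checker run over two constructed config files (the hostname and paths are placeholders) that flags the mismatches and the weak settings, then produces a client config aligned with the server.

```python
"""Consistency and hardening checks for an OpenVPN 2.0-style server/client config
pair. Added example, not code from the talk or the OpenVPN project; both configs
below are constructed for the demo and the paths are placeholders."""

from typing import Dict, List, Tuple

# Constructed server.conf in the shape the talk describes, comments stripped.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server1.crt
key /etc/openvpn/keys/server1.key
dh /etc/openvpn/keys/dh1024.pem
server 10.0.4.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
cipher BF-CBC
user nobody
group nobody
persist-key
persist-tun
"""

# Constructed client.conf with deliberate problems: proto and cipher do not
# match the server, and privileges are never dropped.
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-128-CBC
ca ca.crt
cert client1.crt
key client1.key
"""

DEFAULT_CIPHER = "BF-CBC"  # what OpenVPN 2.0 uses when no 'cipher' line is set

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse a config into {option: args}. 'push' lines are collected into a
    list of pushed directives; other repeated options keep the last value."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip().strip('"')
        if name == "push":
            opts.setdefault("push", []).append(rest)
        else:
            opts[name] = rest.split()
    return opts

def proto_family(opts: Dict[str, List[str]]) -> str:
    """tcp-server and tcp-client are the same transport as tcp; udp stays udp."""
    proto = opts.get("proto", ["udp"])[0].lower()
    return "tcp" if proto.startswith("tcp") else proto

def check_pair(server_text: str, client_text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for a server/client config pair."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    found: List[Tuple[str, str]] = []
    if srv.get("dev", [""])[0] != cli.get("dev", [""])[0]:
        found.append(("dev-mismatch", "dev tun/tap must be identical on both sides"))
    if proto_family(srv) != proto_family(cli):
        found.append(("proto-mismatch", "transport protocol differs between server and client"))
    if srv.get("cipher", [DEFAULT_CIPHER])[0] != cli.get("cipher", [DEFAULT_CIPHER])[0]:
        found.append(("cipher-mismatch", "a cipher changed on one side must be set identically on the other"))
    if "duplicate-cn" in srv:
        found.append(("duplicate-cn", "shared common names defeat per-client revocation"))
    if "client-to-client" in srv:
        found.append(("client-to-client", "clients can reach each other through the server"))
    if "crl-verify" not in srv:
        found.append(("no-crl-verify", "revoked client certificates will still be accepted"))
    for side, opts in (("server", srv), ("client", cli)):
        if "user" not in opts or "group" not in opts:
            found.append((f"{side}-runs-as-root", "no user/group line, so privileges are never dropped"))
        elif "persist-key" not in opts or "persist-tun" not in opts:
            found.append((f"{side}-no-persist", "unprivileged daemon cannot reopen keys or tun on restart"))
    return found

def harmonize_client(server_text: str, client_text: str) -> str:
    """Return the client config with proto and cipher aligned to the server and
    a privilege drop added: the corrected form beside the weak one above."""
    srv = parse_conf(server_text)
    out: List[str] = []
    for line in client_text.splitlines():
        if line.startswith("proto "):
            line = "proto " + ("tcp-client" if proto_family(srv) == "tcp" else "udp")
        elif line.startswith("cipher "):
            line = "cipher " + srv.get("cipher", [DEFAULT_CIPHER])[0]
        out.append(line)
    out += ["user nobody", "group nobody", "persist-key", "persist-tun"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for code, why in check_pair(SERVER_CONF, CLIENT_CONF):
        print(f"{code}: {why}")
    print(harmonize_client(SERVER_CONF, CLIENT_CONF))
```

Run as is, the checker reports the proto and cipher mismatches, the client running as root, and the absence of crl-verify on the server; after harmonize_client only the crl-verify finding remains, which is the one the talk's revocation section resolves by adding that line and pointing it at the generated CRL.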
Any questions so far on any of that stuff? Any at all? Anybody want to say a joke? Right in the mid? Yes. Pino, you have a joke.
Why is a chapel with time? I mean, why... Does that sound lower tap? No, I mean, I'm a little bit more confused about the tap-up. What would that be? It was forward protocol other than PC3.
So ethernet tunnel versus routed IP tunnel. I just do the routed IP tunnel.
Because I've gotten it to work more often than not. I've had to fight the tap tunnel stuff. When I used it at the tap device, I sit there.
Then you can map those through the VPN, doing your IPX and stuff. That makes sense. If you still have NetWare 3.5, please just throw it away and then use dev tun.
We had a network server, NetWare 3.5, up until about a year ago. They're at Larkins that did everything. There's a big pain in the butt and the IPX protocol took up tons of bandwidth and it's just a...
They also didn't implement IP until four. We had to run IPX. Yeah, so it kind of sucked. IPX is weird, so I didn't like doing that.
Anyways, another option other than running sudo openvpn on the .conf file, if you want to run it on startup, is that you can take any .conf file and put it in the /etc/openvpn folder.
And when OpenVPN runs at runtime, when the daemon runs at runtime, it'll scan that folder and start up the .conf file. And you're done. Server and client. Both of those can be dropped in there.
Because all your parameters are already in your .conf file, you just drop it in there. It'll start you up. Your tunnel device will be there. You're connected, you're done.
And so that's an easy way to do it. I don't do that because I don't like on my laptop. I don't always want to be connected as a client. I want to connect only when I actually need to administer work.
But as a server, obviously we want that running all the time because that's why we haven't.
Or if it's like a company laptop that you're sending with your representative. Right. And they're too dumb to actually start it up. Yeah. Another great.
In Windows, it's a little bit different. You've got to drop it in. You have to in Windows, you actually have to go into the services and start OpenVPN as a service to start as a service.
And then go and put in the config folder in their program files, OpenVPN. Program files, I think it's config. You drop in the .ovpn file and it'll start that on startup.
And I do that with like some folks that that remote in that are clients, Windows clients that come into into my OpenVPN. That's where I put theirs and it works.
You can also use the init script to start and stop OpenVPN. So if you do need to, let's say that you revoke a client and you want it to be enacted immediately, you can just do a restart through the init script and it'll do it.
The advanced stuff, client revocation. Again, you got to source your vars file. This is why I always separate all the different VPNs out. So I always have my vars file normal and have all my keys in just one spot.
You source your vars file and just say revoke-full and the name. And it gives you this weird error 23 message, but you actually want to see the error message.
And then you put in your server config, make sure that you put in the parameter crl-verify so that it actually checks for a certificate revocation list and point it to your certificate revocation list that's been generated by this above command. And then that client can't connect anymore.
So that's which is kind of cool. You also can run multiple servers. The problem is the server needs to be listening on a different port.
Obviously, unless you specified which IP to listen to and you have two IPs, then you can have one on each IP listening on the same port, but they have to be on different IPs.
It you can set up failover. I've never done it, but it does have a way to do failover like that. And which which case part of the part of the client config is is like remote random or something like that where it will allow any remote to hand it off to anybody else.
For the security, I mentioned this, you can have a password for each client key. OpenVPN can also run if you're really worried about it taking over stuff. OpenVPN can run in a chroot environment.
You just need to make sure that all your keys and stuff are within the chroot environment so it can get to it.
Well, I've never run it in a chroot environment. I don't think OpenVPN is that going to get taken over, particularly if I demote its privileges when I run it.
Should be. So anyways, you can also change the cipher, we talked about that. This is something that's weird with OpenVPN. And I've never quite understood it, but for each client that connects, that client is handed four IP addresses.
And the client uses three IP addresses and doesn't use the fourth. So the one IP address is the gateway, the point to point gateway that you saw. The other IP address is its actual address.
The last IP address is its broadcast. And because you can't use CIDR notation to just send three keys. It sends four and the last one is just thrown away.
So out of your potential of, you know, 254 keys to hand out, you really can only have 60 something clients connect because each client uses four IPs.
In which case, if you need more than 60 clients, you got to set up multiple servers. So yeah.
One of these is the server config. Where do you want me to look?
So what if you change it to a /23?
You know, that's an excellent question. I've never tried it. I've never had a need, really, in the stuff that I've set up to have more than 15 or 20 clients connected at a time. I know we have had this conversation.
But, you know, it's like you said, that conversation, you and I, right? "We need more than 60 VPN clients. We need an environment for that right now."
Yeah, I started a lot of VMs. And this would be a fun environment like with these to try that out and see how many people we could get connected and stuff.
Because you can actually, if you hand one client multiple client keys, they can connect to the VPN multiple times and it'll just keep making tunnel devices.
And on Windows, it'll keep making more of the TAP-Win32 devices.
Yeah, you can have one machine hooked to the same VPN multiple times. They just have to have different client keys.
So you could test that and just have the one machine hooked to the one server 600 times and try.
But you can change that with the CN, the duplicate-cn parameter that we talked about. Again, the client's right here.
So the thing is, on the keys you generate, you really should have everyone have a different common name and have every one of your clients have a different key set.
This is just an easy way to get added security. If you had somebody, let's say that there was a compromise and somebody stole their keys and configuration.
If you just have one common name, you have no way of blocking just that one certificate and issuing a new one.
You would have to cut off the certificate for anybody that had that same common name and issue new certificates. See what I'm saying?
I use the word certificate a lot. You doing okay? If someone would please raise a little.
The darkness is exciting.
Whoa, you're sitting next to a panel.
Anyways, so, yeah.
Okay. No, that would be a fun thing to try out. I've never done it, changing it from a 24-bit mask to a 23-bit mask.
Yeah? Well, the /23 would give you two from the previous octet, and it'd give you the full 256 of this one.
So it'd give you 500 IPs to do that. Yeah. Well, you're right.
So, another thing though: once you do have a client that's connected into your server, for the client to be able to talk beyond the server, you need to make sure that you either have routing set up on your server side or bridging done, so that your client can get beyond the actual server.
So I fought with that one for a long time, where I could always get to the server IP and I could do whatever I wanted on that server, but I couldn't get beyond it.
So you either need to bridge that or, like I said, actually put in your routes manually.
Another option, something that I've done here at Larkin just because it's pretty easy, is to actually use my pfSense box to act as the server, and it does all the routing for me and I don't have to worry about it.
So I just go in here to OpenVPN and I put in the stuff and it just makes it and I'm done.
And so we could test it just by changing this to the /23 in this little scenario, this particular scenario.
But I don't have enough.
Should, but then I just, it's set to persist, so it'll retry to connect.
You want me to do it?
No.
Okay.
I've worked very hard to avoid going into work the past couple of days.
So I've had many opportunities to go into work.
I've been called a couple times to go into work and I've been able to finagle my way out of it.
So, try and not to go in.
They pay for the phone.
I don't pay for my cell phone. Larkin does, so.
You know?
They also bought me my laptop.
I just don't dig her with them on it.
And they gave me $100 because I asked for it to go to SCALE.
They said sure, here you go, here's a hundred bucks.
So, it's in my bag.
This bag, it's a non-block, main pocket.
90 of it is anyways.
Long and short.
So, that's really my thought on VPN.
For further information, OpenVPN does have a pretty thorough how-to on their website.
They also have their man page on their website, so you can look at all the different parameters.
There is an OpenVPN channel on Freenode.
And so you can go sit in there.
It's #openvpn on irc.freenode.net.
I've gone in there and asked questions.
They're pretty nice to help.
They're pretty good about it.
You know, some of those channels, you know, people are a little, log on.
What's that?
And then, you know, I can answer any questions.
So, is there any questions about OpenVPN or anything like that?
Do you prefer to do it?
I do.
You know, NetworkManager does have an applet that you can put your configuration stuff into.
I have had a problem.
Like here, I've got the Larkin ones.
Let me kill it here.
But there is a bug that comes in and out of the NetworkManager one.
And so sometimes it works and sometimes it doesn't.
So, you can see now, oh, you can't really.
NetworkManager now has a little lock.
And there's a swirling star as it's attempting to connect to the VPN.
And it doesn't look like it's going to.
Seriously, it's a little padlock.
You can come look.
It doesn't work at all.
At least you can go into.
There's a bug in it.
And the bug comes and goes.
I've reported it on the bug several times.
But in a second here, it'll pop up and say, no, we won't do it.
Thanks for asking.
So, it's kind of annoying.
So, because of the bug, I always just use the command line.
So, can you see the little thing?
VPN connection failed.
Yeah, there is a bug on Launchpad about it.
And it keeps coming up and going away and coming up and going away.
When it does work, it is pretty, pretty cool.
You just basically manually add all of your stuff.
So, you put in your gateway server address and where your different things are.
And you say go.
It does not allow you to put in advanced settings, such as if you needed to use...
So, oh, so it does allow you to set the cipher.
I didn't think it did, but it does.
Maybe that's new with this OpenVPN.
But anyways, so you can set in your settings and say go.
When it works.
Drop down.
Yeah, the push, the push stuff from the server.
There is a bug on Launchpad that I reported on it.
And it's not just me with the bug.
It is a confirmed bug on Launchpad.
I apologize that I did not have the bug number.
But with NetworkManager, you do need to not only install the OpenVPN stuff,
but you also need to install network-manager-openvpn or whatever; it's a little modular.
Remember the number of keys?
Just given your reminder, kid.
So long and short.
That's that.
Any other questions about it?
One thing I want to mention.
There is a version of DD-WRT that has a VPN built into it.
Right.
You can have your little house router doing your VPN.
Right.
Which is, which is cool on those.
I'm sure it's the same on DD-WRT, but right.
But it's.
But on OpenVPN, you actually open your ca.crt,
copy its contents and paste it into a box.
That's how it works on pfSense.
I'm sure it does on here too.
And it goes and stores them itself and puts them where it needs to.
So.
Yeah.
Now you will have to have a router that has at least four megs of flash.
And it makes it brown.
This one only has two megs of flash.
And four megs of brown.
And it can only run the time.
It's one of the newer ones that I can both deal with.
This one is.
Yeah.
But it does.
You hack it right.
Or just buy an old one.
Yeah.
Yeah.
Any other questions about OpenVPN?
No.
Any.
I'm curious.
Yes.
On my.
Just.
Just because you asked all.
I'll do it.
But as Dave was mentioning earlier, I have Conky running and it shows me my different
network devices. In this case,
eth0 is connected.
Now it shows that some.
Oops.
Excuse me.
Now it shows that my VPN tunnel is connected as well.
And it will show me any traffic that actually specifically has to go through the VPN.
So that's just kind of nice, because
if I want to see that it's actually split and stuff, I watch it.
Yeah.
Anyways.
Any other questions?
Let's go ahead and make calls.
Thank you for listening to Hacker Public Radio.
HPR is sponsored by caro.net.
So head on over to C-A-R-O dot N-E-T for all of your hosting needs.
Thank you.