1024 bit keys

Hello,
I've used the certificate app to generate CSR for WLS 6.1 SP2. But I
couldn't find any field for key strength as mentioned in the documentation,
generating only 512 bit key. Anyone know how I can generate stronger key?
Thank you,
Makoto

Hello,
I checked the license.bea file. Apparently our server only has 512 bit
SSL/Export license.. So the server was probably generating 512 bit key (.der
file). I wonder if we have to specify that when we request a certificate
from Verisign....mmmmm
Thanks,
mk
"Yeshwant" <[email protected]> wrote in message
news:[email protected]..
Hi Makoto,
Do you have full strength (domestic)/128 bit ssl license
when the server starts it should print something like
<Jul 26, 2002 2:31:58 PM PDT> <Info> <WebLogicServer> <Loaded License :
c:\beas61sp2\license.bea>
<Jul 26, 2002 2:31:58 PM PDT> <Info> <WebLogicServer> <License allows full
strength (domestic) SSL.>
<Jul 26, 2002 2:31:58 PM PDT> <Info> <WebLogicServer> <Certificatecontents: 2
certificate(s):
Only in that case it will give you a choice to select 512,724 or 1068 bitkey
>
>
Makoto Suzuki wrote:
Hello,
I've used the certificate app to generate CSR for WLS 6.1 SP2. But I
couldn't find any field for key strength as mentioned in the
documentation,
generating only 512 bit key. Anyone know how I can generate strongerkey?
>>
Thank you,
Makoto

Similar Messages

  • Generation of 1024 bits key certificate signing request-sun one app srvr 7

    Kindly help to generate 1024 bits key certificate signing request in sun one application server 7. The problem faced by me is that during csr generation the key lengh is 512 as this is the default value.Now i would like to change this default value and would like to generate a key with length 1024.Kindly help me.
    Thanks in advance
    Vishnu Priyan

    OK, post a new Topic, title it Need help with self-signed certificate
    Before you post, search the forums for the problem. Do the footwork.
    Then, take your time, post exactly which of these steps you have taken, what the results were, and exactly where you are having problems, what the exact problem is (error message, whatever).
    You are going to have much better response if someone can easily figure out what the problem you are having is. If you look at this thread, you will see "I have tried these 10 steps and they don't work". You are going to get nowhere with that.
    I have to sleep now, good luck.

  • 1024-bit encryption

     

    One hand doesn't know what the other is doing...
    I got exactly the same run-around when we were obtaining the domestic
    version of WL 4.5. Your sales rep has a request form available for you to
    fill out. They just don't seem eagre to give it out. After you've faxed that
    back they'll send you the new keys required to enable 128-bit encryption.
    -Brendan
    "Alan Hoyt" <[email protected]> wrote in message
    news:[email protected]..
    Quoting from Weblogic's
    http://www.weblogic.com/docs/classdocs/API_secure.html
    documentation:
    The more bits in a key, the more possible keys, and the
    more difficult it is to guess your
    private key. United States export regulations limit the
    generally available version of
    WebLogic to 512-bit public keys. You can apply to
    WebLogic sales for the domestic
    version, which supports 512-, 768-, and 1024-bit keys.
    If you want to be able to support
    both domestic- and exportable-strength browsers, you
    need the domestic version of
    WebLogic, and you must obtain and install both domestic-
    and exportable-strength
    certificates.
    OK, sounds simple - we contacted sales to acquire the
    domestic version, but they had no idea what we are
    requesting, so they forwarded us to tech. support - tech.
    support sends us back to sales. We have been going back and
    forth between sales and tech. support for three weeks .
    What gives? Is a 1024-bit version even available?
    Extremely frustrated
    - A. Hoyt -

  • HT4865 Does iCloud email use 1024 bit or 2048 SSL encryption?

    In Security Now! Podcast #441, http://twit.tv/show/security-now/411 they discuss the need for SSL encryption to move to 2048 bit to be more secure. What level of encryption is iCloud email using?

    Sorry I didn't make my question specific enough. I'm referring to the encryption used in the browser while using the mail app on iCloud. I believe gmail currently uses 1024 SSL but will be changing to 2048 in several months. The reason being that a 1024 bit key can theoretically be broken my dedicated hardware (costing millions of dollars, I might add) in around one year. Listen to the link above for more details. This takes an extreme effort to crack, but given that it is possible I wanted to know what Apple does.

  • Invalid Key Exception: Unsupported key type: Sun RSA public key, 1024 bits

    I am trying to retrieve certificates from Microsoft Keystore and extract its keys using SunMSCAPI in jdk 1.6. It gives me an invalid key exception, when I am trying to wrap the Symmetric key (which was previously used to perform AES encryption on data), using RSA algorithm.
    Code snippet:
               // RSA 1024 bits Asymmetric encryption of Symmetric AES key             
                // List the certificates from Microsoft KeyStore using SunMSCAPI.
                      System.out.println("List of certificates found in Microsoft Personal Keystore:");
                       KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
                       ks.load(null, null) ;
                       Enumeration en = ks.aliases() ;
                       PublicKey RSAPubKey = null;
                       Key RSAPrivKey = null;
                       int i = 0;
                       while (en.hasMoreElements()) {
                            String aliasKey = (String)en.nextElement() ;              
                            X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey) ;     
                            String sss = ks.getCertificateAlias(c);
                            if(sss.equals("C5151997"))
                            System.out.println("---> alias : " + sss) ;
                            i= i + 1;
                            String str = c.toString();
                            System.out.println(" Certificate details : " + str ) ;
                          RSAPubKey = c.getPublicKey();
                            RSAPrivKey = ks.getKey(aliasKey, null);  //"mypassword".toCharArray()
                            Certificate[] chain = ks.getCertificateChain(aliasKey);     
                       System.out.println("No of certificates found from Personal MS Keystore: " + i);
                // Encrypt the generated Symmetric AES Key using RSA cipher      
                        Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", ks.getProvider().getName());            
                       rsaCipher.init(Cipher.WRAP_MODE, RSAPubKey);
                       byte[] encryptedSymmKey = rsaCipher.wrap(aeskey);   
                       System.out.println("Encrypted Symmetric Key :" + new String(encryptedSymmKey));
                       System.out.println("Encrypted Symmetric Key Length in Bytes: " + encryptedSymmKey.length);
                       // RSA Decryption of Encrypted Symmetric AES key
                       rsaCipher.init(Cipher.UNWRAP_MODE, RSAPrivKey);
                       Key decryptedKey = rsaCipher.unwrap(encryptedSymmKey, "AES", Cipher.SECRET_KEY);Output:
    List of certificates found in Microsoft Personal Keystore:
    ---> alias : C5151997
    Certificate details : [
    Version: V3
    Subject: CN=C5151997, O=SAP-AG, C=DE
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 171871587533146191561538456391418351861663300588728159334223437391061141885590024223283480319626015611710315581642512941578588886825766256507714725820048129123720143461110410353346492039350478625370269565346566901446816729164309038944197418238814947654954590754593726047828813400082450341775203029183105860831
    public exponent: 65537
    Validity: [From: Mon Jan 24 18:17:49 IST 2011,
                   To: Wed Jan 23 18:17:49 IST 2013]
    Issuer: CN=SSO_CA, O=SAP-AG, C=DE
    SerialNumber: [    4d12c509 00000005 eb85]
    Certificate Extensions: 6
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 07 E5 83 A1 B2 B7 DF 6B 4B 67 9C 1D 42 C9 0D F4 .......kKg..B...
    0010: 35 76 D3 F7 5v..
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: E4 C4 2C 93 20 AF DA 4C F2 53 68 4A C0 E7 EC 30 ..,. ..L.ShJ...0
    0010: 8C 0C 3B 9A ..;.
    [3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 82 .00..&+.....7...
    0010: D1 E1 73 84 E4 FE 0B 84 FD 8B 15 83 E5 90 1B 83 ..s.............
    0020: E6 A1 43 81 62 84 B1 DA 50 9E D3 14 02 01 64 02 ..C.b...P.....d.
    0030: 01 1B ..
    [4]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    RFC822Name: [email protected]
    [5]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Non_repudiation
    Key_Encipherment
    Data_Encipherment
    [6]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    Algorithm: [SHA1withRSA]
    Signature:
    0000: B3 C5 92 66 8D D7 ED 6D 51 12 63 CC F4 52 18 B9 ...f...mQ.c..R..
    0010: B8 A6 78 F7 ED 7D 78 18 DA 71 09 C9 AE C8 49 23 ..x...x..q....I#
    0020: F5 32 2F 0F D1 C0 4C 08 2B 6D 3C 11 B9 5F 5B B5 .2/...L.+m<.._[.
    0030: 05 D9 CA E6 F9 0A 94 14 E7 C6 7A DB 63 FE E5 EC ..........z.c...
    0040: 48 94 8C 0D 77 92 59 DE 34 6E 77 1A 24 FE E3 C1 H...w.Y.4nw.$...
    0050: D8 0B 52 6A 7E 22 13 71 D7 F8 AF D1 17 C8 64 4F ..Rj.".q......dO
    0060: 83 EA 2D 6A CA 7F C3 84 37 15 FE 99 73 1D 7C D1 ..-j....7...s...
    0070: 6D B4 99 09 62 B9 0F 18 33 4C C6 66 7A 9F C0 DB m...b...3L.fz...
    No of certificates found from Personal MS Keystore: 1
    Exception in thread "main" java.security.InvalidKeyException: Unsupported key type: Sun RSA public key, 1024 bits
    modulus: 171871587533146191561538456391418351861663300588728159334223437391061141885590024223283480319626015611710315581642512941578588886825766256507714725820048129123720143461110410353346492039350478625370269565346566901446816729164309038944197418238814947654954590754593726047828813400082450341775203029183105860831
    public exponent: 65537
         at sun.security.mscapi.RSACipher.init(RSACipher.java:176)
         at sun.security.mscapi.RSACipher.engineInit(RSACipher.java:129)
         at javax.crypto.Cipher.init(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)
         at com.sap.srm.crpto.client.applet.CryptoClass.main(CryptoClass.java:102)
    Edited by: sabre150 on 18-Jul-2011 03:47
    Added [ code] tags to make code readable.

    A bit of research indicates that the classes of the keys obtained by
                          RSAPubKey = c.getPublicKey();
                               RSAPrivKey = ks.getKey(aliasKey, null);  //"mypassword".toCharArray()are sun.security.rsa.RSAPublicKeyImpl and sun.security.*mscapi*.RSAPrivateKey . It seems that for Cipher objects from the SunMSCAPI provider cannot accept RSA public keys of class sun.security.rsa.RSAPublicKeyImpl and that the SunMSCAPI will only accept RSA private keys of class sun.security.mscapi.RSAPrivateKey.
    This came up under different guise a couple of years ago. It makes sense since encrypting/wrapping with a public key does not represent a security problem (there is nothing secret in any of the encryption operations) when done outside of MSCAPI so one can use any provider that has the capability BUT the decryption/unwrapping must be done with the SunMSCAPI provider which delegates it to the MSCAPI.
    My working test code based on your code implementing this approach is :
            // RSA 1024 bits Asymmetric encryption of Symmetric AES key             
            // List the certificates from Microsoft KeyStore using SunMSCAPI.
            System.out.println("List of certificates found in Microsoft Personal Keystore:");
            KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
            ks.load(null, null);
            Enumeration en = ks.aliases();
            PublicKey RSAPubKey = null;
            Key RSAPrivKey = null;
            int i = 0;
            while (en.hasMoreElements())
                String aliasKey = (String) en.nextElement();
                X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey);
                String sss = ks.getCertificateAlias(c);
                if (sss.equals("rsa_key")) // The alias for my key - make sure you change it back to your alias
                    System.out.println("---> alias : " + sss);
                    i = i + 1;
                    String str = c.toString();
                    System.out.println(" Certificate details : " + str);
                    RSAPubKey = c.getPublicKey();
             System.out.println(RSAPubKey.getClass().getName());
                   RSAPrivKey = ks.getKey(aliasKey, null);  //"mypassword".toCharArray()
            System.out.println(RSAPrivKey.getClass().getName());
                    Certificate[] chain = ks.getCertificateChain(aliasKey);
            System.out.println(ks.getProvider().getName());
            System.out.println("No of certificates found from Personal MS Keystore: " + i);
            Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");//, ks.getProvider().getName());       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                rsaCipher.init(Cipher.WRAP_MODE, RSAPubKey);
            byte[] keyBytes =
                1, 2, 3, 4, 5, 6, 7, 8, 2, 3, 4, 5, 6, 7, 8, 9
            SecretKey aeskey = new SecretKeySpec(keyBytes, "AES");
            byte[] encryptedSymmKey = rsaCipher.wrap(aeskey);
            System.out.println("Encrypted Symmetric Key :" + Arrays.toString(encryptedSymmKey));
            System.out.println("Encrypted Symmetric Key Length in Bytes: " + encryptedSymmKey.length);
            // RSA Decryption of Encrypted Symmetric AES key
            Cipher unwrapRsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", ks.getProvider().getName());       //!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
            unwrapRsaCipher.init(Cipher.UNWRAP_MODE, RSAPrivKey);
            Key decryptedKey = unwrapRsaCipher.unwrap(encryptedSymmKey, "AES", Cipher.SECRET_KEY);
            System.out.println("Decrypted Symmetric Key :" + Arrays.toString(decryptedKey.getEncoded())); // Matches the 'keyBytes' above

  • Messaging server with 2048 bit key

    I am in the process of renewing my SSL certificates and a change requires the use of 2048 bit keys.
    Is there a way using msgcert to specify key length?
    It looks like certutil will allow a different key length. If I use certutil to create the database, will the message server work with a longer key?
    I am using SSL for POP/IMAP proxy and SMTP on Messaging Server 6.3.

    randyloch wrote:
    I am in the process of renewing my SSL certificates and a change requires the use of 2048 bit keys.
    Is there a way using msgcert to specify key length? Both certutil and msgcert can import 2048 bit certs and SHA-signed certs although msgcert cannot generate such cert requests.
    It looks like certutil will allow a different key length. If I use certutil to create the database, will the message server work with a longer key?Yes shouldn't be an issue.
    I am using SSL for POP/IMAP proxy and SMTP on Messaging Server 6.3.Please in future provide the exact version of Messaging Server that you are running (./imsimta version).
    Regards,
    Shane.

  • Windows Server 2008 OEM 64-bit key cannot activate 32-bit

    My client purchased Windows Server 2008R2 OEM 64-bit. However it was found an old application can only run on 32-bit Windows. Then he tried to find another installation disk and install 32-bit Windows Server 2008R2. Unfortunatly the 64-bit key
    cannot be applied to it.
    Many posts saying that 32-bit and 64-bit keys are interchangable, and doing a clean installation would be fine.
    Any one can enlight me on this? Thanks a lot in advance.

    Server 2008 R2 is x64 only so must be vista kernel 2008 you're asking about. I'd be surprised if they're interchangeable but you can ask them here.
    https://www.microsoft.com/licensing/existing-customers/activation-centers.aspx
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Generating AES 256 bit key using seed

    Hi
    As part of encryption requirements for encrypting the body of the SOAP Message while calling an external Web Service, it is requried to encrypt using a shared symmetric key.
    First step is to create a password digest
    Base64(sha1(nonce + createdTimestamp + password)) - This step is working completely fine and produces a 160 bit Hash
    The next step is to generate an AES 256 bit key using the above hash as the Seed. This should generate a 256 bit encrytpion key which can then be used to encrypt the message body.
    Would appreciate if anyone who knows how to generate AES 256 bit key using a hash seed in Java (v1.4.2) can provide some guidance.
    P:S. I am using WSS4J API to use WS-Security

    I have to generate 256-bit AES key with a 128-bit IV using the above password digest and the IV used for in the creation of the AES key prefixes the cipher text.
    The external WebService is .net webservice.
    Edited by: GUPTAG on Nov 25, 2008 3:05 AM

  • Windows Vista 32 and 64 bit key number

    Hello
    XP has been installed from a disk partition (D)
    My notebook has been upgraded from XP to Vista 32 bit with the CD I got from the pakage.
    In the buttom the is a stamp with the key number.
    I have CDs both with Vista 32 and Vista 64
    1. Is the key number the same to the 32 and to the 64 bit
    2. I would like to format the C drive.
    3. Can I install Vista 64, from the CD?
    Thank you for your help 
    This question was solved.
    View Solution.

    No worries. Yes, you can perform an install of Vista with the DVDs that you have. You can  reformat the hard disk as part of the installation.
    Before you begin, go into the Device Manager to see which wireless adapter, graphics adapter  and lan adapter is installed and write it down. Doing that will save you some time.
    You will need the following DVDs from what you have stated the notebook was delivered with..
    Operating System DVD Windows Vista Business SP1 (64-it)
    Application and Driver Recovery DVD 32-bit & 64-bit for Windows Vista
    Write down the twenty five character  license activation key before you begin. Enter it when requested to by the Windows installation script. After the installation is complete use the driver disk to install the drivers. If HP Support Assistant is available on the driver and application disk, install that also.
    ****Please click on Accept As Solution if a suggestion solves your problem. It helps others facing the same problem to find a solution easily****
    2015 Microsoft MVP - Windows Experience Consumer

  • Generate CSR public key 2048 bit

    Hello all,
    I apologize if the answer is already posted here.
    Trying to generate a certificate that uses a 2048 bit.
    Going through the UI, there is no option to define the bit and it generates a 1024 bit key.
    Looked at the CLI certconfig and the option there was to paste the PEM content.
    Async OS 7.5.0-833.
    Any help is appreciated.
    Thanks
    Paul

    Paul,
    There is currently no way to generate keys other than 1024 bit keys.  It is a feature request with the current bug id's.
    CSCzv70884 - [Feature Request] Support Generating 2048bit Certificates in HTTPS Proxy
    Christian Rahl
    Customer Support Engineer
    Cisco Web Content Security Appliance
    Cisco Technical Assistance Center RTP

  • Messaging Server 7.3 msgcert key size

    Does anyone know what key size msgcert uses when generating key pairs? I suspect 1024 bits, but haven't been able to confirm.

    il_postino wrote:
    Does anyone know what key size msgcert uses when generating key pairs? I suspect 1024 bits, but haven't been able to confirm.The msgcert utility does indeed create 1024 bit keys.
    Regards,
    Shane.

  • Replacing SSL keys and certificates for already defined services

    I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
    I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
    I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
    I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
    Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

    "Clear file filename "password" commad will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
    Please check if the below URL: could help:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

  • Cannot publish Flash Updates Verification of file signature failed for file SCUP 2011, SCCM 2012 R2 and WSUS all on same Windows Server 2012 machine

    I am attempting to distribute Adobe Flash updates using SCUP 2011, SCCM 2012 R2, WSUS ver4 and Windows Server 2012.  Everything installs without error.  I have acquired a certificate for SCUP signing from the internal Enterprise CA.  I have
    verified the signing certificate has a 1024 bit key.  I have imported the certificate into the server's Trusted Publishers and Trusted Root CA stores for the computer.  When I attempt to publish a Flash update with Full content I receive the following
    error:
    2015-02-13 23:00:48.724 UTC Error Scup2011.21 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: Verification of file signature failed for file:
    \\SCCM\UpdateServicesPackages\a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4\3f82680a-9028-4048-ba53-85a4b4acfa12_1.cab
    I have redone the certificates three times with no luck.  I can import metadata, but any attempt to download content results in the verification error.
    TIA

    Hi Joyce,
    This is embarrassing, I used that very post as my guide when deploying my certificate templates, but failed to change the bit length to 2048.  Thank you for being my second set of eyes.
    I changed my certificate key bit length to 2048, deleted the old cert from all certificate stores, acquired the a new signing cert, verified the key length was 2048, exported the new cert to pfx and cer files, imported into my Trusted publishers
    and Trusted Root Authorities stores, reconfigured SCUP to use the new pfx file, rebooted the server and attempted to re-publish the updates with the following results:
    2015-02-16 13:35:44.006 UTC Error Scup2011.4 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: Verification of file signature failed for file:
    \\SCCM\UpdateServicesPackages\a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4\3f82680a-9028-4048-ba53-85a4b4acfa12_1.cab.
    Is there a chance this content was already created and signed with the old cert, so installing the new cert has no effect?  In ConfigMgr software updates I see 4 Flash updates, all marked Metadata Only (because they were originally published as "Automatic." 
    No Flash updates in the ConfigMgr console are marked as downloaded.  I can't find any documentation on how the process of using SCUP for downloading content for an update marked Metadata Only actually works. 
    Comments and suggestions welcome.

  • [SOLVED] Openvpn configuration issues

    Hello,
    To better illustrate the following here's an overview of my network:
    LAN: 10.0.0.0/24; VPN (shall be): 10.0.2.0/24
    Alyx: 10.0.0.1 / 10.0.2.1 (i presume) - Is the router and openvpn server (running Debian 5.0)
    Praseodym: 10.0.0.4 / 10.0.2.4 (according to ipp.txt) - Is the client (currently local; may connect from internet eventually) (running Archlinux)
    When trying to connect praseodym the tun interface gets created properly (according to ifconfig) but it not only get's sent the wrong adress (10.0.2.6) but also the wrong routes (10.0.2.5 as default gateway)
    This of course makes it impossible to ping either alyx or any other host in 10.0.0.0/24
    I'm sure i misconfigured somewhere but i just don't manage to actually find the error; any help would be greatly appreciated :-D
    This is the server.conf on Alyx (with comments removed for length):
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/alyx.crt
    key /etc/openvpn/keys/alyx.key # This file should be kept secret
    dh /etc/openvpn/keys/dh1024.pem
    server 10.0.2.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.0.0.0 255.255.255.0"
    push "redirect-gateway"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 4
    This is the server.conf on Praseodym:
    dev tun
    remote alyx.lan.k-progs.org
    tls-client
    pull
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/praseodym.crt
    key /etc/openvpn/praseodym.key
    port 1194
    comp-lzo
    ping 15
    ping-restart 45
    ping-timer-rem
    verb 3
    Also, here are the log files of a connection attempt:
    Log of openvpn --config /etc/openvpn/server.conf --verb 6 (On Alyx)
    Tue May 3 13:51:49 2011
    Tue May 3 13:51:49 2011 us=343679 Current Parameter Settings:
    -- the entire config --
    Tue May 3 13:51:49 2011 us=399621 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
    Tue May 3 13:51:49 2011 us=488787 Diffie-Hellman initialized with 1024 bit key
    Tue May 3 13:51:49 2011 us=494972 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Tue May 3 13:51:50 2011 us=491474 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 13:51:50 2011 us=532928 TUN/TAP device tun0 opened
    Tue May 3 13:51:50 2011 us=533460 TUN/TAP TX queue length set to 100
    Tue May 3 13:51:50 2011 us=533981 /sbin/ifconfig tun0 10.0.2.1 pointopoint 10.0.2.2 mtu 1500
    Tue May 3 13:51:50 2011 us=539295 /sbin/route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.2
    Tue May 3 13:51:50 2011 us=543053 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 13:51:50 2011 us=543631 Socket Buffers: R=[111616->131072] S=[111616->131072]
    Tue May 3 13:51:50 2011 us=544091 UDPv4 link local (bound): [undef]:1194
    Tue May 3 13:51:50 2011 us=544469 UDPv4 link remote: [undef]
    Tue May 3 13:51:50 2011 us=544868 MULTI: multi_init called, r=256 v=256
    Tue May 3 13:51:50 2011 us=545386 IFCONFIG POOL: base=10.0.2.4 size=62
    Tue May 3 13:51:50 2011 us=545812 IFCONFIG POOL LIST
    Tue May 3 13:51:50 2011 us=546241 Initialization Sequence Completed
    Tue May 3 13:52:25 2011 us=915080 MULTI: multi_create_instance called
    Tue May 3 13:52:25 2011 us=915641 10.0.0.4:1194 Re-using SSL/TLS context
    Tue May 3 13:52:25 2011 us=916094 10.0.0.4:1194 LZO compression initialized
    Tue May 3 13:52:25 2011 us=917062 10.0.0.4:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 13:52:25 2011 us=917483 10.0.0.4:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 13:52:25 2011 us=918064 10.0.0.4:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue May 3 13:52:25 2011 us=918525 10.0.0.4:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue May 3 13:52:25 2011 us=919070 10.0.0.4:1194 Local Options hash (VER=V4): '530fdded'
    Tue May 3 13:52:25 2011 us=919514 10.0.0.4:1194 Expected Remote Options hash (VER=V4): '41690919'
    Tue May 3 13:52:25 2011 us=920072 10.0.0.4:1194 UDPv4 READ [14] from 10.0.0.4:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Tue May 3 13:52:25 2011 us=920566 10.0.0.4:1194 TLS: Initial packet from 10.0.0.4:1194, sid=665595c2 97acdb17
    Tue May 3 13:52:25 2011 us=921066 10.0.0.4:1194 UDPv4 WRITE [26] to 10.0.0.4:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
    Tue May 3 13:52:25 2011 us=922376 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 0 ]
    Tue May 3 13:52:25 2011 us=923078 10.0.0.4:1194 UDPv4 READ [114] from 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
    -- repeats for a while --
    Tue May 3 13:52:26 2011 us=144189 10.0.0.4:1194 VERIFY OK: depth=1, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=K-Progs_CA/emailAddress=<censored>
    Tue May 3 13:52:26 2011 us=147233 10.0.0.4:1194 VERIFY OK: depth=0, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=praseodym/emailAddress=<censored>
    -- continues repeating --
    Tue May 3 13:52:26 2011 us=266154 10.0.0.4:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 13:52:26 2011 us=266590 10.0.0.4:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 13:52:26 2011 us=267443 10.0.0.4:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 13:52:26 2011 us=267804 10.0.0.4:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 13:52:26 2011 us=268951 10.0.0.4:1194 UDPv4 WRITE [126] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ 28 ] pid=37 DATA len=100
    Tue May 3 13:52:26 2011 us=269516 10.0.0.4:1194 UDPv4 WRITE [114] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=38 DATA len=100
    Tue May 3 13:52:26 2011 us=270109 10.0.0.4:1194 UDPv4 WRITE [80] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=39 DATA len=66
    Tue May 3 13:52:26 2011 us=270733 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 37 ]
    Tue May 3 13:52:26 2011 us=271968 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 38 ]
    Tue May 3 13:52:26 2011 us=274646 10.0.0.4:1194 UDPv4 READ [22] from 10.0.0.4:1194: P_ACK_V1 kid=0 [ 39 ]
    Tue May 3 13:52:26 2011 us=275075 10.0.0.4:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue May 3 13:52:26 2011 us=275567 10.0.0.4:1194 [praseodym] Peer Connection Initiated with 10.0.0.4:1194
    Tue May 3 13:52:26 2011 us=276425 praseodym/10.0.0.4:1194 MULTI: Learn: 10.0.2.6 -> praseodym/10.0.0.4:1194
    Tue May 3 13:52:26 2011 us=276825 praseodym/10.0.0.4:1194 MULTI: primary virtual IP for praseodym/10.0.0.4:1194: 10.0.2.6
    Tue May 3 13:52:30 2011 us=780827 praseodym/10.0.0.4:1194 UDPv4 READ [104] from 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 13:52:30 2011 us=781588 praseodym/10.0.0.4:1194 PUSH: Received control message: 'PUSH_REQUEST'
    Tue May 3 13:52:30 2011 us=782566 praseodym/10.0.0.4:1194 SENT CONTROL [praseodym]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.2.6 10.0.2.5' (status=1)
    Tue May 3 13:52:30 2011 us=783091 praseodym/10.0.0.4:1194 UDPv4 WRITE [22] to 10.0.0.4:1194: P_ACK_V1 kid=0 [ 29 ]
    Tue May 3 13:52:30 2011 us=783693 praseodym/10.0.0.4:1194 UDPv4 WRITE [114] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=40 DATA len=100
    -- repeats itself --
    Tue May 3 13:53:15 2011 us=3722 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:17 2011 us=72864 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:17 2011 us=73807 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) -- This should be about where i killed it on praseodym
    Tue May 3 13:53:19 2011 us=194021 praseodym/10.0.0.4:1194 UDPv4 WRITE [16] to 10.0.0.4:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 13:53:19 2011 us=194842 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    -- repeats --
    Tue May 3 13:53:29 2011 us=659866 event_wait : Interrupted system call (code=4)
    Tue May 3 13:53:29 2011 us=662316 TCP/UDP: Closing socket
    Tue May 3 13:53:29 2011 us=662509 /sbin/route del -net 10.0.2.0 netmask 255.255.255.0
    Tue May 3 13:53:29 2011 us=666153 Closing TUN/TAP interface
    Tue May 3 13:53:29 2011 us=666297 /sbin/ifconfig tun0 0.0.0.0
    Tue May 3 13:53:29 2011 us=687981 SIGINT[hard,] received, process exiting
    Log of openvpn --config /etc/openvpn/server.conf --verb 6 (On Praseodym)
    Tue May 3 14:06:03 2011
    Tue May 3 14:06:03 2011 us=797132 Current Parameter Settings:
    -- entire config --
    Tue May 3 14:06:03 2011 us=799467 OpenVPN 2.1.4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 13 2010
    Tue May 3 14:06:03 2011 us=799532 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Tue May 3 14:06:03 2011 us=799543 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue May 3 14:06:03 2011 us=831145 LZO compression initialized
    Tue May 3 14:06:03 2011 us=831289 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 3 14:06:03 2011 us=831353 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Tue May 3 14:06:03 2011 us=833330 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 3 14:06:03 2011 us=833386 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Tue May 3 14:06:03 2011 us=833398 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Tue May 3 14:06:03 2011 us=833426 Local Options hash (VER=V4): '41690919'
    Tue May 3 14:06:03 2011 us=833443 Expected Remote Options hash (VER=V4): '530fdded'
    Tue May 3 14:06:03 2011 us=833466 UDPv4 link local (bound): [undef]:1194
    Tue May 3 14:06:03 2011 us=833480 UDPv4 link remote: 10.0.0.1:1194
    Tue May 3 14:06:03 2011 us=833551 UDPv4 WRITE [14] to 10.0.0.1:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Tue May 3 14:06:03 2011 us=840770 UDPv4 READ [26] from 10.0.0.1:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
    Tue May 3 14:06:03 2011 us=840831 TLS: Initial packet from 10.0.0.1:1194, sid=a0c0d596 fa3b4a5c
    Tue May 3 14:06:03 2011 us=840898 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 0 ]
    Tue May 3 14:06:03 2011 us=840991 UDPv4 WRITE [114] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
    Tue May 3 14:06:03 2011 us=841034 UDPv4 WRITE [114] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
    Tue May 3 14:06:03 2011 us=841079 UDPv4 WRITE [25] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=11
    Tue May 3 14:06:03 2011 us=843441 UDPv4 READ [22] from 10.0.0.1:1194: P_ACK_V1 kid=0 [ 1 ]
    -- repeats --
    Tue May 3 14:06:03 2011 us=996540 VERIFY OK: depth=1, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=K-Progs_CA/emailAddress=<censored>
    Tue May 3 14:06:03 2011 us=996859 VERIFY OK: depth=0, /C=DE/ST=<censored>/L=<censored>/O=K-Progs/CN=alyx/emailAddress=<censored>
    Tue May 3 14:06:03 2011 us=996908 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 19 ]
    Tue May 3 14:06:03 2011 us=996973 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
    -- repeats --
    Tue May 3 14:06:04 2011 us=193026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 3 14:06:04 2011 us=193041 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 3 14:06:04 2011 us=193066 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 39 ]
    Tue May 3 14:06:04 2011 us=193113 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue May 3 14:06:04 2011 us=193140 [alyx] Peer Connection Initiated with 10.0.0.1:1194
    Tue May 3 14:06:06 2011 us=525590 SENT CONTROL [alyx]: 'PUSH_REQUEST' (status=1)
    Tue May 3 14:06:06 2011 us=525689 UDPv4 WRITE [104] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 14:06:08 2011 us=697435 UDPv4 WRITE [104] to 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=90
    Tue May 3 14:06:08 2011 us=700865 UDPv4 READ [22] from 10.0.0.1:1194: P_ACK_V1 kid=0 [ 29 ]
    Tue May 3 14:06:08 2011 us=702337 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=40 DATA len=100
    Tue May 3 14:06:08 2011 us=702401 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 40 ]
    Tue May 3 14:06:08 2011 us=704448 UDPv4 READ [114] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=41 DATA len=100
    Tue May 3 14:06:08 2011 us=704484 UDPv4 WRITE [22] to 10.0.0.1:1194: P_ACK_V1 kid=0 [ 41 ]
    Tue May 3 14:06:08 2011 us=704814 UDPv4 READ [16] from 10.0.0.1:1194: P_CONTROL_V1 kid=0 [ ] pid=42 DATA len=2
    Tue May 3 14:06:08 2011 us=704881 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.2.6 10.0.2.5'
    Tue May 3 14:06:08 2011 us=704976 OPTIONS IMPORT: timers and/or timeouts modified
    Tue May 3 14:06:08 2011 us=704989 OPTIONS IMPORT: --ifconfig/up options modified
    Tue May 3 14:06:08 2011 us=704999 OPTIONS IMPORT: route options modified
    Tue May 3 14:06:08 2011 us=705008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue May 3 14:06:08 2011 us=705169 ROUTE default_gateway=10.0.0.1
    Tue May 3 14:06:08 2011 us=757964 TUN/TAP device tun0 opened
    Tue May 3 14:06:08 2011 us=758006 TUN/TAP TX queue length set to 100
    Tue May 3 14:06:08 2011 us=758056 /sbin/ifconfig tun0 10.0.2.6 pointopoint 10.0.2.5 mtu 1500
    Tue May 3 14:06:08 2011 us=759929 OpenVPN ROUTE: omitted no-op route: 10.0.0.1/255.255.255.255 -> 10.0.0.1
    Tue May 3 14:06:08 2011 us=759970 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    Tue May 3 14:06:08 2011 us=772882 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=773671 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=774548 WARNING: potential route subnet conflict between local LAN [10.0.2.0/255.255.255.0] and remote VPN [10.0.2.0/255.255.255.0]
    Tue May 3 14:06:08 2011 us=774590 /sbin/route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.5
    Tue May 3 14:06:08 2011 us=775248 Initialization Sequence Completed
    Tue May 3 14:06:15 2011 us=480014 TUN READ [1500]
    Tue May 3 14:06:15 2011 us=480068 UDPv4 WRITE [1541] to 10.0.0.1:1194: P_DATA_V1 kid=0 DATA len=1540
    -- repeats until the logfile is about 80 MB O.o --
    Tue May 3 14:06:53 2011 us=371147 TCP/UDP: Closing socket
    Tue May 3 14:06:53 2011 us=371194 /sbin/route del -net 10.0.2.0 netmask 255.255.255.0
    Tue May 3 14:06:53 2011 us=372114 /sbin/route del -net 10.0.0.0 netmask 255.255.255.0
    Tue May 3 14:06:53 2011 us=372807 /sbin/route del -net 10.0.0.1 netmask 255.255.255.255
    SIOCDELRT: No such process
    Tue May 3 14:06:53 2011 us=373472 ERROR: Linux route delete command failed: external program exited with error status: 7
    Tue May 3 14:06:53 2011 us=373511 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    Tue May 3 14:06:53 2011 us=374202 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.0.1
    Tue May 3 14:06:53 2011 us=374869 Closing TUN/TAP interface
    Tue May 3 14:06:53 2011 us=374896 /sbin/ifconfig tun0 0.0.0.0
    Tue May 3 14:06:53 2011 us=407592 SIGINT[hard,] received, process exiting
    Last edited by Greg10 (2011-05-07 06:38:43)

    Shouldn't the push "redirect-gateway" directive take care of that?
    Also I unfortunatly can only test whether I'm able to connect from the outside on saturday.
    I'll see if I can get Praseodym to work in my DMZ (that'd be 10.0.1.0/24) later this day though.
    Thanks for the tip :-)
    Edit: Thanks a lot indeed;
    Having Praseodym be 10.0.1.2 (alyx being 10.0.1.1 in the dmz) actually solved the problems i've been having (for local connectivity that is; i can't really know if it's working unless i test it from the web)
    Last edited by Greg10 (2011-05-04 15:27:04)

  • How to configure Firefox to use OpenVPN?

    summary: I'm running OpenVPN from a Debian client through a Debian jumpbox/server. After I [start the server, start the client] most IP-based applications (DNS, ping, ssh) seem to work from the client, but client's Firefox cannot connect to http://www.whatismyip.com/ (or any other URI). How to configure Firefox to use the VPN? or otherwise fix the problem? or further debug it?
    details:
    I have a laptop running debian_version==jessie/sid with Firefox version=33.0 which needs to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is running a "vanilla" Debian 7.7.
    I have been using the laptop successfully for a few years without network problems. Currently I have the laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on the laptop, I see:
    * `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
    * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
    * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)
    Both my client/laptop and server/jumpbox setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki
    https://wiki.debian.org/openvpn%20for%20server%20and%20client
    me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
    Sat Nov 8 16:49:00 EST 2014
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8" # google public DNS
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    me@laptop:~$ date ; cat /etc/openvpn/client1.conf
    Sat Nov 8 16:51:31 EST 2014
    client
    dev tun
    proto udp
    remote ser.ver.IP.num 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:
    me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
    Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
    Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
    Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
    Sat Nov 8 17:48:25 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:48:25 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sat Nov 8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sat Nov 8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Nov 8 17:48:25 2014 GID set to nogroup
    Sat Nov 8 17:48:25 2014 UID set to nobody
    Sat Nov 8 17:48:25 2014 UDPv4 link local (bound): [undef]
    Sat Nov 8 17:48:25 2014 UDPv4 link remote: [undef]
    Sat Nov 8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Sat Nov 8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
    Sat Nov 8 17:48:25 2014 succeeded -> ifconfig_pool_set()
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL LIST
    Sat Nov 8 17:48:25 2014 TomRoche,10.8.0.4
    Sat Nov 8 17:48:25 2014 Initialization Sequence Completed
    me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
    Sat Nov 8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Sat Nov 8 17:49:12 2014 UDPv4 link local: [undef]
    Sat Nov 8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
    Sat Nov 8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Nov 8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
    Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: route options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Nov 8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
    Sat Nov 8 17:49:16 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:49:16 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
    Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    Sat Nov 8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
    dhcp-option DNS 8.8.8.8
    Sat Nov 8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 GID set to nogroup
    Sat Nov 8 17:49:16 2014 UID set to nobody
    Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
    I then see the following on my client:
    * `ifconfig` shows a new entry=`tun0`, which looks correct
    * I can `ping` the server using either its real IP# or `10.8.0.1`
    * I can `ssh` to the server using either its real IP# or `10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    ... but I get no connection if I open a new instance of Firefox and browse to http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds quickly but the status line continues to display "Connecting to www.whatismyip.com..." until the attempt times out. I also get the same behavior (connection timeout) if I open a new instance of Chrome, or if I browse to http://www.whatismyip.com/ with a Firefox opened prior to starting OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) Google.
    This is a major problem for me! For the SSL VPN to work, I need to start a Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a Firefox plugin) to access a particular remote-access website. Furthermore I need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, sad story ...)
    Is there something I must do to configure Firefox to use the VPN? Or is there some other way to fix this?
    Alternatively, what should I do to further debug the problem? It just seems odd to me that the other services work (e.g., `nslookup`, `ssh`) but Firefox does not. That being said, both Firefox and Chrome fail in this usecase, so the problem might be generic to web browsers.
    your assistance is appreciated, Tom Roche <[email protected]>

    You're kidding. You have to go through that rigamarole just to put your bookmarks on your own server? Where's the simple FTP option?
    Also, the above-linked article has a broken link. The link to the weaveserver (which is what you have to set up on your own server) is no good, and there is no obvious replacement. There are plenty of Weave-related repositories here:
    http://hg.mozilla.org/labs
    but it's not clear what you need.

Maybe you are looking for

  • Recurring calendar event bug from Exchange

    In Outlook, we can create a recurring meeting for things like the first Monday of the month, or the 5th of every month.  But if we schedule a meeting to occur the second weekday of every month, it appears wrong on our phones for every date except the

  • AirPort is on and everything is conected but nothing is happening?

    Trying to play speakers and print but nothing is happening. Just need a little help with this Express. All software has been down loaded. It's telling me the airport is on and I'm conected to my wireless hub in the office. When I open itunes the bar

  • Post XML to a HTTP service

    Hi, I have an XML file created by PL/SQL procedure. I need to send the xml document to a http service. Any help on how to post xml document in PL/SQL to a http site would be higly appriciated. Kumar

  • ICal works in test user mode but only a spinning disc in original

    I have reinstalled but it still only works in under my created test user. Since the application works, how do I clean out the problem in my user account? Thanks

  • Limit items in content search web part on carousel view.

    Hey,  I want to use CSWP Carousel to view photos.  Currently I have six images in my library (and nothing else), but tomorrow may be sixteen. In the WP settings I can have up to fifty items and can not leave this section blank.  In the CSWP I'm searc