Nick | Message | Time |
---|---|---|
=== smb` is now known as smb | ||
frojnd | Aloha | 14:34 |
daChris | seas | 14:43 |
frojnd | daChris: do you have any experience with openVPN on ubuntuServer? | 14:46 |
frojnd | or anyone else for that matter | 14:46 |
frojnd | I keep getting TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and TLS Error: TLS handshake failed | 14:48 |
Patrickdk | ya, try talking to openvpn using openvpn :) | 14:54 |
frojnd | I did :D | 14:54 |
Patrickdk | normally that means something is attempting to talk to it | 14:54 |
frojnd | problem on client side? | 14:55 |
daChris | iptables? | 14:56 |
frojnd | I've checked that client is using udp, ip, port, corresponding certificates and everything | 14:56 |
frojnd | don't use iptables on client side | 14:56 |
daChris | did you use iptables on server side? | 14:56 |
frojnd | daChris: I use ufw, I just opened udp and tcp 1194 with ufw firewall | 14:57 |
daChris | deactivate iptables and test it again | 14:58 |
frojnd | is there a simple way to deactivate iptables? | 15:03 |
frojnd | by simple I mean *easy* | 15:03 |
frojnd | also | 15:03 |
frojnd | ufw uses iptables, if I disable ufw then iptables won't take effect or am I wrong? | 15:04 |
frojnd | nevertheless I've disabled iptables and ufw, still can't connect with client :o | 15:06 |
frojnd | deactivated iptables* | 15:06 |
frojnd | hm | 15:07 |
frojnd | brb | 15:10 |
=== zz_DenBeiren is now known as DenBeiren | ||
frojnd | Hm.. any other ideas what I might test? | 15:17 |
frojnd | ...in order to make OpenVPN work | 15:17 |
frojnd | Reading this page now: http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html "A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194)." <- I have disabled ufw and deactivated iptables, still the same error | 15:28 |
frojnd | A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise. | 15:28 |
frojnd | ^^ disabled ufw | 15:28 |
uvirtbot | frojnd: Error: "^" is not a valid command. | 15:28 |
frojnd | I think I found the cause | 15:33 |
frojnd | finally | 15:33 |
frojnd | I'm just ashamed I didn't remember this earlier | 15:33 |
frojnd | looks like I didn't make "correct" rule with ufw about tcp and udp ports | 15:33 |
frojnd | Hm.. ufw allow 1194 should enable tcp and udp | 15:42 |
frojnd | yet, when I do netstat -au don't see any 1194 port there | 15:42 |
frojnd | also netstat -lnt | grep 1194 won't show it | 15:43 |
frojnd | odd | 15:43 |
qman__ | that means openvpn isn't running | 15:44 |
frojnd | qman__: ah yeah forgot to start it | 15:44 |
qman__ | even if blocked in the firewall it would still show up there | 15:44 |
frojnd | hm ok | 15:45 |
frojnd | so I now removed all 1194 entries in ufw and did: ufw allow 1194/udp | 15:45 |
frojnd | I've started openvpn, and when I do netstat -lnt | grep 1194 I can see 1194 there, but when I do netstat -au | grep 1194 can't see 1194 there | 15:47 |
frojnd | ah, gotta check what openvpn uses anyways | 15:47 |
qman__ | -au doesn't show listening ports | 15:47 |
qman__ | so it would not show up there | 15:47 |
frojnd | open udp ports | 15:48 |
frojnd | or I read the help page wrong | 15:48 |
qman__ | yes, and there aren't any open yet | 15:48 |
qman__ | there would be once a connection was established | 15:48 |
frojnd | Ok | 15:49 |
frojnd | Hm.. looks like for some reason when using udp ports client can't connect | 15:50 |
frojnd | But if I use tcp ports it can | 15:50 |
frojnd | Can I configure openvpn server to use both tcp and udp? | 15:51 |
qman__ | pretty sure it's an either/or setting | 15:51 |
qman__ | if you turn off the firewall, does udp still not work? | 15:51 |
frojnd | qman__: yes | 15:52 |
frojnd | I don't know why | 15:52 |
qman__ | are both client and server set to udp? | 15:53 |
frojnd | yes | 15:53 |
frojnd | currently | 15:53 |
qman__ | ok, do you have a router or some other device that might be firewalling you? | 15:56 |
frojnd | on client side I have some embedded modem/router device | 15:57 |
frojnd | that ISP gave me | 15:57 |
frojnd | but I'm configuring this for when I'm gonna be abroad | 15:57 |
frojnd | because I'll use free wifi with my mobile and I need to have safe connection | 15:58 |
frojnd | brb | 15:58 |
qman__ | ok, it wouldn't be that | 15:58 |
qman__ | there's nothing wrong with using tcp, it's just a little bit slower due to the added overhead of the tcp protocol | 15:58 |
beneter_ | Hello, I'm trying to activate PFS on my apache on ubuntu 12.04 LTS. But the server won't start and complains about: "Unable to configure permitted SSL ciphers" | 16:04 |
beneter_ | Also I'm not able to activate TLSv1.2 | 16:04 |
beneter_ | do I really have to compile apache by myself, or am I missing something? | 16:05 |
Patrickdk | beneter_, the fact you think this is even an apache issue, tells me you don't even know where to start | 16:17 |
frojnd | I'm still curious why I can't connect to openvpn using udp port | 16:27 |
beneter_ | Patrickdk: @ #ubuntu-de I now got the information that - in fact - it is an apache issue. I'm using 2.2.22 which is the up-to-date version in the standard repos of 12.04 LTS AND which doesn't jet support the Ciphers needed. | 16:32 |
beneter_ | *yet | 16:32 |
Patrickdk | apache has nothing to do with ssl | 16:32 |
Patrickdk | and apache on 12.04 does support tls1.3 tls1.4 tls1.5 .... | 16:33 |
beneter_ | but the default plugins do ;) | 16:33 |
Patrickdk | if they ever make those standards | 16:33 |
Patrickdk | the default plugs for apache support tls 1.1 and tls1.2 | 16:33 |
beneter_ | mod_ssl | 16:33 |
Patrickdk | do you know what mod_ssl is? | 16:33 |
Patrickdk | it's a wrapper for openssl | 16:33 |
Patrickdk | openssl in 12.04 has no tls 1.1/1.2 support | 16:33 |
beneter_ | it's a wrapper around openssl as far as i know | 16:33 |
Patrickdk | so how would mod_ssl have it? | 16:33 |
Patrickdk | so switch to one that DOES have support | 16:33 |
beneter_ | mod_ssl should support the needed cipher suites, or not? | 16:34 |
Patrickdk | or replace openssl | 16:34 |
Patrickdk | mod_ssl doesn't have anything | 16:34 |
Patrickdk | it's a wrapper | 16:34 |
beneter_ | so all i need to do is update opensslß | 16:34 |
beneter_ | *? | 16:34 |
Patrickdk | you could | 16:34 |
Patrickdk | or you could just use an apache ssl that doesn't use openssl | 16:35 |
beneter_ | but GnuTLS insteadß | 16:35 |
beneter_ | *? | 16:35 |
Patrickdk | if you want, sure | 16:36 |
beneter_ | okay, I have to think about this step :) | 16:36 |
Patrickdk | or I could tell you a secret way to upgrade mod_ssl with a newer openssl, that doesn't have to be compiled | 16:36 |
beneter_ | i'm listening... XD | 16:37 |
MACscr | why is "sudo wget -q http://deb.theforeman.org/foreman.asc -O- | apt-key add -" responding back with "ERROR: This command can only be used by root."? | 16:37 |
Patrickdk | MACscr, cause you didn't run apt-key as root | 16:37 |
Patrickdk | dunno why you would run wget as root | 16:37 |
beneter_ | u should write sudo before apt-key | 16:37 |
MACscr | lol, doh. good call | 16:38 |
MACscr | i was just copying and pasting. Didn't even think about it | 16:38 |
andol | MACscr: Common mistake :) | 16:38 |
Patrickdk | beneter_, check out mod_spdy | 16:38 |
Patrickdk | after you install it, you can always disable mod_spdy | 16:38 |
beneter_ | tried it, didn't really like it ;) | 16:39 |
Patrickdk | guess you didn't pay close enough attention | 16:39 |
beneter_ | might be | 16:39 |
Patrickdk | it comes with mod_ssl with newer openssl | 16:39 |
beneter_ | I'll give it a second try | 16:42 |
beneter_ | But I think I had some sort of compatibility issue | 16:42 |
Patrickdk | dunno how you could have a compatibility issue | 16:43 |
beneter_ | CalDav / SVN .... I don't remember... | 16:43 |
Patrickdk | heh? those have issues with mod_ssl? | 16:45 |
beneter_ | mod_spdy | 16:45 |
beneter_ | but I don't remember enough.... might be something different... | 16:46 |
Patrickdk | did you not listen to me? | 16:46 |
Patrickdk | I said you can always disable mod_spdy | 16:46 |
Patrickdk | mod_spdy != mod_ssl | 16:47 |
beneter_ | yea... What are we talking about? ^^ Weren't you saying I should install mod_spdy with its pendant to mod_ssl to be able to use PFS? | 16:48 |
beneter_ | sorry, I don't get it | 16:51 |
beneter_ | now I get it... | 16:54 |
beneter_ | sorry again | 16:54 |
beneter_ | I'll install mod_spdy and a2dismod mod_spdy and can use the new mod_ssl... right? | 16:54 |
Patrickdk | yes | 16:54 |
Patrickdk | make sure the new mod_ssl is enabled though | 16:54 |
Patrickdk | it is called something like mod_sslnpn | 16:55 |
beneter_ | okay | 16:55 |
beneter_ | I don't have enough time to try it now... gotta go. | 16:55 |
Patrickdk | I think it edits the mod_ssl.load file to do it | 16:55 |
beneter_ | thank you very much for your help | 16:55 |
Matrix3000__ | Anyone aware of how I can use pam_groupdn to enforce group membership requirements from ldap | 17:33 |
Matrix3000__ | Trying to restrict access to servers using Active Directory authentication without having to make the client a domain joined system. | 17:33 |
Matrix3000__ | I can get it to use one group. But I need more than one | 17:34 |
=== alamar is now known as jullian | ||
=== jullian is now known as alamar | ||
=== DenBeiren is now known as zz_DenBeiren | ||
=== zz_DenBeiren is now known as DenBeiren | ||
DenBeiren | it's been ages since my last ubuntu server install,.. seems like i am overseeing something in configuring samba :-) | 19:44 |
DenBeiren | i see the share in my network, but i can't access it :s | 19:44 |
qman__ | DenBeiren, smbpasswd -a | 20:38 |
=== DenBeiren is now known as zz_DenBeiren | ||
MACscr | hmm, why do you guys think I'm getting this duplicate sources entry for foreman? I don't see any duplicates http://pastie.org/pastes/8206483/text?key=8jf6msfsfgynht3p2cdna | 23:17 |
frojnd | Hm, I've successfully configured basic openvpn. Now I'd like to set up a routed VPN configuration, so when the client uses openVPN everything would go through openVPN and the external IP would be changed https://help.ubuntu.com/12.04/serverguide/openvpn.html#openvpn-advanced-config I've configured everything except for user and group and password authentication. | 23:24 |
frojnd | When I test with the client, I can ping 10.8.0.1 but when using a browser I'm in an infinite loop | 23:25 |
frojnd | And I don't know why | 23:25 |