/srv/irclogs.ubuntu.com/2013/08/04/#ubuntu-server.txt

=== smb` is now known as smb
frojndAloha14:34
daChrisseas14:43
frojnddaChris: do you have any experinece with openVPN on ubuntuServer?14:46
frojndor anyone else for that matter14:46
frojndI keep getting TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and TLS Error: TLS handshake failed14:48
Patrickdkya, try talking to openvpn using openvpn :)14:54
frojndI did :D14:54
Patrickdknormally that means something is is attempting to talk to it14:54
frojndproblem on client side?14:55
daChrisiptables?14:56
frojndI've checked that client is using udp, ip, port, corresponding certificates and everything14:56
frojnddon't use iptables on client side14:56
daChrisdid you use iptables on server side?14:56
frojnddaChris: I use ufw, I just opened udp and tcp 1194 with ufw firewall14:57
daChrisdeactivate iptables and test it again14:58
frojndis there a simple way to deactivate iptables?15:03
frojndby simple I mean *easy*15:03
frojndalso15:03
frojndufw uses iptables, if I disable ufw then iptables won't take effect or am I wrong?15:04
frojndnevertheless I'ev disabled iptables and ufw, still can't connect with client :o15:06
frojnddeactivated iptables*15:06
frojndhm15:07
frojndbrb15:10
=== zz_DenBeiren is now known as DenBeiren
frojndHm.. any other ideas what I might test?15:17
frojnd...in order to make OpenVPN work15:17
frojndReading this page now: http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194). <- I'have disabled ufw and deactivated iptables, still the same error15:28
frojndA software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.15:28
frojnd^^ disabled ufw15:28
uvirtbotfrojnd: Error: "^" is not a valid command.15:28
frojndI think I found the cause15:33
frojndfinally15:33
frojndI'm just ashamed didn't remebered this earlier15:33
frojndlooks like I didn't make "correct" rule with ufw about tcp and udp ports15:33
frojndHm.. ufw allow 1194 should enable tcp and udp15:42
frojndyet, when I do netstat -au don't see any 1194 port there15:42
frojndalso nestat -lnt | grep 1194 won't show it15:43
frojndodd15:43
qman__that means openvpn isn't running15:44
frojndqman__: ah yeah forgot to start it15:44
qman__even if blocked in the firewall it would still show up there15:44
frojndhm ok15:45
frojndso I now removed all 1194 entries in ufw and did: ufw allow 1194/udp15:45
frojndI've started openvpn, and when I do netstat -lnt | grep 1194 I can see 1194 there, but when I do netstat -au | grep 1194 can't see 1194 there15:47
frojndah, gotta check what openvpn uses anyways15:47
qman__-au doesn't show listening ports15:47
qman__so it would not show up there15:47
frojndopen udp ports15:48
frojndor I red help page wrong15:48
qman__yes, and there aren't any open yet15:48
qman__there would be once a connection was established15:48
frojndOk15:49
frojndHm.. looks like for some reason when using udp ports client can't connect15:50
frojndBut if I use tcp ports it can15:50
frojndCan I configure openvpn server to use both tcp and udp?15:51
qman__pretty sure it's an either/or setting15:51
qman__if you turn off the firewall, does udp still not work?15:51
frojndqman__: yes15:52
frojndI don't know why15:52
qman__are both client and server set to udp?15:53
frojndyes15:53
frojndcurrently15:53
qman__ok, do you have a router or some other device that might be firewalling you?15:56
frojndon client side I have some embedded modem/router device15:57
frojndthat ISP gave me15:57
frojndbut I'm configuring this for when I'm gonna be abroad15:57
frojndbecause I'll use free wifi with my mobile and I need to have safe connection15:58
frojndbrb15:58
qman__ok, it wouldn't be that15:58
qman__there's nothing wrong with using tcp, it's just a little bit slower due to the added overhead of the tcp protocol15:58
beneter_Hello, I'm trying to activate PFS on my apache on ubuntu 12.04 LTS. But the server won't start and complains about: "Unable to configure permitted SSL ciphers"16:04
beneter_Also I'm not possible to activate TLSv1.216:04
beneter_do I really have to compile apache by myself, or am i missing something?16:05
Patrickdkbeneter_, the fact you think this is even an apache issue, tells me you don't even know where to start16:17
frojndI'm still curious why I can't connect to openvp using udp port16:27
beneter_Patrickdk: @ #ubuntu-de I know got the information, that - in fact - it is an apache issue. I'm using 2.2.22 which is the up-to-date version in the standard repos of 12.04 LTS AND which doesn't jet support the Ciphers needed.16:32
beneter_*yet16:32
Patrickdkapache has nothing to do with ssl16:32
Patrickdkand apache on 12.04 does support tls1.3 tls1.4 tls1.5 ....16:33
beneter_but the default plugins do ;)16:33
Patrickdkif they ever make those standards16:33
Patrickdkthe default plugs for apache support tls 1.1 and tls1.216:33
beneter_mod_ssl16:33
Patrickdkdo you know what mod_ssl is?16:33
Patrickdkit's a wrapper for openssl16:33
Patrickdkopenssl in 12.04 has no tls 1.1/1.2 support16:33
beneter_it's a wrapper around openssl as far as i know16:33
Patrickdkso how would mod_ssl have it?16:33
Patrickdkso switch to one that DOES have support16:33
beneter_mod_ssl should support the needed cipher suites, or not?16:34
Patrickdkor replace openssl16:34
Patrickdkmod_ssl doesn't have anything16:34
Patrickdkit's a wrapper16:34
beneter_so all i need to do is update openssl├č16:34
beneter_*?16:34
Patrickdkyou could16:34
Patrickdkor you could just use an apache ssl that doesn't use openssl16:35
beneter_but GnuTLS instead├č16:35
beneter_*?16:35
Patrickdkif you want, sure16:36
beneter_okay, I have to think about this step :)16:36
Patrickdkor I could tell you a secret way to upgrade mod_ssl with a newer openssl, that doesn't ahve to be compiled16:36
beneter_i'm listening... XD16:37
MACscrwhy is "sudo wget -q http://deb.theforeman.org/foreman.asc -O- | apt-key add -" responding back with "ERROR: This command can only be used by root."?16:37
PatrickdkMACscr, cause you didn't run apt-key as root16:37
Patrickdkdunno why you would run wget as root16:37
beneter_u shoud write sudo before apt-key16:37
MACscrlol, doh. good call16:38
MACscri was just coping and pasting. Didnt even think about it16:38
andolMACscr: Common mistake :)16:38
Patrickdkbeneter_, check out mod_spdy16:38
Patrickdkafter you install it, you can always disable mod_spdy16:38
beneter_tried it, didn't really liked it ;)16:39
Patrickdkguess you didn't pay close enough attention16:39
beneter_might be16:39
Patrickdkit comes with mod_ssl with newer openssl16:39
beneter_I'll give it a second try16:42
beneter_But I think I had some sort of compatability issue16:42
Patrickdkdunno how you could have a compatability issue16:43
beneter_CalDav / SVN .... I don't remember...16:43
Patrickdkheh? those have issues with mod_ssl?16:45
beneter_mod_spdy16:45
beneter_but I don't remember enough.... might be something different...16:46
Patrickdkdid you not listen to me?16:46
PatrickdkI said you can always disable mod_spdy16:46
Patrickdkmod_spdy != mod_ssl16:47
beneter_yea... What are we talking about? ^^ Weren't you saying, I should install mod_spdy with it's pendant to mod_ssl to be possible to use PFS?16:48
beneter_sorry, I don't get it16:51
beneter_now I get it...16:54
beneter_sorry again16:54
beneter_I'll install mod_spdy and a2dismod mod_spdy and can use the new mod_ssl... right?16:54
Patrickdkyes16:54
Patrickdkmake sure the new mod_ssl is enabled though16:54
Patrickdkit is called something like mod_sslnpn16:55
beneter_okay16:55
beneter_I don't have enough time to try it now... gotta go.16:55
PatrickdkI think it edits the mod_ssl.load file to do it16:55
beneter_thank you very much for your help16:55
Matrix3000__Anyone aware of how I can use pam_groupdn to enforce group membership requirements from ldap17:33
Matrix3000__Trying to restrict access to servers using Active Directory authentication without having to make the client a domain joined system.17:33
Matrix3000__I can get it to use one group. But I need more than one17:34
=== alamar is now known as jullian
=== jullian is now known as alamar
=== DenBeiren is now known as zz_DenBeiren
=== zz_DenBeiren is now known as DenBeiren
DenBeirenit's been ages since my last ubuntu serverinstall,.. seems like i am overseeing something in configuring samba :-)19:44
DenBeireni see the share in my network, but i can't access it :s19:44
qman__DenBeiren, smbpasswd -a20:38
=== DenBeiren is now known as zz_DenBeiren
MACscrhmm, why do you guys think im getting this duplicate sources entry for foreman? I dont see any duplicates http://pastie.org/pastes/8206483/text?key=8jf6msfsfgynht3p2cdna23:17
frojndHm, I've successfully configured basic openvp. Now I'd like to setup routed VPN configuration, so when client uses openVPN everything wold go through openVPN so external IP would be changed https://help.ubuntu.com/12.04/serverguide/openvpn.html#openvpn-advanced-config I've configured everything except for user and group and password authentication.23:24
frojndWHen I test with client, I can ping 10.8.0.1 but when using a browser I'm in infenite loop23:25
frojndAnd I don't know whyx23:25

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!