=== smb` is now known as smb
[14:34] <frojnd> Aloha
[14:43] <daChris> seas
[14:46] <frojnd> daChris: do you have any experinece with openVPN on ubuntuServer?
[14:46] <frojnd> or anyone else for that matter
[14:48] <frojnd> I keep getting TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and TLS Error: TLS handshake failed
[14:54] <Patrickdk> ya, try talking to openvpn using openvpn :)
[14:54] <frojnd> I did :D
[14:54] <Patrickdk> normally that means something is is attempting to talk to it
[14:55] <frojnd> problem on client side?
[14:56] <daChris> iptables?
[14:56] <frojnd> I've checked that client is using udp, ip, port, corresponding certificates and everything
[14:56] <frojnd> don't use iptables on client side
[14:56] <daChris> did you use iptables on server side?
[14:57] <frojnd> daChris: I use ufw, I just opened udp and tcp 1194 with ufw firewall
[14:58] <daChris> deactivate iptables and test it again
[15:03] <frojnd> is there a simple way to deactivate iptables?
[15:03] <frojnd> by simple I mean *easy*
[15:03] <frojnd> also
[15:04] <frojnd> ufw uses iptables, if I disable ufw then iptables won't take effect or am I wrong?
[15:06] <frojnd> nevertheless I'ev disabled iptables and ufw, still can't connect with client :o
[15:06] <frojnd> deactivated iptables*
[15:07] <frojnd> hm
[15:10] <frojnd> brb
=== zz_DenBeiren is now known as DenBeiren
[15:17] <frojnd> Hm.. any other ideas what I might test?
[15:17] <frojnd> ...in order to make OpenVPN work
[15:28] <frojnd> Reading this page now: http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194). <- I'have disabled ufw and deactivated iptables, still the same error
[15:28] <frojnd> A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.
[15:28] <frojnd> ^^ disabled ufw
[15:28] <uvirtbot> frojnd: Error: "^" is not a valid command.
[15:33] <frojnd> I think I found the cause
[15:33] <frojnd> finally
[15:33] <frojnd> I'm just ashamed didn't remebered this earlier
[15:33] <frojnd> looks like I didn't make "correct" rule with ufw about tcp and udp ports
[15:42] <frojnd> Hm.. ufw allow 1194 should enable tcp and udp
[15:42] <frojnd> yet, when I do netstat -au don't see any 1194 port there
[15:43] <frojnd> also nestat -lnt | grep 1194 won't show it
[15:43] <frojnd> odd
[15:44] <qman__> that means openvpn isn't running
[15:44] <frojnd> qman__: ah yeah forgot to start it
[15:44] <qman__> even if blocked in the firewall it would still show up there
[15:45] <frojnd> hm ok
[15:45] <frojnd> so I now removed all 1194 entries in ufw and did: ufw allow 1194/udp
[15:47] <frojnd> I've started openvpn, and when I do netstat -lnt | grep 1194 I can see 1194 there, but when I do netstat -au | grep 1194 can't see 1194 there
[15:47] <frojnd> ah, gotta check what openvpn uses anyways
[15:47] <qman__> -au doesn't show listening ports
[15:47] <qman__> so it would not show up there
[15:48] <frojnd> open udp ports
[15:48] <frojnd> or I red help page wrong
[15:48] <qman__> yes, and there aren't any open yet
[15:48] <qman__> there would be once a connection was established
[15:49] <frojnd> Ok
[15:50] <frojnd> Hm.. looks like for some reason when using udp ports client can't connect
[15:50] <frojnd> But if I use tcp ports it can
[15:51] <frojnd> Can I configure openvpn server to use both tcp and udp?
[15:51] <qman__> pretty sure it's an either/or setting
[15:51] <qman__> if you turn off the firewall, does udp still not work?
[15:52] <frojnd> qman__: yes
[15:52] <frojnd> I don't know why
[15:53] <qman__> are both client and server set to udp?
[15:53] <frojnd> yes
[15:53] <frojnd> currently
[15:56] <qman__> ok, do you have a router or some other device that might be firewalling you?
[15:57] <frojnd> on client side I have some embedded modem/router device
[15:57] <frojnd> that ISP gave me
[15:57] <frojnd> but I'm configuring this for when I'm gonna be abroad
[15:58] <frojnd> because I'll use free wifi with my mobile and I need to have safe connection
[15:58] <frojnd> brb
[15:58] <qman__> ok, it wouldn't be that
[15:58] <qman__> there's nothing wrong with using tcp, it's just a little bit slower due to the added overhead of the tcp protocol
[16:04] <beneter_> Hello, I'm trying to activate PFS on my apache on ubuntu 12.04 LTS. But the server won't start and complains about: "Unable to configure permitted SSL ciphers"
[16:04] <beneter_> Also I'm not possible to activate TLSv1.2
[16:05] <beneter_> do I really have to compile apache by myself, or am i missing something?
[16:17] <Patrickdk> beneter_, the fact you think this is even an apache issue, tells me you don't even know where to start
[16:27] <frojnd> I'm still curious why I can't connect to openvp using udp port
[16:32] <beneter_> Patrickdk: @ #ubuntu-de I know got the information, that - in fact - it is an apache issue. I'm using 2.2.22 which is the up-to-date version in the standard repos of 12.04 LTS AND which doesn't jet support the Ciphers needed.
[16:32] <beneter_> *yet
[16:32] <Patrickdk> apache has nothing to do with ssl
[16:33] <Patrickdk> and apache on 12.04 does support tls1.3 tls1.4 tls1.5 ....
[16:33] <beneter_> but the default plugins do ;)
[16:33] <Patrickdk> if they ever make those standards
[16:33] <Patrickdk> the default plugs for apache support tls 1.1 and tls1.2
[16:33] <beneter_> mod_ssl
[16:33] <Patrickdk> do you know what mod_ssl is?
[16:33] <Patrickdk> it's a wrapper for openssl
[16:33] <Patrickdk> openssl in 12.04 has no tls 1.1/1.2 support
[16:33] <beneter_> it's a wrapper around openssl as far as i know
[16:33] <Patrickdk> so how would mod_ssl have it?
[16:33] <Patrickdk> so switch to one that DOES have support
[16:34] <beneter_> mod_ssl should support the needed cipher suites, or not?
[16:34] <Patrickdk> or replace openssl
[16:34] <Patrickdk> mod_ssl doesn't have anything
[16:34] <Patrickdk> it's a wrapper
[16:34] <beneter_> so all i need to do is update opensslß
[16:34] <beneter_> *?
[16:34] <Patrickdk> you could
[16:35] <Patrickdk> or you could just use an apache ssl that doesn't use openssl
[16:35] <beneter_> but GnuTLS insteadß
[16:35] <beneter_> *?
[16:36] <Patrickdk> if you want, sure
[16:36] <beneter_> okay, I have to think about this step :)
[16:36] <Patrickdk> or I could tell you a secret way to upgrade mod_ssl with a newer openssl, that doesn't ahve to be compiled
[16:37] <beneter_> i'm listening... XD
[16:37] <MACscr> why is "sudo wget -q http://deb.theforeman.org/foreman.asc -O- | apt-key add -" responding back with "ERROR: This command can only be used by root."?
[16:37] <Patrickdk> MACscr, cause you didn't run apt-key as root
[16:37] <Patrickdk> dunno why you would run wget as root
[16:37] <beneter_> u shoud write sudo before apt-key
[16:38] <MACscr> lol, doh. good call
[16:38] <MACscr> i was just coping and pasting. Didnt even think about it
[16:38] <andol> MACscr: Common mistake :)
[16:38] <Patrickdk> beneter_, check out mod_spdy
[16:38] <Patrickdk> after you install it, you can always disable mod_spdy
[16:39] <beneter_> tried it, didn't really liked it ;)
[16:39] <Patrickdk> guess you didn't pay close enough attention
[16:39] <beneter_> might be
[16:39] <Patrickdk> it comes with mod_ssl with newer openssl
[16:42] <beneter_> I'll give it a second try
[16:42] <beneter_> But I think I had some sort of compatability issue
[16:43] <Patrickdk> dunno how you could have a compatability issue
[16:43] <beneter_> CalDav / SVN .... I don't remember...
[16:45] <Patrickdk> heh? those have issues with mod_ssl?
[16:45] <beneter_> mod_spdy
[16:46] <beneter_> but I don't remember enough.... might be something different...
[16:46] <Patrickdk> did you not listen to me?
[16:46] <Patrickdk> I said you can always disable mod_spdy
[16:47] <Patrickdk> mod_spdy != mod_ssl
[16:48] <beneter_> yea... What are we talking about? ^^ Weren't you saying, I should install mod_spdy with it's pendant to mod_ssl to be possible to use PFS?
[16:51] <beneter_> sorry, I don't get it
[16:54] <beneter_> now I get it...
[16:54] <beneter_> sorry again
[16:54] <beneter_> I'll install mod_spdy and a2dismod mod_spdy and can use the new mod_ssl... right?
[16:54] <Patrickdk> yes
[16:54] <Patrickdk> make sure the new mod_ssl is enabled though
[16:55] <Patrickdk> it is called something like mod_sslnpn
[16:55] <beneter_> okay
[16:55] <beneter_> I don't have enough time to try it now... gotta go.
[16:55] <Patrickdk> I think it edits the mod_ssl.load file to do it
[16:55] <beneter_> thank you very much for your help
[17:33] <Matrix3000__> Anyone aware of how I can use pam_groupdn to enforce group membership requirements from ldap
[17:33] <Matrix3000__> Trying to restrict access to servers using Active Directory authentication without having to make the client a domain joined system.
[17:34] <Matrix3000__> I can get it to use one group. But I need more than one
=== alamar is now known as jullian
=== jullian is now known as alamar
=== DenBeiren is now known as zz_DenBeiren
=== zz_DenBeiren is now known as DenBeiren
[19:44] <DenBeiren> it's been ages since my last ubuntu serverinstall,.. seems like i am overseeing something in configuring samba :-)
[19:44] <DenBeiren> i see the share in my network, but i can't access it :s
[20:38] <qman__> DenBeiren, smbpasswd -a
=== DenBeiren is now known as zz_DenBeiren
[23:17] <MACscr> hmm, why do you guys think im getting this duplicate sources entry for foreman? I dont see any duplicates http://pastie.org/pastes/8206483/text?key=8jf6msfsfgynht3p2cdna
[23:24] <frojnd> Hm, I've successfully configured basic openvp. Now I'd like to setup routed VPN configuration, so when client uses openVPN everything wold go through openVPN so external IP would be changed https://help.ubuntu.com/12.04/serverguide/openvpn.html#openvpn-advanced-config I've configured everything except for user and group and password authentication.
[23:25] <frojnd> WHen I test with client, I can ping 10.8.0.1 but when using a browser I'm in infenite loop
[23:25] <frojnd> And I don't know whyx