[Openvpn-users] How to verify a working tunnel on the client side
s***@keemail.me
2017-03-29 13:27:55 UTC
Is there a way to verify if an established tunnel is actually working properly on the client side?
For instance, if I connect to an OpenVPN server (ncp-disable on server & client) using a different cipher on the client than on the server, the client will connect and print:
Initialization Sequence Completed

whereas the server prints:
client/IP:PORT Authenticate/Decrypt packet error: cipher final failed

due to the cipher mismatch. I could not find a way to verify the data channel on the client.
I've been experimenting with --ping and --ping-exit, but I couldn't really use those, as --ping-exit (or --inactive) would just terminate the OpenVPN process after the defined seconds, no matter what.
Suppose I don't have access to the OpenVPN server config and can't rely on pinging the server's tunnel IP.
How can I confirm that the data channel is working correctly after "Initialization Sequence Completed" on the client?
Gert Doering
2017-03-30 07:00:21 UTC
Hi,
Post by s***@keemail.me
How can I confirm that the data channel is working correctly after "Initialization Sequence Completed" on the client?
"ping the server", like, with "unix ping"?

Send data over the data channel and see if something useful comes back.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
s***@keemail.me
2017-03-30 08:06:31 UTC
Hello!
Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c 1 -W 2 -I tun0 172.16.0.1), but I haven't found a reliable way to automatically identify the server's IP address yet. The environmental variable $route_network_1 appears to be working for that only occasionally.
How could I implement "sending data and checking the response"? I'd need to get that working in an automated manner.
Kind regards,
SaAtomic
Post by Gert Doering
Hi,
Post by s***@keemail.me
How can I confirm that the data channel is working correctly after "Initialization Sequence Completed" on the client?
"ping the server", like, with "unix ping"?
Send data over the data channel and see if something useful comes back.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Jan Just Keijser
2017-03-31 16:20:58 UTC
Hi,
Post by s***@keemail.me
Hello!
Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c 1 -W 2
-I tun0 172.16.0.1), but I haven't found a reliable way to
automatically identify the server's IP address yet.
The environmental variable $route_network_1 appears to be working for
that only occasionally.
How could I implement "sending data and checking the response"? I'd
need to get that working in an automated manner.
in theory the server does not need to have a VPN IP address - or the
server could be configured to block all access to it; if I were running
a VPN setup where paying customers are connecting this is exactly what
I'd do - I wouldn't want a rogue customer to attack my server.

Having said that, in 99.9% of the cases the server IP will always be
<subnet>.1 - which use cases are you trying to address in which this is
not the case?

HTH,

JJK
Post by s***@keemail.me
Hi,
How can I confirm that the data channel is working correctly
after "Initialization Sequence Completed" on the client?
"ping the server", like, with "unix ping"?
Send data over the data channel and see if something useful comes back.
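The automated "send data and see if something comes back" check asked for above, as an added example that is neither code from this thread nor part of OpenVPN itself. It is written as a client `--route-up` script (so it needs `script-security 2` in the client config): it picks the peer to probe from the environment variables OpenVPN exports to scripts (`route_vpn_gateway`, `ifconfig_remote`, `route_gateway_1`, `dev`, `script_type` are real OpenVPN variables), sends a few ICMP echoes out of the tunnel device, and records the result. `PROBE_TARGET` and `STATE_FILE` are this script's own, assumed names, not OpenVPN options; `PROBE_TARGET` exists because of JJK's point that the server may have no reachable VPN address at all, in which case you point the probe at some other host behind the tunnel that is known to answer.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Run as the client's --route-up script (requires --script-security 2):
# pick the tunnel peer from the env vars OpenVPN exports, send ICMP echoes
# out of the tunnel device, and record whether anything came back.

STATE_FILE="${STATE_FILE:-/run/openvpn-datachannel.status}"   # assumed path

# Choose what to probe. PROBE_TARGET (our own override, not an OpenVPN var)
# wins, so an operator can name a host that is known to answer even when the
# server filters traffic to its own VPN address. Otherwise fall back through
# the standard OpenVPN script variables, most specific first.
pick_vpn_peer() {
    for candidate in "$PROBE_TARGET" "$route_vpn_gateway" "$ifconfig_remote" "$route_gateway_1"; do
        case "$candidate" in
            ''|0.0.0.0) ;;                            # unset or placeholder: skip
            *) printf '%s\n' "$candidate"; return 0 ;;
        esac
    done
    return 1                                          # nothing usable exported
}

# Send $3 echoes (default 3) to $1 out of interface $2; succeeds if at least
# one reply arrives. -I binds to the tunnel device so the probe cannot leak
# out another path; -W is the per-reply timeout in seconds (iputils ping).
probe_data_channel() {
    ping -c "${3:-3}" -W 2 -I "$2" "$1" >/dev/null 2>&1
}

# Persist a one-word status for whatever supervises the client, and log it.
record_result() {
    status="$1"; peer="$2"; iface="$3"
    printf '%s\n' "$status" > "$STATE_FILE"
    logger -t openvpn-probe "data channel $status (peer=$peer dev=$iface)"
}

# OpenVPN sets script_type (e.g. "route-up") when it invokes a script, so the
# probe only runs in that context; the functions above can be used elsewhere.
if [ -n "$script_type" ]; then
    if peer=$(pick_vpn_peer); then
        if probe_data_channel "$peer" "$dev"; then
            record_result ok "$peer" "$dev"
        else
            record_result FAILED "$peer" "$dev"
        fi
    else
        record_result unknown - "$dev"
    fi
fi
```

With the cipher mismatch from the first message, the client still reaches "Initialization Sequence Completed", but the echo requests it sends cannot be decrypted by the server, so no replies come back and the status file reads FAILED; that is the client-side signal the original question was after. Against a server that drops everything addressed to its own VPN address (the setup JJK describes next), a healthy tunnel would also show FAILED unless `PROBE_TARGET` names a host that answers, so the probe target has to match the server's policy.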
s***@keemail.me
2017-04-03 06:57:18 UTC
Hello!
This is interesting, I've never encountered a VPN where the server does not have a VPN IP address. How does one set that up? How does that even work, in terms of forwarding traffic through the tunnel?
Would someone have a link for me, about that topic?
Kind regards,
SaAtomic
Post by s***@keemail.me
Hi,
Hello!
Post by Gert Doering
Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c 1 -W 2 -I tun0 172.16.0.1), but I haven't found a reliable way to automatically identify the server's IP address yet.
The environmental variable $route_network_1 appears to be working for that only occasionally.
How could I implement "sending data and checking the response"? I'd need to get that working in an automated manner.
in theory the server does not need to have a VPN IP address - or the server could be configured to block all access to it; if I were running a VPN setup where paying customers are connecting this is exactly what I'd do - I wouldn't want a rogue customer to attack my server.
Having said that, in 99.9% of the cases the server IP will always be <subnet>.1  - which use cases are you trying to address in which this is not the case?
HTH,
JJK
Post by s***@keemail.me
Post by Gert Doering
Hi,
How can I confirm that the data channel is working correctly after "Initialization Sequence Completed" on the client?
"ping the server", like, with "unix ping"?
Send data over the data channel and see if something useful comes back.
Jan Just Keijser
2017-04-03 08:14:01 UTC
Hi,
Post by s***@keemail.me
Hello!
This is interesting, I've never encountered a VPN, where the server
does not have VPN IP address.
How does one set that up? How does that even work, in terms of
forwarding traffic through the tunnel?
Would someone have a link for me, about that topic?
an example is given in my OpenVPN Cookbook, although that example is for
a point-to-point connection. However, it could also be applied to a
client/server setup. The main idea is that the client only needs to know
which *interface* to send the packets out on, not to which router IP ;
so as long as the clients know that traffic for network X needs to go
out interface tunY then the packets should "flow". There are caveats
here, however: some OSes don't like this, especially if you want to
reroute *all* traffic over the VPN tunnel.
Apart from that, if I were running an OpenVPN server to which potential
rogue users can connect then I'd block all incoming traffic on the VPN
server - you'd be allowed to FORWARD stuff, nothing more. This is
similar to a well-protected LAN where you're not allowed to connect to
the LAN router/gateway: all that thing will do for you is forward (and
filter) traffic.
As a final note: if you're running OpenVPN in tap mode then it's not
even necessary that the VPN "router" IP is the same as that of the VPN
server itself; one could set up a VPN server and a separate router to
handle the VPN traffic. Then again, "tap" setups are quite rare these days.

HTH,

JJK
Post by s***@keemail.me
Hi,
Hello!
Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c
1 -W 2 -I tun0 172.16.0.1), but I haven't found a reliable way
to automatically identify the server's IP address yet.
The environmental variable $route_network_1 appears to be
working for that only occasionally.
How could I implement "sending data and checking the
response"? I'd need to get that working in an automated manner.
in theory the server does not need to have a VPN IP address - or
the server could be configured to block all access to it; if I
were running a VPN setup where paying customers are connecting
this is exactly what I'd do - I wouldn't want a rogue customer to
attack my server.
Having said that, in 99.9% of the cases the server IP will always
be <subnet>.1 - which use cases are you trying to address in
which this is not the case?
HTH,
JJK
Hi,
On Wed, Mar 29, 2017 at 03:27:55PM +0200,
How can I confirm that the data channel is working
correctly after "Initialization Sequence Completed" on
the client?
"ping the server", like, with "unix ping"?
Send data over the data channel and see if something
useful comes back.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
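JJK's "you'd be allowed to FORWARD stuff, nothing more" policy for a VPN server host, as an added example that is not from the thread, the OpenVPN Cookbook or the OpenVPN project. It prints an nftables ruleset in which nothing arriving on the tunnel interface may terminate on the host itself, while tunnel traffic is forwarded (and masqueraded) toward the uplink. Interface names (`tun0`, `eth0`), the OpenVPN port (UDP 1194) and the management network `192.0.2.0/24` are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: a "forward only"
# nftables policy for a VPN server host. Assumed names: tun0 is the VPN
# interface, eth0 the uplink, OpenVPN listens on UDP 1194, and SSH is only
# reachable from ADMIN_NET on the uplink side.

VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
OVPN_PORT="${OVPN_PORT:-1194}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"      # documentation range, placeholder

# Print the ruleset to stdout so it can be reviewed before it is applied.
vpn_server_ruleset() {
    cat <<EOF
flush ruleset
table inet vpnfw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # the OpenVPN daemon itself must stay reachable from the uplink
        iifname "$WAN_IF" udp dport $OVPN_PORT accept
        # administrative access only from the management network, never via the tunnel
        iifname "$WAN_IF" ip saddr $ADMIN_NET tcp dport 22 accept
        # anything a client sends to this host over the tunnel (its VPN address,
        # SSH, the management port, ICMP) is dropped; explicit, not just the policy,
        # so the intent survives later edits to the chain
        iifname "$VPN_IF" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # clients may go out through the uplink; client-to-client is not forwarded
        iifname "$VPN_IF" oifname "$WAN_IF" accept
    }
}
table ip vpnnat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Apply only when asked explicitly; the host must also forward IPv4.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    vpn_server_ruleset | nft -f -
}

case "$1" in
    --apply) apply_ruleset ;;
    "")      vpn_server_ruleset ;;
esac
```

Running the script without arguments prints the ruleset; `--apply` loads it with `nft -f -`. Note the consequence for the client-side check discussed earlier in the thread: against a server configured like this, pinging `<subnet>.1` fails even though the data channel is fine, so a client probe must target a host the forward chain actually lets it reach.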
s***@keemail.me
2017-04-03 08:47:11 UTC
Hello!

I didn't realize there's a new release, thanks for the info! I'm really tempted to order a copy now. I see you use OpenVPN 2.4 in the book, do you discuss the new tls-crypt feature in the book?
Kind regards,
SaAtomic
Post by s***@keemail.me
Hi,
Hello!
This is interesting, I've never encountered a VPN where the server does not have a VPN IP address.
How does one set that up? How does that even work, in terms of forwarding traffic through the tunnel?
Post by s***@keemail.me
Post by Gert Doering
Would someone have a link for me, about that topic?
an example is given in my OpenVPN Cookbook, although that example is for a point-to-point connection. However, it could also be applied to a client/server setup. The main idea is that the client only needs to know which *interface* to send the packets out on, not to which router IP ; so as long as the clients know that traffic for network X needs to go out interface tunY then the packets should "flow".  There are caveats here, however: some OSes don't like this, especially if you want to reroute *all* traffic over the VPN tunnel.
Apart from that, if I were running an OpenVPN server to which potential rogue users can connect then I'd block all incoming traffic on the VPN server - you'd be allowed to FORWARD stuff, nothing more. This is similar to a well-protected LAN where you're not allowed to connect to the LAN router/gateway: all that thing will do for you is forward (and filter) traffic.
As a final note: if you're running OpenVPN in tap mode then it's not even necessary that the VPN "router" IP is the same as that of the VPN server itself; one could set up a VPN server and a separate router to handle the VPN traffic. Then again, "tap" setups are quite rare these days.
HTH,
JJK
Post by s***@keemail.me
Post by s***@keemail.me
Post by Gert Doering
Hi,
Hello!
Post by Gert Doering
Yes, I could "unix ping" the tunnel's server IP (e.g. ping -c 1 -W 2 -I tun0 172.16.0.1), but I haven't found a reliable way to automatically identify the server's IP address yet.
The environmental variable $route_network_1 appears to be working for that only occasionally.
How could I implement "sending data and checking the response"? I'd need to get that working in an automated manner.
in theory the server does not need to have a VPN IP address - or the server could be configured to block all access to it; if I were running a VPN setup where paying customers are connecting this is exactly what I'd do - I wouldn't want a rogue customer to attack my server.
Having said that, in 99.9% of the cases the server IP will always be <subnet>.1  - which use cases are you trying to address in which this is not the case?
HTH,
JJK
Post by s***@keemail.me
Post by Gert Doering
Hi,
How can I confirm that the data channel is working correctly after "Initialization Sequence Completed" on the client?
"ping the server", like, with "unix ping"?
Send data over the data channel and see if something useful comes back.