Search found 105 matches

by fkienker
Yesterday, 3:04 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 9
Views: 441

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Update - testing with non-smartphone road warriors is done. After some clean up with very old setups, everything now works well. On to smartphones now. If the last road warrior checks were hard this could be worse. I've been warned that iPhones, in particular, do lots of non-standard things. With An...
by fkienker
May 17th, 2019, 4:59 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 563

Re: OpenVPN n2n / site 2 site feature broken

After being bitten by the "You can't reuse the Net2Net name" issue once again, I FINALLY remembered what causes it. In the /var/ipfire/ovpn/n2nconf directory there are one or more directories, with the SAME name as each N2N name, which contains the config file. When a N2N configuration is deleted fr...
by fkienker
May 8th, 2019, 1:54 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 9
Views: 441

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

The same cipher is in use on both systems for n2n connections:

May 8 09:40:21 xx-xxx xxxxn2n[2826]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA

I have get a testing window for the "road warriors" and will let you know.

Best regards,
Fred
by fkienker
May 8th, 2019, 1:20 am
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 9
Views: 441

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Have been testing first with a test Net-to-Net connection, and now with two "live" Net-to-Net connections. All the tests have gone well, and the reconnect times seem to have dropped slightly. Next is to test with "road warrior" connections to laptops and desktops. That goes well, next will be testin...
by fkienker
May 3rd, 2019, 2:06 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 9
Views: 441

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

You have a point about smartphones. I am going to check with those users and see how this would affect them.

Given how simple this change is, I will test it on some of our live VPN connections during off-hours and see how well it works.

Best regards,
Fred
by fkienker
May 2nd, 2019, 5:02 pm
Forum: Development
Topic: Core 131 testing - upgraded Core 130
Replies: 2
Views: 261

Re: Core 131 testing - upgraded Core 130

Saw the reinstalling idea on the forum earlier and had already tried that to fix this issue. It doesn't help. The reinstalling does fix earlier issues which were fixed after the initial release of the test version of C131. I suspect it has something to do with my hardware. I doubt very few people ru...
by fkienker
May 2nd, 2019, 2:59 pm
Forum: Development
Topic: Core 131 testing - upgraded Core 130
Replies: 2
Views: 261

Core 131 testing - upgraded Core 130

Upgraded an existing core 130 which did have the Intrusion Detection set up and working to the testing version of core 131. The upgraded system will not start the Intrusion Prevention. No error messages appear at any point. Modified the init.d Suricata script /usr/bin/suricata -c /etc/suricata/suric...
by fkienker
May 2nd, 2019, 1:42 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 9
Views: 441

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

This has a lot of potential. I'm okay with ecdh-curve. I can't speak to mbed TLS - we don't employ hardware where this is used. ARM architectures, in particular, seem to need this, however. Any modern system will have OpenSSL >= 1.0.1. OpenVPN 2.4+ is not an issue unless the client is VERY old. It s...
by fkienker
April 24th, 2019, 2:24 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 563

Re: OpenVPN n2n / site 2 site feature broken

ummeegge - there was a discussion about this issue at Core 72 with IPsec in 2013. See https://forum.ipfire.org/viewtopic.php?f=27&t=8924&start=15 For us, we saw the same issue with OpenVPN - you can't reuse the same name for the connection without issues. AFAIK it has never been fixed. We have a VPN...
by fkienker
April 24th, 2019, 2:10 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 563

Re: OpenVPN n2n / site 2 site feature broken

Under no circumstances do we wish to appear to be criticizing the IPFire developers who work very hard for our benefit. It's important for the developers to hear the experiences of the people who are actually using IPFire. This plays a large part in the future development of it. We do regularly part...
by fkienker
April 22nd, 2019, 3:10 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 563

Re: OpenVPN n2n / site 2 site feature broken

schories - we ran into this issue when we experienced the same problem you were having. The solution was to NOT reuse the same name for the OpenVPN net to net connection. This happened to us a long time ago but, if memory serves, we traced it down to a file not being deleted when the net-2-net conne...
by fkienker
March 27th, 2019, 2:35 pm
Forum: Development
Topic: PostgreSQL for IPFire
Replies: 2
Views: 256

Re: PostgreSQL for IPFire

This would be a great addition to IPFire in my opinion. I can see a number of uses for it.

Now if I could just convince the developers that dropping OpenVPN is an enormous mistake, I would be quite happy. There isn't a chance that IPSEC can pass a PCI audit.

Fred
by fkienker
September 12th, 2018, 6:33 pm
Forum: IPFire in General
Topic: Cryptographic warning & error in Core 123
Replies: 18
Views: 2344

Re: Cryptographic warning & error in Core 123

ummeegge - Odd! All of our updated systems still had the old file. Not sure if we did something wrong or if this is a known issue. I will go back and check our Core 123 test system to see what is installed there.

Best regards,
Fred
by fkienker
September 12th, 2018, 3:55 pm
Forum: IPFire in General
Topic: Cryptographic warning & error in Core 123
Replies: 18
Views: 2344

Re: Cryptographic warning & error in Core 123

ummeegge, will the updated ovpn.cnf file be included in the Core 124 update?

TIA,
Fred
by fkienker
September 5th, 2018, 2:19 am
Forum: IPFire in General
Topic: DHCP page - Hostname
Replies: 4
Views: 708

Re: DHCP page - Hostname

You will find, eventually, issues with this. In particular, IoT devices have a tendency to "behave badly". But over time, it will happen to all of the DHCP hosts. It used to be tolerable with dnsmasq, but just simply doesn't work well at all with the change to unbound. Entering the hostnames in th...