Search found 126 matches

by fkienker
May 27th, 2019, 10:44 pm
Forum: IPFire in General
Topic: Configuring firewall rules for Cloudflare DNS
Replies: 4
Views: 1071

Re: Configuring firewall rules for Cloudflare DNS

I can confirm intermittent DNS failures using cloudflare (1.1.1.1 / 1.0.0.1) DNS servers. It is happening on more than one of our IPFire systems and more than one ISP. - Switching to Google (P-8.8.8.8 / S-8.8.4.4) always fixes it. - For a while we were using P-1.1.1.1 and S-8.8.8.8 as a work-aroun...
by fkienker
May 24th, 2019, 3:04 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

I polled the three firewalls I am using for testing. FW1: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA FW2: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA FW3: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SH...
by fkienker
May 24th, 2019, 1:37 pm
Forum: IPFire in General
Topic: Fixed IP assignment under DHCP
Replies: 40
Views: 6346

Re: Fixed IP assignment under DHCP

My hat is off to you for getting it to work at all! This should probably be filed under "All's Well That Ends Well".

Thanks for all your hard work. I have a pretty good idea how hard this was to fix.

Best regards,
Fred
by fkienker
May 24th, 2019, 1:10 pm
Forum: IPFire in General
Topic: Fixed IP assignment under DHCP
Replies: 40
Views: 6346

Re: Fixed IP assignment under DHCP

I can report that your fix at least fixes the issue with converting a dynamic lease to a fixed lease and no longer deletes anything in the fixed lease table. It does leave it in update mode, which apparently is the new normal. FYI - once upon a time it was NOT this way. The entry was simply added to...
by fkienker
May 24th, 2019, 12:38 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

The N2N connections continue to work fine with the removal of the ecdh-curve line. One comment - with the removal of ecdh-curve, connections have gone from nearly instantaneous to 4 to 5 seconds at start up. I suspect without specifying the ecdh-curve to be used, it has to be negotiated which takes s...
by fkienker
May 23rd, 2019, 9:41 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

I have tried removing:
ecdh-curve secp384r1

Initial testing indicates it works as expected with N2N connections. If this holds, I will move on to testing road warrior connections with this latest change.

Best regards,
Fred
by fkienker
May 22nd, 2019, 3:04 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Update - testing with non-smartphone road warriors is done. After some clean up with very old setups, everything now works well. On to smartphones now. If the last road warrior checks were hard this could be worse. I've been warned that iPhones, in particular, do lots of non-standard things. With An...
by fkienker
May 17th, 2019, 4:59 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 2074

Re: OpenVPN n2n / site 2 site feature broken

After being bitten by the "You can't reuse the Net2Net name" issue once again, I FINALLY remembered what causes it. In the /var/ipfire/ovpn/n2nconf directory there are one or more directories, with the SAME name as each N2N name, which contains the config file. When an N2N configuration is deleted fr...
by fkienker
May 8th, 2019, 1:54 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

The same cipher is in use on both systems for n2n connections:

May 8 09:40:21 xx-xxx xxxxn2n[2826]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA

I have to get a testing window for the "road warriors" and will let you know.

Best regards,
Fred
by fkienker
May 8th, 2019, 1:20 am
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Have been testing first with a test Net-to-Net connection, and now with two "live" Net-to-Net connections. All the tests have gone well, and the reconnect times seem to have dropped slightly. Next is to test with "road warrior" connections to laptops and desktops. If that goes well, next will be testin...
by fkienker
May 3rd, 2019, 2:06 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

You have a point about smartphones. I am going to check with those users and see how this would affect them.

Given how simple this change is, I will test it on some of our live VPN connections during off-hours and see how well it works.

Best regards,
Fred
by fkienker
May 2nd, 2019, 5:02 pm
Forum: Development
Topic: Core 131 testing - upgraded Core 130
Replies: 2
Views: 693

Re: Core 131 testing - upgraded Core 130

Saw the reinstalling idea on the forum earlier and had already tried that to fix this issue. It doesn't help. The reinstalling does fix earlier issues which were fixed after the initial release of the test version of C131. I suspect it has something to do with my hardware. I doubt very few people ru...
by fkienker
May 2nd, 2019, 2:59 pm
Forum: Development
Topic: Core 131 testing - upgraded Core 130
Replies: 2
Views: 693

Core 131 testing - upgraded Core 130

Upgraded an existing core 130 which did have the Intrusion Detection set up and working to the testing version of core 131. The upgraded system will not start the Intrusion Prevention. No error messages appear at any point. Modified the init.d Suricata script /usr/bin/suricata -c /etc/suricata/suric...
by fkienker
May 2nd, 2019, 1:42 pm
Forum: Development
Topic: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?
Replies: 18
Views: 5706

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

This has a lot of potential. I'm okay with ecdh-curve. I can't speak to mbed TLS - we don't employ hardware where this is used. ARM architectures, in particular, seem to need this, however. Any modern system will have OpenSSL >= 1.0.1. OpenVPN 2.4+ is not an issue unless the client is VERY old. It s...
by fkienker
April 24th, 2019, 2:24 pm
Forum: IPFire in General
Topic: OpenVPN n2n / site 2 site feature broken
Replies: 15
Views: 2074

Re: OpenVPN n2n / site 2 site feature broken

ummeegge - there was a discussion about this issue at Core 72 with IPsec in 2013. See https://forum.ipfire.org/viewtopic.php?f=27&t=8924&start=15 For us, we saw the same issue with OpenVPN - you can't reuse the same name for the connection without issues. AFAIK it has never been fixed. We have a VPN...