OpenVPN connects but I'm still seeing my original IP
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
OpenVPN connects but I'm still seeing my original IP
Hello!
I helped myself with this tutorial (http://www.howtogeek.com/60774/connect- ... nd-tomato/) and set up OpenVPN on my Tomato router. I tried it in VMware Player and it seemed like it's working.
Today I tried it on a friend's remote located PC (on another public IP, different ISP than mine). I have copied these files I pre-made to his computer: client.key, client.crt, ca.crt and client.ovpn.
OpenVPN says it's connected (green + locked) and the remote PC shows up in my router - but the remote PC still shows the original public IP when we go check it with a browser (and yes, I have disabled WebRTC and checked it too - that's not the problem).
When OpenVPN connects it says "Assiged IP: 192.168.1.101", I think there should be my router's WAN (public) IP? But instead it's router's internal LAN IP (from DHCP pool).
Why does OpenVPN say he's connected and his remote machine shows in my router and all but when he goes and checks his IP it's still his original public IP and ISP (and not mine). What are we doing wrong?
Please help, thank you!
I helped myself with this tutorial (http://www.howtogeek.com/60774/connect- ... nd-tomato/) and set up OpenVPN on my Tomato router. I tried it in VMware Player and it seemed like it's working.
Today I tried it on a friend's remote located PC (on another public IP, different ISP than mine). I have copied these files I pre-made to his computer: client.key, client.crt, ca.crt and client.ovpn.
OpenVPN says it's connected (green + locked) and the remote PC shows up in my router - but the remote PC still shows the original public IP when we go check it with a browser (and yes, I have disabled WebRTC and checked it too - that's not the problem).
When OpenVPN connects it says "Assiged IP: 192.168.1.101", I think there should be my router's WAN (public) IP? But instead it's router's internal LAN IP (from DHCP pool).
Why does OpenVPN say he's connected and his remote machine shows in my router and all but when he goes and checks his IP it's still his original public IP and ISP (and not mine). What are we doing wrong?
Please help, thank you!
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
I have followed the above mentioned tutorial. Then I read a lot and googled and changed some settings.
Now the client.ovpn file looks like this:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
Is that alright or should I change or add some settings?
My goal is to securely connect and send all the traffic via an encrypted VPN tunnel (with the client being a laptop and the server being a home router with Tomato firmware). Am I doing it right?
Can the OpenVPN connection be tested against the attacks, leaks etc.? I want to make sure it's properly set and entirely encrypted.
Thank you.
Now the client.ovpn file looks like this:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
Is that alright or should I change or add some settings?
My goal is to securely connect and send all the traffic via an encrypted VPN tunnel (with the client being a laptop and the server being a home router with Tomato firmware). Am I doing it right?
Can the OpenVPN connection be tested against the attacks, leaks etc.? I want to make sure it's properly set and entirely encrypted.
Thank you.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
It very much depends on your server config ...bellzemos wrote:Is that alright
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
Also ..
- NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
- You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
Yes, that's right, I found about it myself when connecting from 192.168.1.0/24 to the 192.168.1.0/24 and it would't work. I changed my LAN address to 10.10.10.0/24.
Anyway, my goal is to set up a secure, encrypted VPN connection between a client (a Windows laptop connected to an unsecure public WiFi) and a server (my home router) so that I can access the internet securely throught my ISP. I want all the traffic and services to go trhough the VPN tunnel (for maximum security), I don't need access to my home LAN, just to the internet.
What I did so far:
1. I have installed and set the latest Tomato (Shibby) firmware on my router (Linksys E1200).
2. I have also installed the latest OpenVPN release in Windows and set it to always run as administrator.
3. I followed the HowToGeek.com tutorial "Connect to Your Home Network From Anywhere with OpenVPN and Tomato" and set everything up but it didn't work the way I desired and I had to make quite some changes to finally make it work properly.
4. Now my VPN connection works but some things seem off: if I put a check in the box at "Direct Clients to redirect Internet traffic" in the Tomato VPN Server setup my client can connect but can not access the internet. This is how it's set now:
Is that normal? I think I did something wrong.
5. The Tomato VPN server only has 4 entries for the keys so I can't use the server.opvn (server.conf) to fine-tune the server part of the VPN connection (and so I can't enter the push "redirect-gateway def1" to the server). I only have the "redirect-gateway def1" line in the client config file but it seems to make all the traffic go through the tunnel, as wanted. As said, Tomato only features 4 fields (CA, Server Cert., S. Key and DH):
(The pic is showing the Server 2 so that my entries aren't visible to public.)
6. There's anoter problem with Diffie Hellman feature. If I include the line "dh dh1024.pem" in the client configuration file OpenVPN won't connect. I have to delete the DH line in order to be able to connect (even though I have pasted the DH file into it's field on the Tomato VPN server). I don't know why that is so and would like to make it work properly?
7. This is how the basic part of my Tomato VPN server setup looks like, should I change something to make it more secure or is it allright for my intended use (described as my goal)? Also if I change the protocol from UDP to TCP it won't connect, is that usual?
8. I would like everything to go through the VPN tunnel, DNS as well. This is how I have it set, is that how it should be?
This is my current client config file that seems to work:
===============================================================
client
dev tun
proto udp
remote x.x.x.x 1194 # x.x.x.x represents the public IP on the server part.
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1 # Without this it won't direct everything through the tunnel.
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3
# dh dh1024.pem - As said, if I remove the hash OpenVPN won't connect.
================================================================
To reach my goal, what should I change? I will go back to point 3. and do it all over so that I learn to set it up properly, clean and efficient. What should I change in the Tomato VPN server setup? What in the client config file? And what when making the keys and certificates and other things?
Thank you!
Anyway, my goal is to set up a secure, encrypted VPN connection between a client (a Windows laptop connected to an unsecure public WiFi) and a server (my home router) so that I can access the internet securely throught my ISP. I want all the traffic and services to go trhough the VPN tunnel (for maximum security), I don't need access to my home LAN, just to the internet.
What I did so far:
1. I have installed and set the latest Tomato (Shibby) firmware on my router (Linksys E1200).
2. I have also installed the latest OpenVPN release in Windows and set it to always run as administrator.
3. I followed the HowToGeek.com tutorial "Connect to Your Home Network From Anywhere with OpenVPN and Tomato" and set everything up but it didn't work the way I desired and I had to make quite some changes to finally make it work properly.
4. Now my VPN connection works but some things seem off: if I put a check in the box at "Direct Clients to redirect Internet traffic" in the Tomato VPN Server setup my client can connect but can not access the internet. This is how it's set now:
Is that normal? I think I did something wrong.
5. The Tomato VPN server only has 4 entries for the keys so I can't use the server.opvn (server.conf) to fine-tune the server part of the VPN connection (and so I can't enter the push "redirect-gateway def1" to the server). I only have the "redirect-gateway def1" line in the client config file but it seems to make all the traffic go through the tunnel, as wanted. As said, Tomato only features 4 fields (CA, Server Cert., S. Key and DH):
(The pic is showing the Server 2 so that my entries aren't visible to public.)
6. There's anoter problem with Diffie Hellman feature. If I include the line "dh dh1024.pem" in the client configuration file OpenVPN won't connect. I have to delete the DH line in order to be able to connect (even though I have pasted the DH file into it's field on the Tomato VPN server). I don't know why that is so and would like to make it work properly?
7. This is how the basic part of my Tomato VPN server setup looks like, should I change something to make it more secure or is it allright for my intended use (described as my goal)? Also if I change the protocol from UDP to TCP it won't connect, is that usual?
8. I would like everything to go through the VPN tunnel, DNS as well. This is how I have it set, is that how it should be?
This is my current client config file that seems to work:
===============================================================
client
dev tun
proto udp
remote x.x.x.x 1194 # x.x.x.x represents the public IP on the server part.
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1 # Without this it won't direct everything through the tunnel.
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3
# dh dh1024.pem - As said, if I remove the hash OpenVPN won't connect.
================================================================
To reach my goal, what should I change? I will go back to point 3. and do it all over so that I learn to set it up properly, clean and efficient. What should I change in the Tomato VPN server setup? What in the client config file? And what when making the keys and certificates and other things?
Thank you!
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
good enough ..bellzemos wrote:I changed my LAN address to 10.10.10.0/24
Then something is wrong ..bellzemos wrote:if I put a check in the box at "Direct Clients to redirect Internet traffic" in the Tomato VPN Server setup my client can connect but can not access the internet.
Comments on image #1 (advanced):bellzemos wrote:This is how it's set now:
Image
- Direct clients to redirect internet traffic: Should be enabled
- Custom configuration: You can probably put a complete standard openvpn config file in there .. but that is advanced stuff so maybe do that when you have more experience.
Those are the correct fields and you say you have filled them with appropriate data and you can connect to the VPN .. ok.bellzemos wrote:Tomato only features 4 fields (CA, Server Cert., S. Key and DH):
Image
Comments on image #3:bellzemos wrote:Also if I change the protocol from UDP to TCP it won't connect, is that usual?
Image
- Extra HMAC authorisation (tls-auth) is strongly recommended !
If you cannot get it to work straight away keep trying.
You will have to re-export your client config file and you will see the line- tls-auth ta.key 1
- If you change the protocol from UDP to TCP you will have to change it in the client config as well .. probably by re-exporting the client config file.
Diffie-Hellman file is only configured in the server not the client.bellzemos wrote:This is my current client config file that seems to work:
===============================================================
<..>
# dh dh1024.pem - As said, if I remove the hash OpenVPN won't connect.
================================================================
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
That's the main reason of me doing it all anew, because of the "Direct Clients to redirect Internet traffic" not being checked in order for the internet connection to work. That's not how it's supposed to be. But the "redirect-gateway def1" line in the client config file still ensures that everything goes through the tunnel (even with the "Direct Clients to redirect Internet traffic" unticked), so I'm confused.
Are the other checked and unchecked settings fine (under the Advanced - pic 1) for the all-goes-through-the-tunnel mode? Encryption, compression, DNS, Push LAN and all that (I don't know what those functions do, if you'd care to explain a bit I'd appreciate it very much)?
Oh, so the Custom configuration is where I could paste the server config file? I haven't tought of that. But yes, it's probably better left alone for now as I'm new to OpenVPN.
About the Diffie-Hellman, I have pasted the contents of the dh1024.pem file into the appropriate field on the server and tought that I should include the line "dh dh1024.pem" in the client config file (I was told to do that at another forum) but if I included that line OpenVPN wouldn't connect at all. So, it should NOT be mentioned in the client config file but simply pasted in the DH field on the server and that's it?
I haven't tried setting the extra HMAC authorisation yet but I will. Could that setting impact the performance (DL and UL speeds of the client connected to the VPN server)?
If I change the UDP protocol to TCP (in the client config too) it won't connect. Only UDP works. Should I change the port number to something else, would that make it any more secure? What about VPN subnet and mask, are the default OK? Any other thing I sould change (FW mode, auth. mode)? I'm not too familiar with those settings either (and would be grateful for a short explanation too).
And everything else - is it as it should be (for my goal descirbed in the previous post)?
Thank you!
Are the other checked and unchecked settings fine (under the Advanced - pic 1) for the all-goes-through-the-tunnel mode? Encryption, compression, DNS, Push LAN and all that (I don't know what those functions do, if you'd care to explain a bit I'd appreciate it very much)?
Oh, so the Custom configuration is where I could paste the server config file? I haven't tought of that. But yes, it's probably better left alone for now as I'm new to OpenVPN.
About the Diffie-Hellman, I have pasted the contents of the dh1024.pem file into the appropriate field on the server and tought that I should include the line "dh dh1024.pem" in the client config file (I was told to do that at another forum) but if I included that line OpenVPN wouldn't connect at all. So, it should NOT be mentioned in the client config file but simply pasted in the DH field on the server and that's it?
I haven't tried setting the extra HMAC authorisation yet but I will. Could that setting impact the performance (DL and UL speeds of the client connected to the VPN server)?
If I change the UDP protocol to TCP (in the client config too) it won't connect. Only UDP works. Should I change the port number to something else, would that make it any more secure? What about VPN subnet and mask, are the default OK? Any other thing I sould change (FW mode, auth. mode)? I'm not too familiar with those settings either (and would be grateful for a short explanation too).
And everything else - is it as it should be (for my goal descirbed in the previous post)?
Thank you!
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
I am not that familiar with Tomato so you will have to learn that your self.
However, please
However, please
- client: comment out (remove) the "redirect-gateway def1" in your config file
- client: use verb 4
- router: enable the "Direct clients to redirect internet traffic" option
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
- If I remove the "redirect-gateway def1" from my client config file then the clients connects directly to the internet instead through the VPN server.
- "verb 4" simply means that I get more information from the OpenVPN client GUI than having it set to "verb 3", right?
- Enabling the "Direct clients to redirect internet traffic" option on the server side blocks my client from accessing the internet but I will try it all again and we'll see.
I'll get to it when I have some spare time and report back. Thank you for the help.
- "verb 4" simply means that I get more information from the OpenVPN client GUI than having it set to "verb 3", right?
- Enabling the "Direct clients to redirect internet traffic" option on the server side blocks my client from accessing the internet but I will try it all again and we'll see.
I'll get to it when I have some spare time and report back. Thank you for the help.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
So why should I remove the "redirect-gateway def1" from my client config file if that makes all the traffic go through the tunnel (as desired in my case)?
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
The server should --push this to your client .. if it does not then something is wrong .. the best way to test is to remove --redirect-gateway from your client and try again .. look in your logs for PUSHed options.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
OK, I have another question about the vars.bat file - I can make up the the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL values, right? The Email can be a non-existing one?
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
I think I can answer it myself - yes, you can make it all up. Right?
Anyway, thank you for all the help, very much! I have carefully read all you wrote and lots of other stuff on the OpenVPN site and some other forums too and I finally succeeded in (hopefully) setting it properly and securely this time. It seems to work properly now and I have tested it with two clients connected.
I have changed the default VPN subnet on the router/server from 10.8.0.0/24 to 10.10.69.0/24. When I run the ipconfig command on a client PC it reports machine's IP as 10.10.69.10 and the Gateway as 10.10.69.9 with a subnet mask 255.255.255.252. Why 252 instead of 0? Is it creating a virtual network for each client separately, so that they can't see each other?
---
Should I change the UDP port from 1194 to something else, would I gain any security by doing that? Is it OK that the Firewall is set to Automatic?
I was able to set the "tls-auth" too, the ta.key is inserted on the server side and the Incoming (0) is set in the settings plus a "tls-auth ta.key 1" line is in the client config. That is how it should be, for the additional security, right?
---
Should I change any of the advanced settings in the router interface? What exactly does the Push LAN to clients do? Should I leave the checks at Respond and advertise DNS, what do they do exactly?
I have also changed enc. cipher from AES-128-CBC to AES-256-CBC to increase the security. Is it OK to have Compression set at Adaptive (i have a line "comp-lzo" in the client config file)? Allow User/Pass Auth is to bypas the stronger TLS encryption and should be disabled, right?
---
I have the following files in the config folder of the client PCs: ca.crt, client.crt, client.key, client.ovpn and ta.key. Is that how it should be? Is the "ns-cert-type server" line required and set properly in the client config file?
Should I change/remove/add anything in the client config file?
---
I'm concerned with Diffie-Hellman as the dh1024.pem file was created in a second (literally) and it seems kind of short too - is it secure just the same (as if it took longer to create) or should I re-create it?
You have been a great help! Thank you!!!
Anyway, thank you for all the help, very much! I have carefully read all you wrote and lots of other stuff on the OpenVPN site and some other forums too and I finally succeeded in (hopefully) setting it properly and securely this time. It seems to work properly now and I have tested it with two clients connected.
I have changed the default VPN subnet on the router/server from 10.8.0.0/24 to 10.10.69.0/24. When I run the ipconfig command on a client PC it reports machine's IP as 10.10.69.10 and the Gateway as 10.10.69.9 with a subnet mask 255.255.255.252. Why 252 instead of 0? Is it creating a virtual network for each client separately, so that they can't see each other?
---
Should I change the UDP port from 1194 to something else, would I gain any security by doing that? Is it OK that the Firewall is set to Automatic?
I was able to set the "tls-auth" too, the ta.key is inserted on the server side and the Incoming (0) is set in the settings plus a "tls-auth ta.key 1" line is in the client config. That is how it should be, for the additional security, right?
---
Should I change any of the advanced settings in the router interface? What exactly does the Push LAN to clients do? Should I leave the checks at Respond and advertise DNS, what do they do exactly?
I have also changed enc. cipher from AES-128-CBC to AES-256-CBC to increase the security. Is it OK to have Compression set at Adaptive (i have a line "comp-lzo" in the client config file)? Allow User/Pass Auth is to bypas the stronger TLS encryption and should be disabled, right?
---
I have the following files in the config folder of the client PCs: ca.crt, client.crt, client.key, client.ovpn and ta.key. Is that how it should be? Is the "ns-cert-type server" line required and set properly in the client config file?
Should I change/remove/add anything in the client config file?
---
I'm concerned with Diffie-Hellman as the dh1024.pem file was created in a second (literally) and it seems kind of short too - is it secure just the same (as if it took longer to create) or should I re-create it?
You have been a great help! Thank you!!!
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
Indeed .. it is your private PKI .. one of mine is based on The Simpsonsbellzemos wrote:you can make it all up. Right?
No .. See --topology net30 in The Manual v23xbellzemos wrote:Why 252 instead of 0? Is it creating a virtual network for each client separately, so that they can't see each other?
FWIW I do not use standard ports (I use 1194 for special reasons) .. See https://en.wikipedia.org/wiki/Security_ ... _obscuritybellzemos wrote:Should I change the UDP port from 1194 to something else, would I gain any security by doing that?
You need to see your router manual for that.bellzemos wrote:Is it OK that the Firewall is set to Automatic?
Good .. --tls-auth is highly recommended and negates many common attack vectors.bellzemos wrote:I was able to set the "tls-auth" too
Allows your client to see your server LAN (May require additional settings full details found here: HOWTO: Expanding the scope of the VPN to include additional machines )bellzemos wrote:What exactly does the Push LAN to clients do?
To avoid DNS leaks (Covered mainly by this: HOWTO: Routing all client traffic (including web-traffic) through the VPN )bellzemos wrote:Should I leave the checks at Respond and advertise DNS,
Sure .. stronger apparentlybellzemos wrote:cipher from AES-128-CBC to AES-256-CBC to increase the security.
So long as it is the same on both ends you should be ok.bellzemos wrote:Is it OK to have Compression set at Adaptive (i have a line "comp-lzo" in the client config file)?
You can use TLS and user/pass authentication for "dual factor authentication" .. It depends how much you trust your clients .. If it is only you using the VPN and you are confident your client cert/key are safe then there is not much use in user/pass .. I rarely use it.bellzemos wrote:Allow User/Pass Auth is to bypas the stronger TLS encryption and should be disabled, right?
*Note: The preferred method for protecting the client end is to encrypt the client cert.keys with a password .. this will stop anybody else being able to use them at all (although a static file, if stolen, is vulnerable to brute force attacks .. so watch your server logs for intruder type activity)
Looks right.bellzemos wrote:client.ovpn and ta.key. Is that how it should be?
ns-cert-type is a deprecated standard which is being replaced .. See --remote-cert-tls in The Manual v23xbellzemos wrote:Is the "ns-cert-type server" line required and set properly
*Note: As I understand it, upgrading to --remote-cert-tls will require you build a new PKI using easyrsa3
You should use a minimum 2048bit DH key not 1024 ... I use 4096bit generally.bellzemos wrote:m concerned with Diffie-Hellman as the dh1024.pem file
*Note: Upgrading to 2048/4096bit will require you build a new PKI using easyrsa3
No problem .. you have clearly done a lot of the work yourselfbellzemos wrote:You have been a great help! Thank you!!!
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
So even the Country and everything else is irrelevant? OK, good to know.Traffic wrote:Indeed .. it is your private PKI .. one of mine is based on The Simpsons
OK, I've read about it and didn't really understand it but I guess it's allright for me, the way it is working now?Traffic wrote:No .. See --topology net30 in The Manual v23x
So if I would change from 1194 UDP to something else, would it be better to change to something that is known and used (like 53 UDP) or to something obscure (like 50357 UDP)?Traffic wrote:FWIW I do not use standard ports (I use 1194 for special reasons) .. See https://en.wikipedia.org/wiki/Security_ ... _obscurity
There is no router manual for Tomato really, nothihg regarding that feature. I'll leave it like this I guess.Traffic wrote:You need to see your router manual for that.
I though tha TAP was needed to be able to access the LAN anyway, so is it possible via TUN too? All I want the client to access through the router/OpenVPN server is the internet, not my LAN. So should I disable this?Traffic wrote:Allows your client to see your server LAN (May require additional settings full details found here: HOWTO: Expanding the scope of the VPN to include additional machines )
So by leaving the checks at those 2 feature I make sure that the clients use the DNS of the router/OpenVPN server? If so, I'll leave them checked as this is what I want - to have everything go through the tunnel.Traffic wrote:To avoid DNS leaks (Covered mainly by this: HOWTO: Routing all client traffic (including web-traffic) through the VPN )
On the router/server it's "Adaptive" and in the client conifg file it's "comp-lzo", so is that as it should be?Traffic wrote:So long as it is the same on both ends you should be ok.
But using is the "old way" as I am is still OK, having that line simply included in the client config is all that it takes to make it work?Traffic wrote:ns-cert-type is a deprecated standard which is being replaced .. See --remote-cert-tls in The Manual v23x
*Note: As I understand it, upgrading to --remote-cert-tls will require you build a new PKI using easyrsa3
So if I want to make a 2048 bit DH key I have to go through the whole procedure again? Can't I simply run the Create DH again? And how do I make it change from 1024 to 2048 bits?Traffic wrote:You should use a minimum 2048bit DH key not 1024 ... I use 4096bit generally.
*Note: Upgrading to 2048/4096bit will require you build a new PKI using easyrsa3
I sure did, but you helped a lot - and it's much appreciated!Traffic wrote:No problem .. you have clearly done a lot of the work yourself
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
Would you please answer my last post? I'd really appreciate it!
And I have two additional questions:
1. How secure I am using the default 1024bit DH key, does it suffice for my purposes?
2. Can you (in short) describe how a OpenVPN connection establishes? Is it first the DH and then the TLS (AES cipher), what happens first, second, third, it would be interesting to know the procedure. If it's written somewhere, please point me there.
Thank you!
And I have two additional questions:
1. How secure I am using the default 1024bit DH key, does it suffice for my purposes?
2. Can you (in short) describe how a OpenVPN connection establishes? Is it first the DH and then the TLS (AES cipher), what happens first, second, third, it would be interesting to know the procedure. If it's written somewhere, please point me there.
Thank you!
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
Please reply, thank you!
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
Pretty please?
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN connects but I'm still seeing my original IP
According to many sources, 1024bit is no longer sufficient .. so recreate your PKI with a minimum 2048bitbellzemos wrote:How secure I am using the default 1024bit
openvpn documentation security-overviewbellzemos wrote:Can you (in short) describe how a OpenVPN connection establishes? Is it first the DH and then the TLS (AES cipher), what happens first, second, third, it would be interesting to know the procedure. If it's written somewhere, please point me there.
Also, you are using Tomato firmware, which I have not used ..
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri Jul 31, 2015 1:32 am
Re: OpenVPN connects but I'm still seeing my original IP
OK, I generated a 2048bit DH key. Thank you.