Few random questions

hostizzle
OpenVpn Newbie
Posts: 12
Joined: Mon Feb 07, 2011 5:15 am

Few random questions

Post by hostizzle » Mon Feb 07, 2011 5:50 am

I am day 20 or so on a live OpenVPN installation. A few questions remain, even after reading the Packt books. Sorry if these have been asked before.

I am running a routed server on 10.8.0.1 with clients on dedicated private IPs at 10.8.0.0/24.

1. I tried checking REMOTE_ADDR on a remote website of mine and am still getting my "real" IP address. Is there any way I could be having "IP Leak?" Some users have suggested the same thing, that somehow their destination sites "know" their IP address.

I tried running a proxy server, but haven't been able to successfully add those lines to my server.conf.

2. I suspect users are using my server as an HTTP proxy and I would like to stop this. My iftop bandwidth is way higher than my netstat | grep "openvpn" bandwidth, and while some of this may be "post-VPN" traffic, I suspect some users are coming in without the VPN. I tried blocking ports, but my VPN users started to complain that their precious ports were shut off! I tried only allowing traffic through tun0 with iptables, but that killed all traffic for a while.

Which is more accurate? Even an OpenVPN port user on iftop is using less than half that bandwidth as measured by bwm-ng. I understand the programs use different data sources on the server, but which one is correct?

3. It would be nice to shape traffic by Common Name. I wish this was a feature built into the server, but I guess it takes a lot of memory and CPU to check bandwidth on every connection every few seconds.

4. I had bad luck running on UDP--the connection always seemed to drop. I get the sense you prefer UDP here--would that solve the IP leak problem above?

5. I don't understand the push route statements. This 192 subnet is not one I'm using. What is the purpose of having them in there? I keep them in for good luck.

I am working on scripts to list bandwidth by Common Name, which seems to be a common request of admins, and eventually I would like to add a "kill" switch per user in case anyone gets out of hand. The kill switch will be a bit of a kludge--you have to delete the certificates, revoke them, then kill the user with a custom "expect telnet" script. I think I can do it in Perl/CGI--it was a bear to get Perl to run a shell script, but I have done that.

Looking forward to learning more.

BTW here's my server.conf. Try not to laugh...
<redacted>
Last edited by hostizzle on Sun Feb 27, 2011 3:55 am, edited 1 time in total.
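
The per-Common-Name bandwidth listing the post says is in progress can be read straight from the file the server's `status` directive writes (version-1 format). The following is an added example, not code from this thread or from OpenVPN; the status file contents, CNs and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample of an OpenVPN version-1 status file. "alice" appears
# twice to model a duplicate-cn setup with two concurrent sessions.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Feb 14 04:50:12 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:49152,1048576,52428800,Mon Feb 14 03:10:00 2011
bob,198.51.100.7:1194,20480,40960,Mon Feb 14 04:01:00 2011
alice,203.0.113.9:50001,512000,26214400,Mon Feb 14 04:30:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:49152,Mon Feb 14 04:50:00 2011
10.8.0.10,bob,198.51.100.7:1194,Mon Feb 14 04:49:30 2011
10.8.0.14,alice,203.0.113.9:50001,Mon Feb 14 04:50:05 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(text):
    """One dict per session from the CLIENT LIST block (byte counts as ints)."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("ROUTING TABLE"):
            break  # end of the CLIENT LIST block
        if line.startswith(("OpenVPN CLIENT LIST", "Updated,", "Common Name,")):
            continue  # block title and column headers
        cn, real, rx, tx, since = line.split(",", 4)
        sessions.append({"cn": cn, "real": real, "rx": int(rx),
                         "tx": int(tx), "since": since})
    return sessions


def bandwidth_by_cn(text):
    """Sum bytes received (from client) and sent (to client) per Common Name."""
    totals = defaultdict(lambda: {"rx": 0, "tx": 0, "sessions": 0})
    for s in parse_client_list(text):
        t = totals[s["cn"]]
        t["rx"] += s["rx"]
        t["tx"] += s["tx"]
        t["sessions"] += 1
    return dict(totals)


def over_limit(text, limit_bytes):
    """Common Names whose rx+tx exceeds limit_bytes, heaviest first."""
    heavy = [(cn, t["rx"] + t["tx"]) for cn, t in bandwidth_by_cn(text).items()
             if t["rx"] + t["tx"] > limit_bytes]
    return [cn for cn, _ in sorted(heavy, key=lambda h: h[1], reverse=True)]
```

The counters are cumulative per session, so sample the file on a timer and diff successive readings to get a rate; a CN returned by `over_limit` can then be disconnected with the management interface's `kill` command instead of a scripted telnet session.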

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Few random questions

Post by gladiatr72 » Wed Feb 09, 2011 4:38 pm

1. I tried checking REMOTE_ADDR on a remote website of mine and am still getting my "real" IP address. Is there any way I could be having "IP Leak?" Some users have suggested the same thing, that somehow their destination sites "know" their IP address.
OpenVPN doesn't seep; however, browser cookies do (like week-old road kill--mm hmm). If you've got some client-side browser junk running (.NET, java, etc.) your unmasked IP might also be getting picked up that way. Someone popped into #openvpn a few weeks ago with a similar problem with phpBB. His pre-VPN address was showing up in the admin interface. Twas a cookie.

Your server configuration (which looks very standard and non-laugh-worthy) shows you using the redirect-gateway. Most examples show that directive with the "def1" extension. If your tunnel is online and working, any trace(route|rt|path) type program will show your packets transiting the tunnel before hitting the internet.

Someone else will have to address the proxy issue. I believe in them (theologically), but I have not had need of them so I know little about them.

Good luck!

Regards,
Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole

hostizzle
OpenVpn Newbie
Posts: 12
Joined: Mon Feb 07, 2011 5:15 am

Re: Few random questions

Post by hostizzle » Mon Feb 14, 2011 4:54 am

Thanks for the thoughtful reply.

I tried the experiment; it still showed up a SERVER_ADDR "naked" IP address.

Try it for yourself: http://76.10.222.65:81/cgi-bin/certone.cgi

It "knows" my IP address, OpenVPN or no OpenVPN.

PPTP does mask the address here.

Interesting.

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Few random questions

Post by gladiatr72 » Thu Mar 24, 2011 4:32 pm

Dunno. I just set up a host route for that IP address through my work VPN. The web site reflects the external IP address of the VPN server's internet-facing interface, not the external address of my local internet gateway.

-S

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Few random questions

Post by Douglas » Fri Mar 25, 2011 12:35 am

hostizzle wrote: Thanks for the thoughtful reply.

I tried the experiment, still showed up a SERVER_ADDR "naked" IP address.

Try it for yourself: http://76.10.222.65:81/cgi-bin/certone.cgi

It "knows" my IP address, OpenVPN or no OpenVPN.

PPTP does mask the address here.

Interesting.
Tried from a different PC or different browser?

If the redirection is done *right*, there isn't a way short of a local app relaying other data that would give out your real IP.
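
gladiatr72's point about redirect-gateway def1 and Douglas's "if the redirection is done right" both come down to the client's routing table: def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which outrank the provider's 0.0.0.0/0, so any destination is matched by the tunnel route unless a more specific route bypasses it. The check below is an added example, not code from the thread; it does a longest-prefix match over constructed `ip route` output (interface names, gateway addresses and the 203.0.113.1 VPN server address are assumptions).

```python
import ipaddress

# Constructed `ip route` output from a Linux client after a redirect-gateway
# def1 push: the two /1 routes via tun0 outrank the provider default on eth0.
# Addresses and interface names are assumptions, not taken from the thread.
ROUTES_WITH_DEF1 = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.1 via 192.168.1.1 dev eth0
"""

# Same client with the tunnel up but no redirect-gateway: only the tunnel's own
# routes exist, so web traffic still leaves via eth0 (the "leak" case).
ROUTES_WITHOUT_DEF1 = """\
default via 192.168.1.1 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_ip_route(text):
    """Return (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_device(routes, dst_ip):
    """Longest-prefix match: the device the kernel would send dst_ip out of."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(net, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def def1_in_place(routes, tun_dev="tun0"):
    """True when both halves of the def1 split default point at the tunnel."""
    via_tun = {str(net) for net, dev in routes if dev == tun_dev}
    return {"0.0.0.0/1", "128.0.0.0/1"} <= via_tun
```

On a real client feed it `ip route show` output and check the site you are testing against (76.10.222.65 from this thread) resolves to tun0; the VPN server's own address is expected to resolve to the physical interface, since that is the one host route def1 leaves outside the tunnel.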
