Few random questions
Posted: Mon Feb 07, 2011 5:50 am
I am day 20 or so on a live OpenVPN installation. A few questions remain, even after reading the Packt books. Sorry if these have been asked before.
I am running a routed server on 10.8.0.1 with clients on dedicated private IPs at 10.8.0.0/24
1. I tried checking REMOTE_ADDR on a remote website of mine and am still getting my "real" IP address. Is there any way I could be having an "IP leak"? Some users have suggested the same thing, that somehow their destination sites "know" their IP address.
I tried running a proxy server, but haven't been able to successfully add those lines to my server.conf.
2. I suspect users are using my server as an HTTP proxy and I would like to stop this. My iftop bandwidth is way higher than my netstat | grep "openvpn" bandwidth, and while some of this may be "post-VPN" traffic, I suspect some users are coming in without the VPN. I tried blocking ports, but my VPN users started to complain that their precious ports were shut off! I tried only allowing traffic through tun0 with iptables, but that killed all traffic for a while.
Which is more accurate? Even an OpenVPN port user on iftop is using less than half that bandwidth as measured by bwm-ng. I understand the programs use different data sources on the server, but which one is correct?
3. It would be nice to shape traffic by Common Name. I wish this was a feature built into the server, but I guess it takes a lot of memory and CPU to check bandwidth on every connection every few seconds.
4. I had bad luck running on UDP--the connection always seemed to drop. I get the sense you prefer UDP here--would that solve the IP leak problem above?
5. I don't understand the push route statements. This 192 subnet is not one I'm using. What is the purpose of having them in there? I keep them in for good luck.
I am working on scripts to list bandwidth by Common Name, which seems to be a common request of admins, and eventually I would like to add a "kill" switch per user in case anyone gets out of hand. The kill switch will be a bit of a kludge--you have to delete the certificates, revoke them, then kill the user with a custom "expect telnet" script. I think I can do it in Perl/CGI--it was a bear to get Perl to run a shell script, but I have done that.
Looking forward to learning more.
BTW, here's my server.conf. Try not to laugh...
<redacted>
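For question 2 (stopping the server from being used as an open HTTP proxy by people who never build a tunnel), the rule set below is an added example and not from the post or from OpenVPN itself. It only exposes SSH and the OpenVPN listener on the public interface, forwards Internet-bound packets solely when they entered through tun0, and masquerades the 10.8.0.0/24 clients. The two ACCEPT lines for ESTABLISHED traffic and for the VPN port are the ones usually missing when "allow only tun0" kills everything: without them the tunnel itself can never be set up. Interface and port values (eth0, 22, 1194, tcp) are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not the poster's or OpenVPN's code): firewall that leaves only the
# OpenVPN listener and SSH reachable from the Internet and forwards only tunnel traffic.
# Assumed defaults; override via the environment, e.g. PUB_IF=eth1 VPN_PROTO=udp.
PUB_IF=${PUB_IF:-eth0}          # Internet-facing interface (assumption)
VPN_IF=${VPN_IF:-tun0}          # OpenVPN tun device
VPN_NET=${VPN_NET:-10.8.0.0/24} # client subnet from the post
VPN_PORT=${VPN_PORT:-1194}      # OpenVPN listening port (assumption)
VPN_PROTO=${VPN_PROTO:-tcp}     # the post runs TCP; set udp if you switch
SSH_PORT=${SSH_PORT:-22}        # keep a way in before dropping everything else

# With DRY_RUN=1 the rules are printed instead of applied, so they can be reviewed first.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
  # Start from a clean slate with deny-by-default inbound and forwarding policies
  ipt -F
  ipt -t nat -F
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Loopback, and replies for connections the server already accepted or initiated
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # The only two services reachable from the Internet: SSH and the OpenVPN listener.
  # Without the second rule clients cannot build the tunnel at all.
  ipt -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
  ipt -A INPUT -i "$PUB_IF" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT

  # Inside the tunnel the server itself may be reached (DNS, management, ...)
  ipt -A INPUT -i "$VPN_IF" -j ACCEPT

  # Forward only packets that arrived through the tunnel, plus their return traffic;
  # anything hitting the public interface directly is never forwarded.
  ipt -A FORWARD -i "$VPN_IF" -o "$PUB_IF" -s "$VPN_NET" -j ACCEPT
  ipt -A FORWARD -i "$PUB_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Hide the clients' private addresses behind the server's public address
  ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$PUB_IF" -j MASQUERADE
}

# Number of rules the set would emit; handy for a quick sanity check of a review run
rule_count() { ( DRY_RUN=1; firewall_rules ) | wc -l | tr -d ' '; }

case "${1:-}" in
  show)  DRY_RUN=1; firewall_rules ;;   # print the rules
  apply) firewall_rules ;;              # apply them (run as root)
esac
```

Run it as `sh firewall.sh show` first and compare with the current `iptables -L -v -n` counters; `sysctl -w net.ipv4.ip_forward=1` is still needed for the FORWARD chain to matter. Once only the VPN port is reachable from outside, the gap between iftop on eth0 and the OpenVPN socket traffic should shrink to the NAT'd client traffic, which is the legitimate "post-VPN" share.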
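For question 3 and the per-Common-Name bandwidth scripts mentioned at the end of the post, the script below is an added example (not the poster's code): it reads the file written by the `status` directive in its default version 1 layout and sums bytes received and sent per Common Name, which is cheap because OpenVPN already keeps those counters. The status file path and the client names in the constructed sample are assumptions; the sample mirrors the layout OpenVPN writes but is not a real capture. The same name appearing twice (possible with `duplicate-cn`) is summed rather than overwritten.

```shell
#!/bin/sh
# Added example (not from the original post): per-Common-Name byte totals from the
# OpenVPN status file. Assumed server.conf line:  status /var/log/openvpn-status.log

bandwidth_by_cn() {
  # $1 = status file. Prints one line per Common Name: <cn> <bytes received> <bytes sent>
  awk -F, '
    /^Common Name,Real Address,Bytes Received,Bytes Sent/ { in_clients = 1; next }
    /^ROUTING TABLE/                                       { in_clients = 0 }
    in_clients && NF >= 5 { recv[$1] += $3; sent[$1] += $4 }
    END { for (cn in recv) printf "%s %d %d\n", cn, recv[cn], sent[cn] }
  ' "$1" | sort
}

# Common Name with the largest received+sent total: a first look before deciding to act
top_talker() {
  bandwidth_by_cn "$1" | awk '{ t = $2 + $3; if (t > max) { max = t; cn = $1 } } END { print cn }'
}

# Constructed sample in the version 1 status layout (not a real capture)
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS"' EXIT
cat > "$SAMPLE_STATUS" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Feb  7 05:50:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.10:51234,1000,2000,Mon Feb  7 04:00:00 2011
bob,203.0.113.7:40001,500000,9000000,Mon Feb  7 04:30:00 2011
alice,198.51.100.11:51300,100,200,Mon Feb  7 05:40:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,198.51.100.10:51234,Mon Feb  7 05:49:00 2011
10.8.0.10,bob,203.0.113.7:40001,Mon Feb  7 05:49:30 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Replace $SAMPLE_STATUS with the real path when running this on the server
bandwidth_by_cn "$SAMPLE_STATUS"
echo "top talker: $(top_talker "$SAMPLE_STATUS")"
```

The counters are per session, so they reset when a client reconnects; a cron job that samples the file every few minutes has to treat a value smaller than the previous sample as a new session and add rather than subtract. For the kill switch, OpenVPN's management interface (`management` directive) accepts a `kill <common-name>` command, which does the job the "expect telnet" script was written for, and `crl-verify` makes the server reject the revoked certificate on the next connection attempt.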