New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I'm using Viscosity too.
Run
netstat -nrwhile connected to check if the routes are there.If so, the issue is most likely server-side. Can you ping the server from the client?
I can ping the gateway (10.8.0.1) & main server IP without any issues, just nothing else.
dear all ,
thank a lor for your help i got to use openvpn over shadowsocks.
Now i have internet working but i have a some error mesage before connected and after.
During the connection i have this error
tls_error bio read tls_read_plaintext error:error 1408f10b:SSL routines:SSL3_get_record:wrong version number.
then after a while connected to the VPN over shadowsocks i have the message
Authenticate/Decrypt packet error:packet HMAC authentication failed
then after when i go to a website i have the hundred of message like this
Authenticate/Decrypt packet error: bad packet ID (may be a replay):[#226]-see the man page entry for no-replay and replay-window.
Fo your information without the shadowsock input in the client file i don't get any message error like above.
Any suggestion?
I was also using viscosity and have same problem. Still don't know why.
Using Tunnelblick now and it just works
That's weird. Maybe worth posting in the Viscosity forums so the author can take a look.
Checl the dates on,your vos and pc.
Check the certs if their are the same
@Nyr So I fixed it by enabling NAT for the 10.8.0.0/24 via IPTables. Everything was connecting properly, routes were fine, just not getting out to the net once it hit the VPS.
Weird, the rules should had been enabled during setup.
Select one client [1-2]: 2
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 04.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
mv: cannot stat ‘/etc/openvpn/easy-rsa/pki/crl.pem.b5XC75CUWJ’: No such file or directory
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
1936
Certificate for client kupi revoked
In user remove "mv: cannot stat ‘/etc/openvpn/easy-rsa/pki/crl.pem.b5XC75CUWJ’: No such file or directory"
@miklos easy-rsa issue, nothing to do with my script. It still works anyway.
oh Thanks!
** never mind, solved **
*** windows changed its mind and started to work ***
Got an issue on a fresh windows 2008 r2 and kidechire debian 8 install.
Windows gets tls errors.
Log: http://pastebin.com/raw.php?i=g4XJYKTj
I'll see if I find something useful on google with:
windows server 2008 openvpn SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Will a server with 128MB ram suffice to run OpenVPN?
Yes (if you don't have too many clients connecting at the same time of course!) but make sure that you can use tun/tap and nat (if KVM/XEN no problem but if openvz, must be enabled on the node)
@Nyr Can you make one for ShadowSocks too?
Even 32 MB are enough for a single user and OpenVZ
There are ShadowSocks servers so easy to install that I don't think it's really needed...
2 minutes max simple installation of openvpn AS: http://my.cheapdomainnamesdot.com/knowledgebase.php?action=displayarticle&id=59
wget https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks.sh --no-check-certificate && chmod +x shadowsocks.sh && ./shadowsocks.sh
Okay, so? Nothing to do with my script and a commercial product.
Curious why you didn't choose to have the openvpn process go to nobody/nogroup once started? Wouldn't that be more secure?
Yes, but it does have certain important limitations (which honestly I don't completely remember out of memory).
I think it's problematic if you use fixed ip for your clients (to be able to forward port to them) but in your default config it should work out of the box (and people needing other features might still be able to comment those two lignes in their config file as they'll have to tweek their config anyway).
Anyway, thanks for that great script & your nice contributions
@2bb3
In Centos its 'group nobody'
In Debian its 'group nogroup'
the problem is, if you get this mixed up, if you specify a non-existing user or group then the server won't start, and you get no clue why. I've been there.
I love it. I use this script on all my servers.
You're right, but the script has to know what you use as it will need to know if it does an apt-get or use yum.. could do the same for the config, isn't it?
Yeah, that's not a problem.
@Nyr i just not see before btw i upgrade to CentOs 7.2 and when im in vpn i cant connect to imap pop3 and smtp its normal btw? with webmail works only with thunderbird not
Nothing to do with the script.
Noob question Nyr, but if I were to connect all my servers to a central openvpn server then in theory they could transfer files over 10.0.0.0/8 on the encypted tunnel openvpn creates?
i mean as long as they stay on the same /24.. I dont have 300 servers.