Comments
I had a script I've been using for years -- manually modifying each item per server... Thought I'd give this one a spin, wow, this is really nicely put together! Thanks!
Really just personal and the 128 CBC can be decrypted over time.
I'd also like to suggest a high speed mode, possibly for those who use your script for basic masq, where you set the encoding to the lowest possible and auth to save CPU/transport on both ends, and also disable compression with this option.
Meh
I may as well just fork you on github
That's... theoretically possible, but very optimistic.
If a change on the cipher has to be made, it should be to AES 128 CBC, but then users would complain too and request AES 256 CBC, which is even slower.
Fact is, performance is a bigger problem at this time than users fighting very capable nation states or something like that. That's why OpenVPN is still using Blowfish by default, and I think it's a sensible decision to respect it for the time being. You already struggle to max a 100 Mbps port with the actual defaults on many VPSes; I don't want to make it worse.
I suppose you are talking about disabling encryption completely, which is possible, but this script was created as a road warrior installer so that functionality will not be added, feel free to fork if you want. Anyway, performance of the TUN adapter is going to hurt. OpenVPN is not the best option for very high speed links.
I'm getting the following (I have a PPTP VPN also on the same VPS):
Tue Feb 24 17:45:29 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Feb 24 17:45:31 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Feb 24 17:45:36 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Feb 24 17:45:43 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Feb 24 17:46:00 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
@inthecloudblog do you have a firewall or are on a very restrictive network?
That log is showing a connectivity problem, nothing to do with the script.
Best script ever
I have fail2ban on the server. Might that have something to do with it? Thanks for the prompt reply!
Not likely, it must be something else. You could try switching to TCP on both the client and the server configurations, but that's not a good fix.
I've rented a Bandwagon box and with the same setup it works flawlessly.
Thanks
Hi Nyr !!
Great script!!! Congrats!! But I'm having a problem. I have a VPS with Debian 7 32-bit and installed your wonderful script, configured my Asus RT-N18U router as the client and the connection succeeds: I can ping 10.8.0.1 and connect to the VPS via SSH and SFTP. I noticed that some programs on my PC such as uTorrent can connect to peers over the internet, and Skype and TeamViewer get a connection to the internet (logged on), but I intended to use OpenVPN for secure web browsing and can't browse any webpage. I read a lot of tutorials and made over five reinstallations with a lot of experiments and tests, with no success... I have to admit that I'm a noob with OpenVPN and Linux. Can you give me some advice to resolve that issue???
My best regards
Xichas
@xichas sorry, this seems like a client side problem. Check that you don't have a proxy configured in your web browser.
ok my friend
I will try to check that, or test the client configuration directly in my pc. Thanks for your rapid response.
Regards
I tried this script on a Hudson Valley Host VPS (OpenVZ) running Debian 7. It seems to install OK and the OpenVPN server boots up without issues. But when I try to connect, I'm getting only this in the client's log:
Tue Mar 10 10:00:24 2015 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 2 2014
Tue Mar 10 10:00:24 2015 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05
Tue Mar 10 10:00:24 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 10 10:00:24 2015 UDPv4 link local: [undef]
Tue Mar 10 10:00:24 2015 UDPv4 link remote: [AF_INET] xxx.xxx.xxx.130:443
Firewall issue? I'm used to doing things in CentOS not Debian. Is there something that I'm missing that Debian 7 needs extra for the firewall beyond the script?
@geodirk looks like the connection doesn't even start. Check that you aren't on a restrictive network, and that your server is listening on port 443 UDP, if that's what you are using.
@Nyr So I blew away the VPS and reinstalled Debian 7 and reran the script. After installation, I'm getting this in my firewall:
Doing a '#service openvpn status' returns:
[ ok ] VPN 'server' is running.
And my openvpn config is simply this:
Running #netstat --tcp --udp --listening --program
I don't believe that I'm on a restrictive network with Hudson Valley Host. But I'm getting the same client error message on the client as before...
Looking at the netstat dump... shouldn't openvpn be set to "LISTEN" like all the others? Maybe that is the problem?
@geodirk check the 443 UDP port on the server from your client; most likely it is not connectable.
No, since it is UDP.
Again, the problem is either a firewall or any other kind of connectivity problem between both networks.
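The exchange above turns on a detail that trips up many admins: UDP sockets have no connection state, so netstat only prints LISTEN for TCP and a bound UDP listener shows an empty State column. The helper below is an added example, not part of the thread or of Nyr's script. It takes netstat/ss output (a constructed sample is embedded; the live path assumes `ss -lun` or `netstat -lun` is available) and reports whether any UDP socket is bound to a given port, so "no LISTEN on the openvpn line" can be ruled out before looking at the firewall.

```sh
#!/bin/sh
# Constructed sample of `netstat --udp --tcp --listening --numeric --program`
# output (not the poster's real dump). Note the UDP lines have no State value:
# that is normal, UDP has no listening/established state machine.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
udp        0      0 0.0.0.0:443             0.0.0.0:*                           987/openvpn
udp        0      0 127.0.0.1:53            0.0.0.0:*                           300/dnsmasq'

# udp_port_bound PORT [TEXT]
# Returns 0 when a UDP socket in TEXT is bound to PORT on any address, 1 otherwise.
# TEXT defaults to live `ss -lun` output (falls back to `netstat -lun`); both
# tools put the local address in the 4th column, so one awk rule covers them.
udp_port_bound() {
    port=$1
    text=${2:-"$(ss -lun 2>/dev/null || netstat -lun 2>/dev/null)"}
    printf '%s\n' "$text" | awk -v p="$port" '
        # netstat rows start with udp/udp6; ss -lun rows start with UNCONN
        $1 ~ /^udp/ || $1 == "UNCONN" {
            n = split($4, parts, ":")          # last field after ":" is the port,
            if (parts[n] == p) { found = 1; exit }   # works for 0.0.0.0:443, [::]:443, *:443
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone usage: check the sample, then the live socket table if present.
if udp_port_bound 443 "$SAMPLE_NETSTAT"; then
    echo "sample: a UDP socket is bound to 443 (no LISTEN expected for UDP)"
fi
if udp_port_bound 443; then
    echo "live: openvpn-style UDP 443 listener present on this host"
else
    echo "live: nothing bound to UDP 443 here, or no ss/netstat available"
fi
```

If the server side is bound, the remaining suspects are exactly what Nyr names: a host firewall (check the INPUT chain for a UDP 443 accept rule) or filtering between the two networks. A plain TCP connect test against the port proves nothing for UDP, which is why the client log shows no response rather than a refusal.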
thanks for sharing...
For some reason I can connect to the VPN, but I can't navigate... (CentOS, with SELinux disabled, and the UDP port is open on server and client)
Any suggestion?
@Nyr
Can you make an IPsec/L2TP automated installer for OpenVZ?
I found this for KVM and XEN.
https://gist.github.com/hwdsl2/9030462
Nah, plenty of problems, plus many (most?) providers don't support it. Also it would only work on the node's architecture if I remember correctly, so no 32-bit support.
I would rather write something for SoftEther instead, which AFAIK emulates it, but I don't really have the motivation right now. Maybe in the future.
Sure, please do Softether NAT IPv4 using Local Bridge?
If you can make an automated installer for it, you will save me 30 minutes every time I rebuild my VPS.
Yeah, well, to do it properly like with the OpenVPN script takes a lot of time, it's not just some quick commands to install and then hardcode a configuration and hope for the best like other people do.
Between writing, improving, reading documentation, testing and giving support to the users, I probably invested more than 50 hours on my OpenVPN script easily. I am happy because it has been useful to many people at the end, but as said, I don't currently have the motivation to do the same for SoftEther (since I don't use it).
I have a script that does just that. It's not perfect and really just something I use for my personal use.
https://github.com/eunas/essentials
Since the NSA (and GCHQ) can crack 1028-bit RSA encryption on public levels in 30 to 40 minutes, some VPN providers at least have beefed up their key encryption to 2048 bits, or even up to 4096 bits and beyond.
Guess the tin foil hat never gets old, just amplifies the scanner.
Great script, thank you Nyr.
first try, working fine thanks
Just a quick bump to let you guys know I pushed a big upgrade and half of the script has been rewritten.
It includes support for the new easy-rsa 3, unified and proper configuration files across distributions, some security upgrades like remote-cert-tls, support for firewalls, proper subnets and some other good stuff.
All the changes have been extensively tested and I hope they are working everywhere as they should, but please report any bug you can find.
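Of the upgrades listed, remote-cert-tls is the one with a concrete threat behind it: without `remote-cert-tls server`, a client verifies only that the peer's certificate chains to the CA, so any holder of a valid client certificate from the same CA could answer as the server; with it, the client also requires the server key-usage extensions on the peer certificate. The following checker is an added example, not code from the thread or from the script, that scans a client config for that directive, for a tls-auth/tls-crypt control-channel HMAC, and for an explicit cipher line (no cipher line meant the Blowfish default the thread discusses). The two configs it scans are constructed for this example and are not files the script produces.

```sh
#!/bin/sh
# Two constructed client configs: one lacking the hardening directives, one with them.
# vpn.example.invalid and the static key body are placeholders, not real values.
OLD_CLIENT='client
dev tun
proto udp
remote vpn.example.invalid 443
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3'

NEW_CLIENT='client
dev tun
proto udp
remote vpn.example.invalid 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
key-direction 1
comp-lzo
verb 3
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00
-----END OpenVPN Static key V1-----
</tls-auth>'

# has_directive TEXT NAME [VALUE]
# Returns 0 if an uncommented line "NAME VALUE ..." exists (VALUE optional).
# Lines starting with "#" or ";" never match because their first field differs.
has_directive() {
    printf '%s\n' "$1" | awk -v n="$2" -v v="$3" '
        $1 == n && (v == "" || $2 == v) { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# missing_hardening TEXT
# Prints, space-separated, the checks the client config fails:
#   remote-cert-tls  server certificate not required to carry server key usage
#   tls-auth         no tls-auth/tls-crypt key, control channel accepts unsigned packets
#   cipher           no explicit cipher, the pre-2.4 default (BF-CBC) applies
missing_hardening() {
    cfg=$1
    out=""
    has_directive "$cfg" remote-cert-tls server || out="$out remote-cert-tls"
    if ! has_directive "$cfg" tls-auth && ! has_directive "$cfg" tls-crypt \
        && ! printf '%s\n' "$cfg" | grep -qE '^<(tls-auth|tls-crypt)>'; then
        out="$out tls-auth"
    fi
    has_directive "$cfg" cipher || out="$out cipher"
    echo "${out# }"
}

# Stand-alone usage against the two constructed configs.
echo "old client config is missing: $(missing_hardening "$OLD_CLIENT")"
echo "new client config is missing: '$(missing_hardening "$NEW_CLIENT")'"
```

Run it against a real .ovpn with `missing_hardening "$(cat client.ovpn)"`. The cipher check is informational: the thread's author deliberately keeps the Blowfish default for throughput, and the check only makes that choice visible rather than overriding it.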
Thanks Nyr, I'll test this on a VM and see if it works. I've become interested in VPNs lately and this looks good for non-tech bitches.
@Nyr is it possible to upgrade from a previous installation of your script?