Hi all, thanks for your help!

I originally had a basic connection over NAT that worked. I then moved to basic proxy setup as Daniel posted (thanks!) which confirmed I wasn't too far off track. Then I moved to using port 443 and authorization text file as in Palic's post, except I was missing the persist tun, float and I was using ping 10 instead of 3 (I'll try those next, thanks Palic!)

I checked into load balancing and it looks like the org only has one ISA server. I use port 443 because the ISA won't allow ssl over port 80.

However, I noticed Palic's client config --remote uses the DNS name of the server. I was using the IP address of my server because the DNS name is not yet registered.... (could this be a problem?) -- In addition I have to use remote https://x.x.x.x with x being the IP address of my router that port forwards to my internal Microsoft XP internal OpenVPN server, (the client being XP as well). It seems I have to use the https:// or the org's proxy server seems to reject the connection attempt.

I also differed in using the internal IP address of our proxy server and not the DNS name, its name does not seem to resolve from the internet either (though it does resolve internally so I could use it).

Finally, with all that in place, the client seems to get the OK from the ISA server, and the connection attempt continues - but is never "initiated" and I immediately get the SIGUSR1 soft reset message and no further messages as to why the signal was received. I did set verb 10 and mute 1 but did not get any more info... (using 2.0 beta 7)

So I'm going to re-install to the latest version and start with Palic's config first. But I wonder if not using DNS names, the https:// weirdness, or the fact of using "dev tun" - when the default device installed on windows is labeled tap-win32 adapter. (or should it be dev tun0 on XP too?) I still plan to try the float option anyway...

Thanks for all your help!
Ray

########################################################
ORIGINAL THREAD MESSAGES:
########################################################

Date: Thu, 05 Aug 2004 09:36:35 +0200
From: "Daniel Rosenberg"
Subject: Re: [Openvpn-users] Http-Proxy Example

Hi,

you could try this:

On the server:

    proto tcp-server
    dev tun
    tun-mtu 1500
    ifconfig 10.0.0.1 10.0.0.2
    secret key.txt
    port 5000

On the client:

    proto tcp-client
    http-proxy [name of the proxyserver] [port of the proxyserver] [textfile with login data, username and password in two lines, if necessary]
    remote [the server's address]
    dev tun
    tun-mtu 1500
    ifconfig 10.0.0.2 10.0.0.1
    secret key.txt
    port 5000

Daniel

From: "Palic, Darko"
Subject: RE: [Openvpn-users] Http-Proxy Example
Date: Thu, 5 Aug 2004 09:39:56 +0200

Hello Ray,

RTFM ;-)

But here is my configuration for a single host, there my proxy only allows ssl-connect to 443!

Client:

    openvpn --remote lansin.dyndns.org --dev tun0 \
        --ifconfig 192.168.2.1 192.168.2.2 --verb 3 \
        --proto tcp-client --port 443 --http-proxy-retry \
        --http-proxy proxy.dnsentry proxy.port --link-mtu 1500 \
        --secret /etc/openvpn/static.key --ping 3 --ping-restart 120 \
        --float --comp-lzo --route 192.168.1.0 255.255.255.0 192.168.2.2

I have to use a very short ping interval, because our proxy kills connections if idle :-(
Additionally I use the float, because the proxy is load balanced and my server is a usual dial-in account with changing IPs.

Server:

    openvpn --dev tun0 --ifconfig 192.168.2.2 192.168.2.1 --verb 3 \
        --proto tcp-server --port 443 --secret /etc/openvpn/static.key \
        --link-mtu 1500 --ping 3 --ping-restart 120 --float --comp-lzo \
        --route 192.168.2.0 255.255.255.0 192.168.2.1 --persist-tun

This configuration only works for a 1:1 connection (1 client 1 server). If you need 1 server and many clients, you must configure a TLS in openvpn using the --mode server!

@maintainer: Maybe this is an example for a proxy configuration in the HowTo or man.8?
If so I could write a little more for the manpage or howto.

Best regards

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
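
The following is an added example, not code from any of the posters or from the OpenVPN project: a small config check for the client-side points raised in this thread, based on the documented directive syntax (`remote` takes a host name or IP address, `http-proxy` requires `proto tcp-client`, `persist-tun` keeps the tun device open across `ping-restart` restarts). The function names and both sample configs are constructed for illustration, and the addresses are placeholders.

```python
import shlex

def parse_config(text):
    """Parse OpenVPN config-file text into {directive: [args]} (first occurrence wins)."""
    opts = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):         # ';' comment line
            continue
        parts = shlex.split(raw, comments=True)  # also strips '#' comments
        if parts:
            opts.setdefault(parts[0].lstrip("-"), parts[1:])
    return opts

def lint_proxy_client(text):
    """Return warnings for a client config that connects through an HTTP proxy."""
    opts = parse_config(text)
    warnings = []
    remote = opts.get("remote", [""])[0]
    if "://" in remote:
        warnings.append("remote: expects a host name or IP address, not a URL")
    if "http-proxy" in opts:
        if opts.get("proto", ["udp"])[0] != "tcp-client":
            warnings.append("proto: http-proxy only works with proto tcp-client")
        if len(opts["http-proxy"]) < 2:
            warnings.append("http-proxy: needs proxy host and proxy port")
        if "ping" not in opts:
            warnings.append("ping: no keepalive, an idle tunnel may be dropped by the proxy")
    if "ping-restart" in opts and "persist-tun" not in opts:
        warnings.append("persist-tun: missing, each ping-restart (SIGUSR1) reopens the tun device")
    return warnings

# Constructed sample modelled on the first message (placeholder addresses).
AS_DESCRIBED = """\
proto tcp-client
remote https://192.0.2.10
port 443
http-proxy 10.1.1.5 8080 auth.txt
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret key.txt
ping 10
ping-restart 120
"""
# Same sample with the remote written as a bare address and persist-tun/float added.
ADJUSTED = AS_DESCRIBED.replace("https://", "") + "persist-tun\nfloat\n"

if __name__ == "__main__":
    for name, cfg in (("as described", AS_DESCRIBED), ("adjusted", ADJUSTED)):
        print(name, "->", lint_proxy_client(cfg) or "no warnings")
```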