From: Odhiambo Washington
Date: Tue, 19 Jul 2016 11:59:36 +0300
Subject: Re: OpenVPN with xp & win7 clients
To: Ernie Luzar
Cc: questions
In-Reply-To: <578D41BA.5070705@gmail.com>

Howtos can be outdated. No one is paid to maintain them.

About the prompt for the "Enter Private key password", please review how you generated your certificates. Did you assign a passphrase? You don't need to!

On 18 July 2016 at 23:53, Ernie Luzar wrote:

> Odhiambo Washington wrote:
>
>> On 17 July 2016 at 23:18, Ernie Luzar <luzar722@gmail.com> wrote:
>>
>>     Odhiambo Washington wrote:
>>
>>         On 17 July 2016 at 18:58, Ernie Luzar wrote:
>>
>>             Hello List;
>>
>>             I travel outside of my home country a lot and can not access
>>             some web site content because internet connection is from
>>             foreign ip address range.
>>
>>             I see many how-tos for installing and configuring VPN on a
>>             FreeBSD host. But almost all of these how-tos assume the
>>             client will be a FreeBSD box also. In my case I have 2 laptops
>>             I travel with, win xp & win7. The official OpenVPN website
>>             does offer clients for xp & win7 but configuration info is
>>             not available.
>>
>>             Looking for how-to to setup VPN client on xp & win7.
>>
>>         For Windows client, use the following:
>>
>>         http://download.securepoint.de/?d=Securepoint%20SSL%20VPN%20Client/v1.0.3
>>
>>             The FreeBSD handbook has section on IPsec/VPN, but again it
>>             assumes server and client is a FreeBSD host. Looking for
>>             how-to on setting up IPsec/VPN on xp & win7.
>>
>>         For setting up the server, use the following: Use this link:
>>
>>         http://linoxide.com/linux-how-to/install-configure-openvpn-freebsd-10-2/
>>
>>             I have 2 concerns. How much hesitation will VPN inject into
>>             watching tv programs or movies on my laptops in a foreign
>>             country? Will IPsec/VPN inject longer hesitations?
>>
>>         I cannot tell about the latencies (I guess that is what you call
>>         hesitation :-)) because I haven't tried it.
>>
>>             Can I use the remote VPN client to start the show streaming
>>             and then have the VPN host record the program? Later
>>             downloading the program file to my laptop for viewing?
>>
>>         That is beyond the scope of FreeBSD questions I guess :-)
>>         But maybe someone has done it and will give you their story.
>>
>>     " For setting up the server, use the following: Use this link:
>>
>>     http://linoxide.com/linux-how-to/install-configure-openvpn-freebsd-10-2/"
>>
>>     That link content is outdated. The openvpn port/pkg does not
>>     include the easy-rsa scripts build-ca, build-key-server, build-key,
>>     build-dh that are described in that how-to. The certificates are
>>     the backbone of security for VPN and without correct documentation
>>     that how-to is useless. To make things even worse, the easy-rsa port
>>     is lacking a manual page.
>>
>> That link is very comprehensive, but also if you applied a little common
>> sense, you'd realize that you can install easy-rsa either using the pkg or
>> ports. That's what I did and things work so well.
>>
>> root@waridi:/usr/local/etc/fail2ban # locate easy-rsa
>> /usr/ports/security/easy-rsa
>> /usr/ports/security/easy-rsa/Makefile
>> /usr/ports/security/easy-rsa/distinfo
>> /usr/ports/security/easy-rsa/files
>> /usr/ports/security/easy-rsa/files/easyrsa.in
>> /usr/ports/security/easy-rsa/pkg-descr
>> /usr/ports/security/easy-rsa/pkg-plist
>> /usr/ports/security/easy-rsa2
>> /usr/ports/security/easy-rsa2/Makefile
>> /usr/ports/security/easy-rsa2/distinfo
>> /usr/ports/security/easy-rsa2/pkg-descr
>> /usr/ports/security/easy-rsa2/pkg-plist
>> root@waridi:/usr/local/etc/fail2ban # pkg search -x easy-rsa
>> easy-rsa-3.0.1_1    Small RSA key management package based on openssl
>> easy-rsa2-2.2.2     Small RSA key management package based on openssl
>> root@waridi:/usr/local/etc/fail2ban #
>>
>> I used that link and it works wonders. I have users roaming everywhere.
>> All I have to do is generate client certs for them, download it to their
>> PCs, install the VPN client, configure it (change tun to tap, enable lzo,
>> disable prompting for username/password) and voila!
>>
>> Well, just search around for other HOWTOs.
>
> Thanks for the details. I see the problem now. That how-to is based on
> easy-rsa2-2.2.2 which was installed as part of an older version of the
> openvpn port. The current version of openvpn port installs easy-rsa-3.0.1_1
> which is way different than easy-rsa2-2.2.2 which makes that openvpn
> install how-to outdated.
>
> Another difference is the version of openvpn installed by the current
> openvpn port is different than the openvpn version installed with the
> easy-rsa2-2.2.2 version of the port.
>
> Openvpn-2.3.11 now at start time wants "Enter Private key password".
> Need to find a way to stop this prompt so openvpn will start at boot time
> without human intervention.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
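
An added example, not part of the thread or of the OpenVPN or easy-rsa projects: a check for the situation discussed above, telling whether a PEM private key carries a passphrase (and so will trigger the "Enter Private key password" prompt at start) and, when it does not, whether the file is readable by anyone but its owner. The function names `key_state`, `audit_key` and `make_samples` and the sample files are constructed for illustration; the thread gives no key path, so paths are passed as arguments.

```shell
# Classify a PEM private key by its armor lines: encrypted | plaintext | unknown.
key_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # PKCS#8 uses its own BEGIN label; the traditional format uses a Proc-Type header.
    if grep -E -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -E -q -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo unknown
    fi
}

# Exit status: 0 = starts unattended and is owner-only, 1 = will prompt,
# 2 = no passphrase but readable by group/other, 3 = not a recognised key.
audit_key() {
    case $(key_state "$1") in
    encrypted)
        echo "PROMPT   $1: passphrase-protected, daemon cannot start unattended"
        return 1 ;;
    plaintext)
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
            echo "EXPOSED  $1: no passphrase and readable beyond its owner"
            return 2
        fi
        echo "OK       $1: no passphrase, owner-only permissions"
        return 0 ;;
    *)
        echo "UNKNOWN  $1: no PEM private key header found"
        return 3 ;;
    esac
}

# Constructed sample files: armor lines with a placeholder body, no key material.
make_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'placeholder' '-----END ENCRYPTED PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$1/plain.key"
    chmod 644 "$1/enc.key" "$1/plain.key"
}

# Audit the key files named on the command line, or the constructed samples.
if [ $# -gt 0 ]; then
    for k in "$@"; do audit_key "$k" || true; done
else
    d=$(mktemp -d) && make_samples "$d"
    for k in "$d"/*.key; do audit_key "$k" || true; done
    rm -rf "$d"
fi
```

With easy-rsa 3, passing `nopass` to `build-server-full` or `gen-req` generates the key without a passphrase, in which case the file's permissions are the only protection it has.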