LinuxQuestions.org
Old 02-25-2012, 10:13 AM   #1
aminbaik
Member
 
Registered: Feb 2012
Posts: 44
openvpn without tls


hello,
Is there any way to use OpenVPN without using TLS?
thanks.
 
Old 02-25-2012, 10:49 AM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 13,837
Quote:
Originally Posted by aminbaik
hello,
Is there any way to use OpenVPN without using TLS?
thanks.
No, there isn't...and why would you want to make your VPN LESS secure? Read the openVPN docs.
http://openvpn.net/index.php/open-so...ion/howto.html
 
Old 02-25-2012, 11:10 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5
Quote:
Originally Posted by aminbaik
Is there any way to use OpenVPN without using TLS?
As TB0ne mentioned, of course not.

What capability is it that you think OpenVPN provides? Perhaps you're confusing it with another application.
 
Old 02-25-2012, 12:21 PM   #4
aminbaik
hello,
Our ISP has blocked TLS; because of that I want to make OpenVPN not use TLS.
I see that I can use a static key, and then it does not use TLS.
My problem now is that it does not push the gateway. Any suggestions?
thanks.
 
Old 02-25-2012, 04:02 PM   #5
TB0ne
Quote:
Originally Posted by aminbaik
hello,
Our ISP has blocked TLS; because of that I want to make OpenVPN not use TLS.
I see that I can use a static key, and then it does not use TLS.
My problem now is that it does not push the gateway. Any suggestions?
thanks.
Sorry, I can hardly understand any of this.

Your ISP may be blocking VPN traffic, which is easy to detect, but that is not the same thing as blocking TLS. If you don't like what your ISP is doing, then get a new ISP that supports business-class traffic, or ask your current ISP to let your traffic through. And yes, OpenVPN *CAN* support static keys, but again, your ISP is blocking VPN traffic...switching to a less-secure and less scalable authentication method won't solve anything.

Again, did you read the OpenVPN docs????
http://openvpn.net/index.php/open-so...ini-howto.html

A quote from that page:
Quote:
Static Key disadvantages
  • Limited scalability -- one client, one server
  • Lack of perfect forward secrecy -- key compromise results in total disclosure of previous sessions
  • Secret key must exist in plaintext form on each VPN peer
  • Secret key must be exchanged using a pre-existing secure channel
So, if you've only got ONE client, you're all set. Any more, and you're not.

Last edited by TB0ne; 02-25-2012 at 04:03 PM.
 
Old 02-26-2012, 03:36 AM   #6
aminbaik
hello,
I note that our ISP is blocking port 1149, so OpenVPN will not work.
In this case I have to use a static key; I tested it and it works fine.
My problem now is with multiple clients and the default gateway.
Or is there any way to bypass it?
thanks.
 
Old 02-26-2012, 03:18 PM   #7
TB0ne
Quote:
Originally Posted by aminbaik
hello,
I note that our ISP is blocking port 1149, so OpenVPN will not work.
In this case I have to use a static key; I tested it and it works fine.
My problem now is with multiple clients and the default gateway.
Or is there any way to bypass it?
thanks.
Once again, you need to read and understand the OpenVPN docs. In the OpenVPN documentation (and I even POSTED part of it last time), it clearly says that static keys will ONLY WORK WITH ONE CLIENT. There is no way to bypass that.

And again, if you DID read the OpenVPN docs, you'd see the OpenVPN example server.conf file. Now when you do, try looking for the section that is, again, clearly marked. It starts off with:
Code:
# Which TCP/UDP port should OpenVPN listen on?
http://openvpn.net/index.php/open-so....html#examples

Now, wouldn't that indicate to you that, if you change that port, you would then be able to make it work on a port OTHER THAN 1149, which your ISP is blocking???? If they are blocking port 1149, CHANGE IT to use something else. And AGAIN, if your ISP is blocking that port, CALL YOUR ISP...tell them to stop blocking that port, or move to a different ISP. Doesn't get much simpler than that.
 
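The two points TB0ne makes in #5 and #7, that a static key means one client per server and that the listen port is simply the `port` directive, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It classifies a config as static-key or TLS mode, reports port and protocol, and flags directives such as `server` and `push` that require TLS server mode and so cannot be combined with `secret`; that incompatibility is also why a static-key peer never receives a pushed gateway and has to carry `redirect-gateway` in its own config. The three config texts, and the key and certificate file names inside them, are constructed placeholders.

```python
"""Classify an OpenVPN config (static-key vs TLS) and flag directives that
cannot coexist. Added example; config texts are constructed for illustration."""

# Directives that only work in TLS server mode (the "server" style config).
SERVER_MODE_ONLY = {
    "server", "server-bridge", "client-to-client", "push",
    "client-config-dir", "max-clients", "duplicate-cn",
}
# Directives that imply a certificate (TLS) setup.
TLS_ONLY = {
    "ca", "cert", "key", "dh", "pkcs12", "tls-auth", "tls-crypt",
    "tls-server", "tls-client", "client",
}


def parse_directives(text):
    """Return [(name, args)] for each directive; '#' and ';' begin comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split("#", 1)[0].strip()   # drop trailing comment
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def analyze_config(text):
    """Summarise mode, port, protocol and any conflicting directives."""
    directives = parse_directives(text)
    names = {n for n, _ in directives}
    last = dict(directives)                     # last occurrence wins
    if "secret" in names:
        mode = "static-key"
    elif names & TLS_ONLY:
        mode = "tls"
    else:
        mode = "unknown"
    port = int(last.get("port", "1194").split()[0])   # 1194 is OpenVPN's default
    proto = last.get("proto", "udp").split()[0]
    issues = []
    if mode == "static-key":
        issues.append("static key: one client per server, no perfect forward "
                      "secrecy, key must be pre-shared over a secure channel")
        clash = sorted(names & SERVER_MODE_ONLY)
        if clash:
            issues.append("require TLS server mode, cannot be combined with "
                          "--secret: " + ", ".join(clash))
        if names & TLS_ONLY:
            issues.append("certificate directives present alongside --secret: "
                          + ", ".join(sorted(names & TLS_ONLY)))
    return {"mode": mode, "port": port, "proto": proto,
            "multi_client": bool(names & {"server", "server-bridge"}),
            "issues": issues}


# Constructed: static-key point-to-point, server side, moved off the default port.
STATIC_P2P = """
dev tun
proto udp
port 1195        # any port the peer can reach; 1194 is only the default
ifconfig 10.8.0.1 10.8.0.2
secret static.key
keepalive 10 60
"""

# Constructed: TLS multi-client server; push only works in this mode.
TLS_SERVER = """
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
push "redirect-gateway def1"
keepalive 10 120
"""

# Constructed: the mistake behind "it does not push the gateway" with a static key.
STATIC_WITH_PUSH = """
dev tun
port 1194
server 10.8.0.0 255.255.255.0
secret static.key
push "redirect-gateway def1"
"""

if __name__ == "__main__":
    for label, cfg in (("static p2p", STATIC_P2P), ("tls server", TLS_SERVER),
                       ("static + push", STATIC_WITH_PUSH)):
        print(label, analyze_config(cfg))
```

Run it as a script to see the three summaries; feed any real config text to `analyze_config` to get the same dictionary. The checker only looks at top-level directives, so inline `<ca>` blocks and `config` includes are ignored.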
Old 03-16-2012, 09:27 AM   #8
aminbaik
hello,
I tried with TCP and UDP ports, but no way; they blocked TLS. So I have to use a site-to-site scenario with multiple tunnels.
thanks.
 
Old 03-16-2012, 10:02 AM   #9
TB0ne
Quote:
Originally Posted by aminbaik
hello,
I tried with TCP and UDP ports, but no way; they blocked TLS. So I have to use a site-to-site scenario with multiple tunnels.
thanks.
No idea what you're saying, or what you mean by "tried tcp and udp ports"??? AGAIN, you can make OpenVPN connect on a different port, or you can CALL YOUR ISP and explain things. Doesn't get more simple/complicated than that.
 
Old 03-16-2012, 10:52 AM   #10
aminbaik
Hello, I mean that I tried, for example, 3389, 20 and 21; all get the same problem. I can't talk because I want to bypass them!
thanks.
 
Old 03-16-2012, 01:43 PM   #11
TB0ne
Quote:
Originally Posted by aminbaik
Hello, I mean that I tried, for example, 3389, 20 and 21; all get the same problem. I can't talk because I want to bypass them!
thanks.
Sorry, STILL no idea what you mean. Do you mean you tried to move OpenVPN to those ports? What do you mean by TCP and UDP in that context? "Can't talk"??? WHAT do you want to bypass????

OpenVPN is simple; configure it to use whatever port you want. That's it. You then route your traffic over that TUN device, and allow TCP/IP forwarding (again, ALL THIS is explained in their docs), and whoever is connected will be on that network. Unless you are CLEAR about what you're trying to do and how, and acknowledge what's been suggested to you (and maybe, possibly, TRY some of it?), there's no point in posting.

If you're convinced your ISP is blocking port 1149 (which I seriously doubt...why would an ISP block a port that a good number of businesses use FOR VPN?), all you have to do is (again) CALL YOUR ISP AND TELL THEM YOU NEED THAT PORT, or move to another ISP. You can also solve your problem by moving OpenVPN to a different port, as has been suggested to you before, you've been given the links to do it, and example configs. Not sure what else you need.
 
Old 04-11-2012, 02:20 AM   #12
chowes
LQ Newbie
 
Registered: Apr 2012
Location: Beijing
Distribution: Ubuntu
Posts: 3
This *IS* a complicated issue, actually....

Quote:
Originally Posted by TB0ne
Sorry, STILL no idea what you mean. Do you mean you tried to move OpenVPN to those ports? What do you mean by TCP and UDP in that context? "Can't talk"??? WHAT do you want to bypass????

OpenVPN is simple; configure it to use whatever port you want. That's it. You then route your traffic over that TUN device, and allow TCP/IP forwarding (again, ALL THIS is explained in their docs), and whoever is connected will be on that network. Unless you are CLEAR about what you're trying to do and how, and acknowledge what's been suggested to you (and maybe, possibly, TRY some of it?), there's no point in posting.

If you're convinced your ISP is blocking port 1149 (which I seriously doubt...why would an ISP block a port that a good number of businesses use FOR VPN?), all you have to do is (again) CALL YOUR ISP AND TELL THEM YOU NEED THAT PORT, or move to another ISP. You can also solve your problem by moving OpenVPN to a different port, as has been suggested to you before, you've been given the links to do it, and example configs. Not sure what else you need.
I think I see what his problem is (as I have the same one). The issue here is that this individual probably lives in an information-restricted country. I live in China and my VPN gets blocked constantly. The method of choice for the firewalls here is to do a soft-reset on the connection in the middle of the TLS key exchange. For some (admittedly stupid) reason, when TLS isn't used, the SSL connection that would normally ride inside of the transport encrypted channel will work. I have tested this many times and there are times that SSH tunnels will work, others when SSL will and still others when everything fails. The firewalls have intelligence built in that detects when tunnels are being created and screws with them to make it harder to leave the walled garden. This individual isn't asking for a way to make his setup less secure. He is asking for a way to make it work (period, EOM).

If this is the issue, then he can't just "call his ISP" and request the port be opened. This issue has nothing to do with ports. He can't "move to another ISP" because the problem will be the same. The Internet censors in these places don't give a flying rip whether "business ports" are blocked. They don't care about anyone's convenience. This is why most of us that live in these places have to do a lot of things that would be technically sub-optimal, but whatever we can to just make them work. This is quite complicated, actually.

For the 8 years I lived in Birmingham (Cahaba Heights and Leeds), much like you, I didn't have these problems. As evil as AT&T, Charter and Windstream can be at times, they don't pull garbage like what we have to deal with on a daily basis. So, I would say that your responses, while technically correct, were quite condecending and uneducated. If you don't understand someone's question, ask some of your own. Insulting someone's English language abilities doesn't help anyone. If you have a way that you think will help those of us who have this particular issue, please share. Most of us have RTFM before we come to these forums, so one reminder is sufficient. If you don't, then say so and let this lie.

Thanks.
 
Old 04-11-2012, 09:59 AM   #13
TB0ne
Quote:
Originally Posted by chowes
I think I see what his problem is (as I have the same one). The issue here is that this individual probably lives in an information-restricted country. I live in China and my VPN gets blocked constantly. The method of choice for the firewalls here is to do a soft-reset on the connection in the middle of the TLS key exchange. For some (admittedly stupid) reason, when TLS isn't used, the SSL connection that would normally ride inside of the transport encrypted channel will work. I have tested this many times and there are times that SSH tunnels will work, others when SSL will and still others when everything fails. The firewalls have intelligence built in that detects when tunnels are being created and screws with them to make it harder to leave the walled garden. This individual isn't asking for a way to make his setup less secure. He is asking for a way to make it work (period, EOM).
No, the question was very clear: how to make openvpn work WITHOUT TLS (period, EOM). The OP was directed to the docs, given possible solutions, and didn't follow up. According to the OpenVPN docs, you CAN use static keys, but only for one client, and he was told that; those are the capabilities of the software. What, exactly, do you think should be done?
Quote:
If this is the issue, then he can't just "call his ISP" and request the port be opened. This issue has nothing to do with ports. He can't "move to another ISP" because the problem will be the same. The Internet censors in these places don't give a flying rip whether "business ports" are blocked. They don't care about anyone's convenience. This is why most of us that live in these places have to do a lot of things that would be technically sub-optimal, but whatever we can to just make them work. This is quite complicated, actually.
Then post your insight/experiences/advice. The fact is, the OP did NOT contact their ISP for ANY sort of advice, and YOU don't know their situation any more than anyone else here does, do you??? They could have 10 different ISP choices, and their ISP may have been more than happy to accommodate them. You are only assuming it can't be done, rather than basing what you're saying on the facts posted.
Quote:
For the 8 years I lived in Birmingham (Cahaba Heights and Leeds), much like you, I didn't have these problems. As evil as AT&T, Charter and Windstream can be at times, they don't pull garbage like what we have to deal with on a daily basis. So, I would say that your responses, while technically correct, were quite condecending and uneducated. If you don't understand someone's question, ask some of your own. Insulting someone's English language abilities doesn't help anyone. If you have a way that you think will help those of us who have this particular issue, please share. Most of us have RTFM before we come to these forums, so one reminder is sufficient. If you don't, then say so and let this lie.
Before spouting off about how condescending and uneducated someone is, try knowing what you're talking about; perhaps learn how to spell the word "condescending", before calling someone else uneducated. All you've done is complain about the answers given, without giving any of your own. Did you read the OP's replies? Look at his posting history? We DID ask the OP questions, here and in other threads of his. The answers were vague, at best.
 
Old 04-11-2012, 07:11 PM   #14
chowes
Quote:
Originally Posted by TB0ne
No, the question was very clear: how to make openvpn work WITHOUT TLS (period, EOM). The OP was directed to the docs, given possible solutions, and didn't follow up. According to the OpenVPN docs, you CAN use static keys, but only for one client, and he was told that; those are the capabilities of the software. What, exactly, do you think should be done?

Then post your insight/experiences/advice. The fact is, the OP did NOT contact their ISP for ANY sort of advice, and YOU don't know their situation any more than anyone else here does, do you??? They could have 10 different ISP choices, and their ISP may have been more than happy to accommodate them. You are only assuming it can't be done, rather than basing what you're saying on the facts posted.

Before spouting off about how condescending and uneducated someone is, try knowing what you're talking about; perhaps learn how to spell the word "condescending", before calling someone else uneducated. All you've done is complain about the answers given, without giving any of your own. Did you read the OP's replies? Look at his posting history? We DID ask the OP questions, here and in other threads of his. The answers were vague, at best.
I'm not here to start a flame war with you, I was just pointing out another scenario. I read the entire thread as I was hoping it would answer a similar question to mine. The question was simply "can OpenVPN be used without TLS?" I had the same question. If the answer is no, then it is no. Maybe the better question would be "Can OpenVPN be used without tls-auth?" That answer is more nuanced, but likely more in line with what they were looking for as that is the easiest to block from the perspective of a firewall.

This person's struggle is familiar to me, so I offered another view to see if someone else in these forums might have a clue. Respondents from Alabama and Texas might not see these scenarios and maybe this was the wrong forum to post the question. You are correct. The answers were vague at best -- from all of us. I don't have a good answer, either. I use static keys -- one for each of the 6 endpoints I have -- but it still gets blocked regularly. OpenVPN is a well engineered piece of code, but there can be significant limitations in a truly hostile environment (like China, Iran, N. Korea, Egypt, Comcast, etc.). The docs are not helpful in dealing with some of the more difficult problems. The only place I've found useful information is where people who have figured it out for themselves post some possible solutions.

Quite honestly, TB0ne, I can see you are quite knowledgeable and your contributions to these boards are quite extensive. I'm not here to slander your reputation. If it came off that way, that was not my intent. That is unhelpful to everyone. However, I can see that this person was having a hard time asking/answering the questions and the extra yelling and snide remarks create an environment that feels hostile to new people. That is not the purpose of these boards. People that aren't necessarily network engineers might not know how to phrase the questions in exactly the right words, especially if they are ESL. I'm just asking you to cut people some slack. When I read the LQ Rules, which said that this was "*not* your average Linux forum" and that they "remain extremely friendly to both the newbie and the expert," I took them at their word. If you want to point out my random spelling mistakes and other totally irrelevant minutiae, then go right ahead. I've been a network engineer for 18 years, so I have thick skin and don't care. I'm just asking you to think a little before doing it to obvious newbies.
 
Old 04-12-2012, 09:52 AM   #15
TB0ne
Quote:
Originally Posted by chowes
I'm not here to start a flame war with you, I was just pointing out another scenario. I read the entire thread as I was hoping it would answer a similar question to mine. The question was simply "can OpenVPN be used without TLS?" I had the same question. If the answer is no, then it is no. Maybe the better question would be "Can OpenVPN be used without tls-auth?" That answer is more nuanced, but likely more in line with what they were looking for as that is the easiest to block from the perspective of a firewall.

This person's struggle is familiar to me, so I offered another view to see if someone else in these forums might have a clue. Respondents from Alabama and Texas might not see these scenarios and maybe this was the wrong forum to post the question. You are correct. The answers were vague at best -- from all of us. I don't have a good answer, either. I use static keys -- one for each of the 6 endpoints I have -- but it still gets blocked regularly. OpenVPN is a well engineered piece of code, but there can be significant limitations in a truly hostile environment (like China, Iran, N. Korea, Egypt, Comcast, etc.). The docs are not helpful in dealing with some of the more difficult problems. The only place I've found useful information is where people who have figured it out for themselves post some possible solutions.
...which is why static-keys were suggested, but unless that's done for EACH end point (which the OP said they didn't want in their OTHER threads about this same issue), it can't be done. Which is why they were told NO to start with. No, the docs aren't helpful in getting around a hostile Internet environment, but then again, they were never MEANT to be used in such an environment. Further, asking for advice in 'getting around' these issues in the countries you mention is against LQ rules. Hacking/cracking/region restriction limits aren't something that's dealt with here for a variety of issues, no matter how much we'd like to in some circumstances.
Quote:
Quite honestly, TB0ne, I can see you are quite knowledgeable and your contributions to these boards is quite extensive. I'm not here to slander your reputation. If it came off that way, that was not my intent.
Yes, calling someone condescending and uneducated can only be taken in a good, positive manner.
Quote:
That is unhelpful to everyone. However, I can see that this person was having a hard time asking/answering the questions and the extra yelling and snide remarks create an environment that feels hostile to new people. That is not the purpose of these boards. People that aren't necessarily network engineers might not know how to phrase the questions in exactly the right words, especially if they are ESL. I'm just asking you to cut people some slack. When I read the LQ Rules, which said that this was "*not* your average Linux forum" and that they "remain extremely friendly to both the newbie and the expert," I took them at their word. If you want to point out my random spelling mistakes and other totally irrelevant minutiae, then go right ahead. I've been a network engineer for 18 years, so I have thick skin and don't care. I'm just asking you to think a little before doing it to obvious newbies.
You omit the facts of the situation. Questions were asked of the OP, and not only in this thread. They were not answered, and the answers we DID get were vague/incomplete, if we got them at all. Newbie is one thing; not providing follow-ups is another, nor is even trying to read the docs, or follow what they say. Look in any one of THOUSANDS of other threads on this site, and newbies are quite often helped along very well, but it's a two-way street. If they participate, answer questions, follow advice, etc., then help can be rendered. Otherwise, aside from someone getting on a plane or logging in to do their work FOR THEM, there's little ANYONE here can do.

In your first reply, you said "If you don't understand someone's question, ask some of your own. Insulting someone's English language abilities doesn't help anyone." We DID ask follow-ups, which are evident, and they weren't answered, or not answered well. Advice was given, and it wasn't acknowledged, and if it was taken, no follow-ups were posted by the OP. And where, exactly, did ANYONE here insult anyone's English abilities?? Saying you don't understand isn't an insult; it's a statement, which is why clarity was asked for.

Last edited by TB0ne; 04-12-2012 at 09:56 AM.
 
  

