Search the Community
Showing results for tags 'TLS'.
Found 8 results
-
Hello, New user here with a similar problem, big fan of the service so far. It would help me if this could be dummied down a little. Similarly to OP, this setup works for regular http: webserver > airvpn? > airdns > user Goal: I would like to be able to accomplish this with https (webserver > airvpn? > airdns > cloudflare hostname > user) where each phase is encrypted. Problem: I am unable to register a certificate using the records in the background section. I think I misunderstood what you meant Background: My webserver (cosmos server) expects a hostname and allows you to use letsecrypt with your hostname (and it's subdomains) to encrypt connections with tls. Their documentation has you open a port on your router, then point your domain to your router with these records: A my.domain.here my.ip.address.numbers CNAME * my.domain.here It was working in this configuration. But in an effort to increase security (not a fan of opening up my router to attacks), I'd like to use port-forwarding instead. From the information in this thread I've ended up with these DNS records: CNAME my.domain.here subdomain.airdns.org CNAME * my.domain.here I am requesting a certificate for my.domain.here and it's subdomains (*.my.domain.here). Error: When I try to register a certificate I get this error: cloudflare: failed to find zone airdns.org.: ListZonesContext command failed: Invalid request headers (6003) Googling this error has not turned up many good results, but the error makes sense, I don't own your domain! Questions: First off, is this setup what you meant? Second, is there a way I can change my records to get past this error? Finally, do I need this at all? I can disable https all together but am not clear of the security ramifications (maybe your tls connection with the user is enough).
-
I have a local Server permanently connected to Airvpn over wireguard. Now I want to access the installed Nextcloud from the internet with SSL Encryption. I use an apache2 webserver. I opened a port and I can access it over http. But I don't know how to configure it over https. https://airdns.org/ has a Let's encrypt certificate, but in my nexcloud.conf I know only how to use a local certificate. So how can I point the webserver to use the certificate from airdns.org?
-
I use Ubuntu 16.04.5 with ipv6.disable=1 in my grub file. I have OpenVPN version 2.4 installed. I generated ovpn config files for all TLS 1.2 primary servers (entry point 3) UDP 443 with the following options: IPv4 only Resolve hostnames Separate keys / certs Then to connect I only ever run openvpn in terminal selecting one of the ovpn files pretty much at random but lately most of them generate the following and fail to connect. It looks as if they're trying to force an ipv6 connection? I don't want to use ipv6 as it's harder to lock down and I make sure to select IPv4 ONLY in the config generator. Wed Dec 4 04:36:47 2019 OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 31 2019 Wed Dec 4 04:36:47 2019 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Wed Dec 4 04:36:47 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Wed Dec 4 04:36:47 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Wed Dec 4 04:36:47 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Dec 4 04:36:47 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Wed Dec 4 04:36:47 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Dec 4 04:36:47 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.223.213:443 Wed Dec 4 04:36:47 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed Dec 4 04:36:47 2019 UDP link local: (not bound) Wed Dec 4 04:36:47 2019 UDP link remote: [AF_INET]184.75.223.213:443 Wed Dec 4 04:36:47 2019 TLS: Initial packet from [AF_INET]184.75.223.213:443, sid=4dfd5b1f 47dea206 Wed Dec 4 04:36:47 2019 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Wed Dec 4 04:36:47 2019 VERIFY KU OK Wed Dec 4 04:36:47 2019 Validating certificate extended key usage Wed Dec 4 04:36:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Wed Dec 4 04:36:47 2019 VERIFY EKU OK Wed Dec 4 04:36:47 2019 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Agena, emailAddress=info@airvpn.org Wed Dec 4 04:36:48 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Wed Dec 4 04:36:48 2019 [Agena] Peer Connection Initiated with [AF_INET]184.75.223.213:443 Wed Dec 4 04:36:49 2019 SENT CONTROL [Agena]: 'PUSH_REQUEST' (status=1) Wed Dec 4 04:36:49 2019 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.4.210.1,dhcp-option DNS6 fde6:7a:7d20:d2::1,tun-ipv6,route-gateway 10.4.210.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:d2::1073/64 fde6:7a:7d20:d2::1,ifconfig 10.4.210.117 255.255.255.0,peer-id 2,cipher AES-256-GCM' Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: timers and/or timeouts modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: compression parms modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: --ifconfig/up options modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: route options modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: route-related options modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: peer-id set Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Wed Dec 4 04:36:49 2019 OPTIONS IMPORT: data channel crypto options modified Wed Dec 4 04:36:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Dec 4 04:36:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Dec 4 04:36:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Dec 4 04:36:49 2019 ROUTE_GATEWAY 10.1.1.1/255.255.255.0 IFACE=eno1 HWADDR=2c:27:d7:1e:2f:56 Wed Dec 4 04:36:49 2019 GDG6: remote_host_ipv6=n/a Wed Dec 4 04:36:49 2019 GDG6: NLMSG_ERROR: error Operation not supported Wed Dec 4 04:36:49 2019 ROUTE6: default_gateway=UNDEF Wed Dec 4 04:36:49 2019 TUN/TAP device tun0 opened Wed Dec 4 04:36:49 2019 TUN/TAP TX queue length set to 100 Wed Dec 4 04:36:49 2019 /sbin/ip link set dev tun0 up mtu 1500 Wed Dec 4 04:36:49 2019 /sbin/ip addr add dev tun0 10.4.210.117/24 broadcast 10.4.210.255 Wed Dec 4 04:36:49 2019 /sbin/ip -6 addr add fde6:7a:7d20:d2::1073/64 dev tun0 RTNETLINK answers: Operation not supported Wed Dec 4 04:36:49 2019 Linux ip -6 addr add failed: external program exited with error status: 2 Wed Dec 4 04:36:49 2019 Exiting due to fatal error
-
Cannot connect to AirVPN servers using IPV6:
kleptoid posted a topic in Troubleshooting and Problems
. 2019.01.30 14:37:29 - Eddie version: 2.17.2 / windows_x64, System: Windows, Name: Windows 10 Pro, Version: Microsoft Windows NT 10.0.17763.0, Mono/.Net: v4.0.30319 . 2019.01.30 14:37:29 - Reading options from C:\Users\tharr\AppData\Local\AirVPN\default.xml . 2019.01.30 14:37:29 - Command line arguments (1): path="home" . 2019.01.30 14:37:29 - Profile path: C:\Users\tharr\AppData\Local\AirVPN\default.xml . 2019.01.30 14:37:31 - OpenVPN Driver - TAP-Windows Adapter V9, version 9.21.2 . 2019.01.30 14:37:31 - OpenVPN - Version: 2.4.6 - OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10 (C:\Program Files\AirVPN\openvpn.exe) . 2019.01.30 14:37:31 - SSH - Version: plink 0.67 (C:\Program Files\AirVPN\plink.exe) . 2019.01.30 14:37:31 - SSL - Version: stunnel 5.40 (C:\Program Files\AirVPN\stunnel.exe) . 2019.01.30 14:37:31 - curl - Version: 7.54.1 (C:\Program Files\AirVPN\curl.exe) . 2019.01.30 14:37:31 - Certification Authorities: C:\Program Files\AirVPN\res\cacert.pem I 2019.01.30 14:37:32 - Ready . 2019.01.30 14:37:36 - Cannot retrieve information about AirVPN: Length of the data to decrypt is invalid. - Status: HTTP/1.1 100 Continue - Headers: - Body (127875 bytes): HTTP/1.1 200 OK . 2019.01.30 14:37:36 - Server: nginx . 2019.01.30 14:37:36 - Date: Wed, 30 Jan 2019 20:37:32 GMT . 2019.01.30 14:37:36 - Content-Type: application/octet-stream . 2019.01.30 14:37:36 - Content-Length: 127376 . 2019.01.30 14:37:36 - Connection: keep-alive . 2019.01.30 14:37:36 - Pragma: no-cache . 2019.01.30 14:37:36 - Expires: 0 . 2019.01.30 14:37:36 - Cache-Control: max-age=0, no-cache, no-store, must-revalidate . 2019.01.30 14:37:36 - x-air-bk: 1 . 2019.01.30 14:37:36 - x-air-cache: 0 . 2019.01.30 14:37:36 - X-Frame-Options: SAMEORIGIN . 2019.01.30 14:37:36 - X-XSS-Protection: 1; mode=block . 2019.01.30 14:37:36 - X-Content-Type-Options: nosniff . 2019.01.30 14:37:36 - Referrer-Policy: strict-origin-when-cross-origin . 2019.01.30 14:37:36 - Strict-Transport-Security: max-age=31536000; includeSubdomains; preload . 2019.01.30 14:37:36 - wSX<X7??????~?\5?(???????~UTh9????v??Q???|??4??BpE? -
ANSWERED Custom TLS re-keying intervals in OPVN client
gabariala posted a topic in General & Suggestions
I'd like to refine the re-keying using OpenVPN manual configurations; what are the custom directives necessary to accomplish this? Can frequent re-keying break or interfere with downloads/uploads? -
Hi, I am not sure if this has been discussed before or if this is the right forum to post it. Kindly correct if there's any issue. While connecting to AirVPN through openvpn client using .opvn configs, the control channel always shows TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 as the cipher suite in the logs throughout all the servers/countries. Since openvpn supports both: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384; TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 of these ciphers suites, why aren't they the default encryption suites for the connection? ECDHE and ECDSA provide better security than DHE and RSA , respect ively. ECDSA clear ly has an advantage of providing similar security over much smaller key space than RSA , although ECC verifying takes a bit more time. Is the overhead time a concern to not switch to these cipher suites, or is there any other reason ? Please explain. Thank you.
-
I want to use the linux network manager which I think is a built in open VPN client, I am not sure but I need a .pem, .crt or .key file to login and no matter what I choose on the configuration generator all I get is the basic set up. It also wont let me select "ssl tunnel" even though I am selected 1 single server.
-
Hi, i am having a tls key negotation problem with android, this is the log generated by Openvpn for android: I don't know what could be, pls help.