• 2 Votes
    8 Posts
    3k Views
    I

    I also tried to use the ccd with different segment, with config below:

    server.conf
    client-config-dir /etc/openvpn/ccd
    route 10.8.2.0 255.255.255.0

    /etc/openvpn/ccd/username1:
    Code:
    ifconfig-push 10.8.2.9 10.8.2.10

    but still getting 10.8.0.x internal IP instead of 10.8.2.x.

    Also put in iptables:
    iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT

  • Linux Server Security

    IT Discussion
    2 Votes
    11 Posts
    3k Views
    scottalanmiller

    @Dashrender said:

    Why is a VPN a security risk? because they give you (generally) full access to the network?

    Correct. They create unnecessary exposure. Direct access to all hosts (typically) for all protocols and ports. The protections of firewalls and proxies are bypassed. They are generally the least secure form of access because they are the laziest - just expose everything and hope for the best.

  • Upcoming Pertino Network Changes

    News
    1 Votes
    2 Posts
    1k Views
    JaredBusch

    Yup, got those email notices yesterday. Thankfully, I should only have a few random desktop shortcuts to correct.

  • ZeroTier Review

    IT Discussion
    6 Votes
    107 Posts
    68k Views
    dafyre

    Holy Necroposting Batman!

    I found this topic referenced in another forum, and alas, my server that held the old code for this has long since crashed for reasons we're all familiar with.

    In that same post, however, another coder has written a Python script to handle this...

    https://github.com/LFlare/zerotiernc

  • Comparison of VPN Security

    News
    1 Votes
    23 Posts
    8k Views
    RojoLoco

    We recently had to set up an L2TP tunnel for our Apple devices, since the last iOS 10 update took PPTP out of the picture. It was a huge PITA too, because I didn't figure out for a while that the secondary tunnel wouldn't let me reuse existing user accounts in our WatchGuard.... that was some fun trial and error. And the WG how-tos never specified anything about needing different user accounts. It sucks to do all the steps right and then get login errors... makes ya feel like an amateur.

  • 3 Votes
    16 Posts
    20k Views
    NashBrydges

    @nashbrydges said in Is it possible to get Hola VPN to work on a Chromecast or Amazon Fire TV?:

    Are you having issues because of locality (videos only play based on your location)? If you have a server/PC at home running, would ZeroTier be a viable solution for this?

    Never mind. Re-read your original post. I clearly didn't pay attention.

  • Openvpn with remote freeradius

    IT Discussion
    0 Votes
    6 Posts
    3k Views
    Ambarishrh

    @dafyre said:

    What kind of authentication is the daloradius / freeradius back-end using?

    Can you test the authentication to the freeradius server from another server at Location B?

    Not sure how to answer that; daloradius is just a web-based front end of freeradius to manage users. What I think is for some reason the ovpn server is not communicating with dalo server.

    @scottalanmiller it's Ubuntu which is my issue too. I am so comfortable with CentOS, and ufw firewall is something new to me. Not even sure if this thing is enabled or disabled! 🙂

  • Internet access through OpenVPN

    IT Discussion
    1 Votes
    14 Posts
    4k Views
    Ambarishrh

    Found it.
    First run the iptables entry
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to xxx.xx.xx.xx

    Then run sudo apt-get install iptables-persistent, and follow the prompts. When it asks to save the current rules, hit "Yes" at both prompts. Now, on reboots, your iptables rules will be restored.
    All done, working fine! 🙂

  • Hola Producing Questionable Activity

    IT Discussion
    2 Votes
    14 Posts
    4k Views
    scottalanmiller

    @thecreativeone91 said:

    Yep, I'm sure it's some of the same people using it. I really never understood using these; it's too risky. If you need a VPN, get a virtual server you can use or something.

    In this case, it's because you want to select the country out of a large list, some of which you cannot easily get a virtual server in. Normal people can't maintain a dozen virtual servers around the world and build their own VPNs just to watch television.

  • Which NAS for Personal use?

    IT Discussion
    0 Votes
    19 Posts
    5k Views
    M

    @coliver said:

    A bit off topic... are ReadyNAS devices built on a Debian core?

    Yes, all of our OSes for ReadyNAS devices use Debian.

  • Pertino on Ubuntu 15.04

    IT Discussion
    2 Votes
    8 Posts
    3k Views
    scottalanmiller

    Yes, so lots of Ubuntu users will be impacted in the next two days.

  • VyOS remote access VPN

    Solved IT Discussion
    1 Votes
    11 Posts
    5k Views
    JaredBusch

    @scottalanmiller said in VyOS remote access VPN:

    @JaredBusch said in VyOS remote access VPN:

    @scottalanmiller said in VyOS remote access VPN:

    Yes, ERLs run VyOS.

    For the record, EdgeOS is not VyOS. It is its own fork of Vyatta.

    For the record, I did learn that since the original post and knew that now 🙂

    Just clarifying for Google's sake.

  • Initial VPNing Questions

    IT Discussion
    0 Votes
    13 Posts
    3k Views
    JaredBusch

    @scottalanmiller said:

    It does? Every time I've looked in the last few years, it had been removed.

    I was going to check again to confirm, but it looks like you cannot even see anything without signing up for a logmein account. Screw that.

  • Install Pertino on Unitrends

    IT Discussion
    0 Votes
    5 Posts
    2k Views
    thanksajdotcom

    @scottalanmiller said:

    Oh, if on CentOS 5 you are out of luck. Pertino has always been known to not support libraries that far back and because it is so old they have no intention of making it work on a system so old. Sorry, that's just how that works. We have one database server that can't upgrade from CentOS 5 right now and it is left without Pertino 😞

    Ah ok. Yeah, they're still using CentOS 5, and I have the latest Unitrends. Dang it...

  • 1 Votes
    14 Posts
    5k Views
    JaredBusch

    And the exact problem I am having is that the Dynamics NAV SQL Server and the RDS server when both put on Pertino were routing all traffic over Pertino instead of locally. I took the SQL server out of the network (made its own network) and everything started working again.

    What Pertino is waiting on me for is some packet captures that I have not had time to create.

    Because I have seen odd behavior of LAN devices without Pertino also having problems accessing SQL. Those devices have the NAV client locally installed.

  • 0 Votes
    9 Posts
    3k Views
    scottalanmiller

    "Insanity is repeating the same mistakes and expecting different results." -- Narcotics Anonymous

  • VPN and printing

    IT Discussion
    0 Votes
    38 Posts
    8k Views
    T

    @Dashrender Hell I don't know...swimming in unknown waters here...but glad to have you guys on the shore if I need assistance.

  • Linux webserver with VPN

    IT Discussion
    0 Votes
    15 Posts
    3k Views
    scottalanmiller

    @ambarishrh said:

    I am still waiting for the dev to give me more info on the type of request/data transfer that happens between the tab and server. If it's just a Web service request then my life is easier, webserver with SSL and am done. Initial info is that it's a Web service.

    Coming from Apache, I would assume so.

  • Site to Site VPN with Digital Certificate

    IT Discussion
    0 Votes
    2 Posts
    1k Views
    Dashrender

    I've wondered this myself, but more generically than just Ciscos and ASAs.

    I did this with Barracudas when I demo'ed them a few years ago. The Barracudas each had their own self-signed cert, and you imported their public key portion into the remote side for authentication.

    I'm not sure how it would work if both sides are using the same wildcard cert - I would think you would lose a large part of the security.