up_the_irons: really you want a phone book type icon i c i chose "database_table" up_the_irons: ha, that was going to be a suggestion haha hmmm lets see how fast I can ruin my systems networking :P on the other hand, it worked... hmmmm palaCios8 since it's dns related, magic eightball would be perfect (icon) lol re: last night and inetd.conf, that's kinda funny. I'm sure ftp-proxy gets used far more than echo/daytime do. i thought that how is ftp-proxy handled now? isn't it magically in pf now or something up_the_irons: page_white_edit incompetent management are prob the only thing in my life that make me wana jump off a bridge vcs_: bad software? :-) no they forgot to include 2 months of work in a bid till the deadline and then realized they needed it then surprise, i have to do it in 2 weeks lol fuck my life that sucks yep welcome to programming i would not recommend it as a career path to anyone despite how fun the actual work is code monkey think maybe manager want to write goddamn login page himself i dont expect my manager to do anything but plan/execute the project correctly and providing me with proper documentation about what i am working on (before the project is due) also, when i have a deadline that is really close its a song ok they always love to take me off of it and put me on something else then place the blame on me for missing it lol the worst kinds of managers expect the coders to effectively manage the project to do their management work for them oh I also don't recommend programming as a career path because then you would be competing with me for jobs. haha do you enjoy working 16 hour days 7 days a week? then the programming profession is for you! mike-burns, the definition of modesty :P actually, in re-reading that.. I probably took it a different way than it was meant :P Heh, and I definitely meant the opposite.
mike-burns: if i quit, you still have to face the biggest competition of all offshoring :P until they quit, i think you are out of luck Also my job seems to be very different from yours, vcs_ . I work 40-hour weeks and don't have outsourcing as competition. i do embedded development, linux drivers/apps, board bringup, stuff like that lately ive been doing video muxing/demuxing sounds interesting it is awesome the hours are not at least i am doing something i like though that's true, that's always important and at least i have a job lol yeah :) hm.. got a few questions I'd like to ask you guys.. 1) is the anti-spam adequate on gmail/google apps free? 2) have you tried filing your taxes online and what do you think about it? heh 1. most spam is filtered, its pretty adequate 2. my mom is a cpa :P I'm trying to get a business going, selling stuff on ebay, so I'm trying to get by on very little money at the moment vcs_: cool, and darn :) kinda funny. I filled out the state sales and use tax return with all zeros laziness got the better of me, so I haven't gotten things together to sell the first thing but on the other hand, I didn't understand most of that stuff, and I don't really have the money to pay someone that does :P haha i know the feeling even right now I feel like I need to drink a gallon of coffee or something, but maybe that's a different feeling heh of course I've been sleeping crazy weird hours lately same here, im supposed to get to work at 9 but usually i walk in at 12 today's my first 'regular day' in probably a week but they can't fire me at 12? 
sheesh :P and my sleep schedule gets off working their crazy hours so i dont feel guilty my subconscious does not allow me to wake up really without 6 hours of sleep that's good enough for me i dont even hear my alarm there are limits of the human body I totally get that i dont feel guilty about it either and they cannot fire me because they can't replace me it's like that one day I was at work for nearly 12 hours and had nothing to eat yeah, i eat one meal a day my schedule is so off but I guess I had to learn the hard way I need to be more vocal boss should have known, but there you go problem is i am the only one in the company who can do a lot of administration stuff, as well as anything linux/unix related on one hand, I wish I had your job, and on the other, I see it as a repeat of the same crap I went through lol eventually i will have a good idea and work from home :P not that I know how to program linux drivers and what not :) one fine day but until then that's sort of my goal too if i had a huge reserve of money i would just work on OSS projects all day same here btw, if you ever want to consider partnering up or anything, I'm good at general system administration, networking, PHP/MySQL.. I've set up DNS, mail, web, and asterisk servers. wireless access points, routers, switches, QoS, and I dabble in C from time to time or if anyone is looking to fill a position, I'm 100% available mattx86: I use gapps free, and think the spam filtering is great. as for taxes, a decent accountant is worth their weight in gold. seriously, if you're a small time operation (which, most are at first) you can likely have your taxes done for a very reasonable cost. as you get bigger, their services can grow with you. mattx86: where are you located? the company I work for is looking for linux savvy people. mattx86: you have .0387994 seconds to respond!
lol jpalmer: well, I'm thinking/hoping that at least my state sales and use tax return is good the way I filled it out, but I'll definitely be filing with H&R block or similar next year. I was wondering about filing my personal pre-sole-proprietor federal tax return online soon jpalmer: lol sorry :) jpalmer: I'm in north-west TN, Union City to be exact mattx86: where do you live? oops stupid i have to read farther mattx86: I'm not sure if remote is OK or not. I could find out, but if you're interested, shoot me a /msg. we use DNS, web, mail, freeswitch (rather than asterisk), and deal with wifi, and general networking extensively. currently, I'm packaging open source software for Alpine Linux, writing documentation for them, and attempting to start a business selling computer products on ebay ix33: Union City, TN, USA (We're in florida, about 100 miles south of tampa) mattx86: live near a big airport? (memphis i assume?) jpalmer: you know what, I have a cousin and other family in florida.. I could perhaps move mattx86: shoot me a /msg, seriously. jpalmer: awesome, will do ix33: kinda.. memphis is a 2-hour drive from here ix33: brother uses it when it comes in from japan and what not he's ok btw glad to hear it yikes, brother in japan? hope you've contacted him in the last couple days. hope he lives in s/w japan... that's good to hear. you answered before I said it ;) yeah, he lives in Nagoya, where he said it was a 4.0 there.. office shook pretty good, but didn't come down on them or anything said nothing in his apartment seems to have moved even an inch, but still feels the aftershocks there mattx86: hope you find a spot. i can never find good people when we have a position open. ix33: me too hmm. I have a directory that contains enough entries that it's 2.5GB long mistake on my part... just want to delete it recursively now I wonder what the easiest way is find BAD -ls -delete # seems like one way :) jpalmer: do you do any data center work down in florida?
up_the_irons: not much these days, but I was joking :P I was going to steal the server and use it in my home lab. heh jpalmer: LOL up_the_irons: I used to do a fair amount, a couple years ago gotcha at one point, I was going to try and start a business similar to ARP, but using vmware ESX/ESXi, and allowing people to have as many VM's as they wanted within their assigned resource pool. ah cool up_the_irons - my task for two weekends from now is to bring up v6 for all of neil's machines I remember there's two ways to get the routes to work... the easy way, and the way I'm doing it. :) heh would it be useful for me to use rtadvd? and would that let me route to a /48 on my laptop? or maybe a /64 from my allocation? or will I always need a static default route for my v6, like with v4? RandalSchwartz: cool RandalSchwartz: we don't run rtadvd so i'm not sure if it would be useful to you You don't need RA's to route v6, it just provides automated configuration of them. if you want to control your own routing, then what you want is for us to route your /48 over a link-local address, then you can further route from there I think that's what I'm doing on red. but it was the ugly fe80::[mac addr] not a nice fe80::1 yeah - /^rootbeer@red.stonehenge.com$/ DUNNO oops yeah - ipv6_defaultrouter=fe80::5054:ff:fe27:9007%em0 bad paste sorry so do I just put in a support@ to enable fe80::2 routing on all three of those boxes? and then I point my default route at fe80::1 and another thing... it looks like squeak.org will be moving, probably to an ARP box I was touting the advantages in the board call today oh sweet :) RandalSchwartz: are all three boxes under the same account? (and thus, same VLAN) yeah, all under insightcruises.com but they're on different kvm's dunno if that matters. 
doesn't matter they all have nearby ipv4 addresses but separate v6 assignments, I thought could be wrong :) RandalSchwartz: so this is how it works -- the /48 can be routed to only one next-hop (naturally), so you have to pick a VM that will act as a router for the other two. obviously, if this VM goes down, then the other two lose connectivity. Generally speaking, this is another reason why routing over link-local is not the default option, and only for those comfortable with this fact :) RandalSchwartz: if they are under the same account, they'll share the /48 i've never given more than one /48 to a VLAN (was never justified) sure it's already 65536 x the size of the current v4 space :) no wait... even bigger the numbers just keep staggering me :) At some point you just end up sounding like Carl Sagan. a single /48 is big enough for 65536 segments, all using autoconfig wait - does that mean link locals for all my boxes see each other? RandalSchwartz: Only if you don't want to do routing, which I think you'll pretty much have to do in this case. if I carve off a separate /64 for each of the boxes, can I route through the virtual router? as in, can I treat them as all being on individual segments within my "organization"? RandalSchwartz: yes, link-locals should all see each other. they are on the same /64 then your router would just need to add all three routes. Hmm. this must be a solved problem. RandalSchwartz: but a route can only have one next-hop, unless you're doing some round-robin failover (and the other side needs to support it) I don't like the idea of having a specific box brb phone maybe that means ARP should be running rtadvd and pick up the routes automatically I'm told that "just works" most of the time That might get kind of messy with VPSes, since you'd have to do different RA's for each VPS. rtadvd tends to work with /64 best pilgrimd: messy? its dead simple.
one rtadvd, no conf necessary, using the /64 on the vlan for the allocation and the vps's link local address for the 64bit euid if one wishes one's vps to have a specific link local address, then one only needs to do something akin to 'inet6 fe80::dead:beef' in e.g. openbsd's hostname.em0 file at the top toddf: Oh ok, I'm not familiar with how your hosts do up the networking. RandalSchwartz: that "just works" with one route (usually a /64), but if you want to further subnet a route (say a /48), then _something_ has to be the next-hop router, and _that_ box does the further subnetting. think about it like in IPv4 and /30's. A /30 between two routers, then the upstream routes all block(s) to the downstream over the /30. the downstream /30 is still _one_ machine. if you require failover, that is usually when bgp or ospf come in the picture pilgrimd: this is not how my hosts do networking this is how rtadvd/rtsol interact. period. up_the_irons: but there is only one 'router' per address family on a given vlan, right? brb toddf: yes, only one router per address family hey all anyone know if there's any upstream network issue which would prevent running openvpn as a server to have client connect in and get a private IP ? unix_usr: openvpn works on my vps I get connection, but no ping :S jpalmer - what's your server config like ? basic openvpn server, nothing fancy. I basically want client _X_ to dial into openvpn running as server on my VPS, get an 10.X ip address, and have my VPS be able to connect back to that client using that 10.X ip ... sounds pretty straightforward. in answer to your question, no there is nothing on the ARPnetworks side that will prevent that from occurring :S .... something in my vps perhaps .... possibly. the guys in #openvpn are pretty good, maybe they can help? I have a dedicated static IP here at home - run a small server from using FreeBSD 8.1 - copied config file and it just works ... put same config/certs on VPS box - no go....
connects fine and all, just no ping using non standard port? how are you mapping from your public IP to your openvpn range? or are you just trying to get to it from 10.x ? randal - I'm basically trying to get access to the client, from the vps so client 'dials' in - gets 10.10.8.6 - VPS routes from 10.10.8.1 can you ping the IP from the VPS? I want a CGI script on the VPS then, to pull data from 10.10.8.6 the client is behind NAT - unix_usr: the network that the client is on, does it happen to also use the 10.10.x.x subnet? yeah, maybe you have route conflicts no - client is on a 172.24.x network that's why I use 10.77/16, unlikely to conflict :) if I copy the openvpn.conf file + certs from VPS -> my server here at home, then tell the client to connect to my home as remote site - works 100% unix_usr: I'd suggest starting client and server in debug mode, and see what (if any) errors show nothing that makes sense to me :$ whole bunch of RwrW ... are you pushing a route to your client? once connection establishes, I get RwRw when I ping (server spits out r's and w's) as in, is it sending all traffic up to the openvpn? yes - pushing two routes to client no - not all.... one sec... entire client config: client dev tun proto tcp remote my-server-2 1194 resolv-retry infinite nobind user nobody group nobody persist-key persist-tun ca ca.crt cert dakkota.crt key dakkota.key cipher BF-CBC where my-server == my actual server hostname yeah - where's the route push? if the client virtual address is 10.10.8.6, how does he know how to get to 10.10.8.1 ? netstat -rn: or anything else on that box since the processes are likely to use the "primary" box address very likely a public addr so they connect from 123.45.6.7 has route for 10.10.8.0/24 how will 10.10.8.6 know how to route back? you need to push a route for all local nets at least that route exists on the client? symmetric? 10.10.8.0/24 via gateway 10.10.8.5 on the client and... how to get to 123.45.6.7 ?
uses its default route .... or whatever your "major" address is for the box and you permit that in through the outer firewall? as in, you have a loosey goosey firewall? right now firewall == open this is new VPS ... not 'production' yeah, this is too much to diagnose remotely sorry too many variables thanks though :$ I'm guessing you have a routing problem can you ping your client from your VPS? nope that's the first thing to solve it's either a route problem at the VPS (check there) or a openvpn issue I bet the server's 10.10.8.1 isn't /24 I can run the EXACT server config, from a different machine (not VPS @ arpnetworks, but FreeBSD 8.1 at home with public static IP) - no change to config except listen address ... works fine stop telling me "it works somewhere else" that's irrelevant server doesn't have local config - openvpn is adding that you need to look at THIS box and how THIS is set up yes - is openvpn adding the right route? I am not manually configuring 10.10.8.x anywhere ifconfig the openvpn interface make sure it's /24 one sec... will bring back up client / server and take a look at routing tables.... if not, it won't hear the 10.10.8.5 traffic wait... there should be a route netstat -rn better have a route to 10.10.8/24 via the interface for openvpn (tun0 for me) bah, having trouble getting powerdns to axfr to the authoritative servers (BIND/named).
i guess that is what i get for using BIND tun0: flags=8051 metric 0 mtu 1500 options=80000 inet 10.10.8.6 --> 10.10.8.5 netmask 0xffffffff Opened by PID 56630 and netstat -rn: 10.10.8.0/24 gateway 10.10.8.5 can't ping 10.10.8.5 nor 10.10.8.1 from client from server, cannot ping 10.10.8.5 / 10.10.8.6 if you can't ping 10.10.8.6, openvpn is broken server showing: 10.10.8.0/24 10.10.8.2 you should check its error log oh - that's weirder it thinks it needs to go to 10.10.8.2 not .5 server shows: tun0: flags=8051 metric 0 mtu 1500 options=80000 inet6 fe80::6025:ea39:563a:251a%tun0 prefixlen 64 scopeid 0x4 inet 10.10.8.1 --> 10.10.8.2 netmask 0xffffffff nd6 options=3 Opened by PID 65677 server can't ping 10.10.8.2, but can ping 10.10.8.1 so on both server and client, they can ping their half of the tunnel, but not the remote only thing that sticks out in the logfile: Need IPv6 code in mroute_extract_addr_from_packet their half but not the remote - could be either routes or openvpn not up client side route look ok? yes server side route? just changed subnet - try a different one "in case" ... now have server 10.77.8.1 --> 10.77.8.2, route 10.77.8.0/24 10.77.8.2 client: 10.77.8.6 --> 10.77.8.5, route 10.77.8.0/24 via 10.77.8.5 that doesn't make sense they shouldn't have different IPs they should be symmetric server 8.1 -> 8.2 client 8.2 -> 8.1 that'll certainly break things openvpn puts them into /30 - 4 IP apart not sure how to change that :$ I'm going off of the how-to on openvpn.net .... lol - I'm a programmer damnit, not a network tech! :( well - if the two ends of your tunnel have different address ideas, that'll certainly not work. :) oh - hmm. maybe that is the right thing right... because server needs to push all 10.77.8 traffic into openvpn like I said - something network-sided... pretty sure it's not a config issue :S only real diff I have between home and VPS is the firewall... 
VPS has pf, home is using ipfw but both have 'allow everything via everything' rules right now... pass in all flags S/SA keep state pass out all flags S/SA keep state going to revert back to IPFW instead of PF - see if maybe something wacky going on there... you *do* have ip-forwarding on VPS, right? ... gateway_enable=YES ... http://www.isgsp.net/freebsd/freebsd-openvpn.html ... sysctl -a |grep net.inet.ip.f sysctl net.inet.ip.forwarding = 1 on both ends unix_usr: to get rid of the /30, use topology subnet ? the /30 default, is to work around some windows networking issues. 02:38:37 openvpn puts them into /30 - 4 IP apart 02:38:49 not sure how to change that :$ yes I know - found that reading somewhere ... but couldn't figure out how to undo it :S to change it: topology subnet link is up ifconfig server = 10.10.8.1 / client = 10.10.8.2 both have route via their local if to 10.10.8.0/24 both can ping their local IP - neither can ping the remote :( can even connect a second client ... which gets 10.10.8.3 but still not able to ping :S if I make client2 == server, then client1 and server (now == client2) - all connect fine unix_usr - did you add "topology subnet"? actually - I don't have that I do have "server 10.77.77.0 255.255.255.0" though tried topology subnet ... still no-go I have clientA + clientB + VPS I swapped configs, making clientB = server, connecting to it from clientA + VPS works fine in that direction :S so VPS can connect as a client to another machine using same config, but cannot act as a server :S really weird ... all I can say at this point is "works for me" you're using client certs right ping / connect / etc fine when VPS = client, home=server ... but no-go if I swap their configs and VPS=server, home=client are you looking at the logs from when your client tries to connect? yeah - says connected... get some annoying IPv6 warnings... but otherwise looks the same as I would expect :| where's your server config?
in: /usr/local/etc/openvpn/ yes, but where I can see it. :) so is the clients you pasted client config oh ... :S - not have it anywhere ... one sec... how about server. wait - why proto tcp? that would... SUCK tcp over tcp. very bad openvpn *wants* to be over UDP in fact, that's one of its big wins is that it works nicely on UDP so you never get into tcp-over-tcp UDP not play nice with client being behind NAT :( uh, say what? local 206.xxx.xxx.xxx proto tcp dev tun topology subnet works JUST FINE ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh1024.pem server 10.10.8.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 206.xxx.xxx.xxx 255.255.255.248" client-to-client ;duplicate-cn keepalive 10 90 cipher BF-CBC # Blowfish (default) ;comp-lzo max-clients 10 user nobody I'm behind NAT all the time and UDP works JUST FINE all modern NAT are relatively stateful, even for UDP as long as the first packets are from the inside and you have keep-alive where's your cert lines? ... ca /usr/local/etc/openvpn/keys/ca.crt stuff like that oh, they're there maybe the paths need to be absolute did you look in the openvpn server log? certs are ok they are in /usr/local/etc/openvpn/ whoa... is your "push" line literal? you didn't show it's a comment the rc.d script locals to that dir first mine reads # push "route 192.168.0.0 255.255.255.0" commented out push line was masked... not really 'xxx.xxx' try taking it out though as was listen ip if you're only routing to 10.x I did - no change where's "daemon" mine has daemon in it oops... gotta go. daemon is passed on command line from rc.d ok - I have mine in my file Randal - took your sample... changed my subnet to 10.77.77.0 - works. go figure. must be some use of the same subnet somewhere in arpnetworks.com :S hey all - anyone from support here? or anyone know how long a "reset to defaults" should take ? does it mean a complete re-stage ? and that's why I use a weird number. 
:) have you also switched to UDP? UDP a no-go... 10.77.77.0 also a no go I have two VPS w/ arpnetworks.... works fine on A, not on B both in same subnet, running same configuration .... thinking I messed with this one too much :$ but cdrom is no longer 'inserted' / attached either :( wait - I'm now confused Randal - took your sample... changed my subnet to 10.77.77.0 - - works. so why are you now saying "no go" yeah - I was on wrong machine :| lol - VPS A / VPS B both configured to have same hostname/etc ... mixed up my terminal windows :S VPS B is new - staging it to replace VPS A