<p dir="ltr">You'll want to disable tls 1 (1.1 is ok) and ssl 3 (all bad). Looks encrypted.</p>
<div class="gmail_quote">On Nov 7, 2015 4:44 PM, "Alex Carver" <<a href="mailto:agcarver%2Bale@acarver.net">agcarver+ale@acarver.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2015-11-07 12:45, Phil Turmel wrote:<br>
> On 11/07/2015 02:58 PM, dev null zero two wrote:<br>
>> did you set up routes and ip forwarding?<br>
><br>
> You'll probably also need nat in the openvpn server for any external<br>
> traffic originating in the vpn.<br>
<br>
Ok, the NAT worked (I didn't have iptables installed at all on this<br>
particular machine). Got that installed, masqueraded the VPN subnet<br>
over to the machine's network card and can now reach the internal traffic.<br>
<br>
Next step, trying to verify that the link is encrypted. I've got<br>
debugging turned up a bit and am watching the logs. When a connection<br>
is established I see the following:<br>
<br>
Sat Nov 7 16:28:28 2015 us=998372 MULTI: multi_create_instance called<br>
Sat Nov 7 16:28:29 2015 us=1250 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Re-using SSL/TLS<br>
context<br>
Sat Nov 7 16:28:29 2015 us=3046 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> LZO compression<br>
initialized<br>
Sat Nov 7 16:28:29 2015 us=12627 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Control Channel<br>
MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]<br>
Sat Nov 7 16:28:29 2015 us=15443 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Data Channel MTU<br>
parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br>
Sat Nov 7 16:28:29 2015 us=17017 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Local Options<br>
String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto<br>
UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize<br>
128,tls-auth,key-method 2,tls-server'<br>
Sat Nov 7 16:28:29 2015 us=21830 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Expected Remote<br>
Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto<br>
UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize<br>
128,tls-auth,key-method 2,tls-client'<br>
Sat Nov 7 16:28:29 2015 us=24194 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Local Options hash<br>
(VER=V4): '14168603'<br>
Sat Nov 7 16:28:29 2015 us=25583 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Expected Remote<br>
Options hash (VER=V4): '504e774e'<br>
Sat Nov 7 16:28:29 2015 us=27203 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> TLS: Initial<br>
packet from [AF_INET]<a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a>, sid=53399d05 59f52b6e<br>
Sat Nov 7 16:28:37 2015 us=252588 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a><br>
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3<br>
/ time = (1446942506) Sat Nov 7 16:28:26 2015 ] -- see the man page<br>
entry for --no-replay and --replay-window for more info or silence this<br>
warning with --mute-replay-warnings<br>
<br>
<br>
(This last set of TLS messages gets repeated a few times.)<br>
<br>
After those get repeated I get:<br>
<br>
<br>
Sat Nov 7 16:28:47 2015 us=176814 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Data Channel<br>
Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Sat Nov 7 16:28:47 2015 us=178102 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Data Channel<br>
Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Sat Nov 7 16:28:47 2015 us=179541 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Data Channel<br>
Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br>
Sat Nov 7 16:28:47 2015 us=180685 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Data Channel<br>
Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br>
Sat Nov 7 16:28:47 2015 us=253723 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> Control Channel:<br>
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br>
Sat Nov 7 16:28:47 2015 us=255138 <a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a> [vpntest2] Peer<br>
Connection Initiated with [AF_INET]<a href="http://166.170.49.84:20242" rel="noreferrer" target="_blank">166.170.49.84:20242</a><br>
<br>
Is it encrypted or not?<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>