Hi Pan2 developers,

I use openvpn. The openvpn config file used for connection is something as follows:

-------------
werner@debian:~/srv_enumeration/2015-03-29-12-06-37_ovpn$ cat vpngate_58.19.210.249_tcp_1722.ovpn
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.

###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
# specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
# specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun

###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.

proto tcp

###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 58.19.210.249 1722

###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]

###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1

###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass

###############################################################################
# The certificate file of the destination VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
</ca>

###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
</cert>

<key>
</key>
-------------

And the connection log on stdout is as follows:

-----------
werner@debian:~/srv_enumeration/2015-03-29-12-06-37_ovpn$ sudo openvpn vpngate_58.19.210.249_tcp_1722.ovpn
Sun Mar 29 12:19:19 2015 OpenVPN 2.3_git [git:master/ec2fbf374f018366] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [SNAPPY] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 24 2015
Sun Mar 29 12:19:19 2015 library versions: OpenSSL 1.0.1e 11 Feb 2013, LZO 2.06
Sun Mar 29 12:19:19 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Mar 29 12:19:19 2015 TCP/UDP: Preserving recently used remote address: [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:19 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sun Mar 29 12:19:19 2015 Attempting to establish TCP connection with [AF_INET]58.19.210.249:1722 [nonblock]
Sun Mar 29 12:19:20 2015 TCP connection established with [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:20 2015 TCP_CLIENT link local: (not bound)
Sun Mar 29 12:19:20 2015 TCP_CLIENT link remote: [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:20 2015 TLS: Initial packet from [AF_INET]58.19.210.249:1722, sid=ac2bd730 591add7f
Sun Mar 29 12:19:20 2015 VERIFY OK: depth=0, CN=qmy0tez9o2lx9y9i.org, O=3t4j1v8d917 qjrldtull53, C=US
Sun Mar 29 12:19:21 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Mar 29 12:19:21 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 29 12:19:21 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Mar 29 12:19:21 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 29 12:19:21 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Mar 29 12:19:21 2015 [qmy0tez9o2lx9y9i.org] Peer Connection Initiated with [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:23 2015 SENT CONTROL [qmy0tez9o2lx9y9i.org]: 'PUSH_REQUEST' (status=1)
Sun Mar 29 12:19:23 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.38.205 10.211.38.206,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.38.206,redirect-gateway def1'
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: route options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: route-related options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar 29 12:19:23 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=c8:60:00:df:24:23
Sun Mar 29 12:19:23 2015 TUN/TAP device tun0 opened
Sun Mar 29 12:19:23 2015 TUN/TAP TX queue length set to 100
Sun Mar 29 12:19:23 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar 29 12:19:23 2015 /sbin/ifconfig tun0 10.211.38.205 pointopoint 10.211.38.206 mtu 1500
Sun Mar 29 12:19:23 2015 /sbin/route add -net 58.19.210.249 netmask 255.255.255.255 gw 192.168.0.1
SIOCADDRT: File exists
Sun Mar 29 12:19:23 2015 ERROR: Linux route add command failed: external program exited with error status: 7
Sun Mar 29 12:19:23 2015 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.211.38.206
Sun Mar 29 12:19:23 2015 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.211.38.206
Sun Mar 29 12:19:23 2015 Initialization Sequence Completed
-----------

The route table in my box is as follows when the openvpn connection succeeded:

----------
werner@debian:~$ ip route
0.0.0.0/1 via 10.211.38.206 dev tun0
default via 192.168.0.1 dev eth0 proto static
10.211.38.206 dev tun0 proto kernel scope link src 10.211.38.205
58.19.210.249 via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.211.38.206 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
-------------

And the ifconfig info is as follows:

----------------
werner@debian:~$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr c8:60:00:df:24:23
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::ca60:ff:fedf:2423/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57686 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23860896 (22.7 MiB)  TX bytes:14247297 (13.5 MiB)
          Interrupt:20 Memory:f7300000-f7320000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1247508 (1.1 MiB)  TX bytes:1247508 (1.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.211.38.205  P-t-P:10.211.38.206  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2536146 (2.4 MiB)  TX bytes:523958 (511.6 KiB)
------------------

Regards

2015-03-28 11:15 GMT+08:00 Jim Henderson <hende...@gmail.com>:

> On Sat, 28 Mar 2015 10:25:12 +0800, Hongyi Zhao wrote:
>
> > I use pan2 (Pan 0.140, GIT 048fecd ). I found a strange issue:
> >
> > When I am using a vpn method to access the internet, pan2 will fail
> > to access
> > news servers.
>
> Almost certainly a VPN issue, as pan has no network routing logic built
> into it - it depends on your network routing configuration.
>
> In order to diagnose this, we'll need to know a little about what the VPN
> software you're using is and how it's configured. My guess is that it's
> not configured for a split tunnel, and sends all traffic back to your
> corporate network, where it's subjected to firewall rules in the
> corporate firewall - and your corporate firewall probably blocks port 119
> (used for NNTP traffic).
>
> Jim
>
> --
> Jim Henderson
> Please keep on-topic replies on the list so everyone benefits
>
>
> _______________________________________________
> Pan-users mailing list
> Pan-users@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/pan-users
>

--
Hongyi Zhao <hongyi.z...@gmail.com>
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493
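
The split-tunnel question raised in the quoted reply can be checked directly against the `ip route` output posted above by doing a longest-prefix match over it. This is an added example, not part of the original thread; the function names are illustrative, and 203.0.113.10 is a documentation address assumed here to stand in for a news server.

```python
import ipaddress

# `ip route` output copied from the message above.
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.211.38.206 dev tun0
default via 192.168.0.1 dev eth0 proto static
10.211.38.206 dev tun0 proto kernel scope link src 10.211.38.205
58.19.210.249 via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.211.38.206 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gw))
    return routes

def egress(routes, addr):
    """Most specific matching route for addr (single table, no policy rules)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def is_full_tunnel(routes, tun="tun0"):
    """True when both /1 halves added for 'redirect-gateway def1' point at tun."""
    halves = {str(n) for n, dev, _ in routes if dev == tun and n.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}

ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    # Assumed news-server address, the VPN server, the LAN gateway, pushed DNS.
    for host in ("203.0.113.10", "58.19.210.249", "192.168.0.1", "8.8.8.8"):
        net, dev, gw = egress(ROUTES, host)
        print(f"{host:15} -> {dev:4} via {gw or 'on-link'} (matched {net})")
    print("full tunnel:", is_full_tunnel(ROUTES))
```

The two /1 routes are more specific than the eth0 default route, so everything except the VPN server's own host route and the local /24 leaves through tun0, NNTP on port 119 included.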