jmnbtslsQE: a TCP connection to port 443 can be established, but then it immediately gets reset.

jmnbtslsQE: stunnel is not running. only openvpn is. but as I said, as soon as the TCP connection to port 443 gets established, it immediately resets.

Oleg: sorry i was AFK

your vpn server prepared to use the openvpn protocol only, so i don't see how stunnel can help. at best, if your ISP is filtering based on DPI, if openvpn uses TLS in the way that stunnel is able to, you might successfully negotiate a TLS session using stunnel. but to the extent that this resembles what you would already get with openvpn, it won't work, since it's already blocked by your ISP.

we don't know if the that reset is coming from expressvpn (who are blocking it in a weird way by allowing a connection then resetting) or if your ISP is interfering and injecting that reset. not sure how broken your ISP is

i would think unless something indicates otherwise that the 443 is reset is coming from that remote host (from your vpn provider)

is this host in China?

jmnbtslsQE: at home, I can successfully connect to Express VPN using the default ovpn file it provides. in its default file, the connection is established on port 1195 over udp. but when I am not home, but at the location where I need to connect to express vpn, I can't use that default file. I guess it means at that location, the ISP's firewall rules prevent me from connecting to express vpn over

that udp port.

OK, that sounds plausible

i think you should contact your VPN provider's support to ask about alternatives to connect based on your specific situation

and/or consult the networking channel on this network

re-reading what you said above, 443 is probably reset because you're running openvpn over it and whatever application is on the other end (such as webserver) does not accept that and immediately closes

hmm actually no that's wrong. if you get a RST then it's different

anyway, ask your vpn provider

jmnbtslsQE: a customer representative just wrote to me: "ExpressVPN servers listen on a range of different ports, and our apps might try connecting to any of these ports. Please set your firewall to allow outgoing connections to the following destination ports:

• tcp443

• udp1195

• udp1198

• udp10088 to udp10098

• udp10188 to udp10198

• tcp10288 to tcp10298"

I don't know anything about this particular VPN but normally I would use a UDP protocol for a VPN if possible. But if your ISP is blocking you then TCP on port 443 is the usual escape since if they block it then people can't use the web and complain.

I assume this means you got past the Linuxator problems of it being a Linux specific binary and now have it running on FreeBSD okay?

rwp: at home, I was always able to use the default ovpn file (whose configuration settings establish a connection to port 1195 over udp) and had no problems connecting to express vpn. but at the location where its ISP has its own firewall rules, I wasn't able to establish a connection to this port. And yes, I stopped thinking about anything linuxulator-related and now want to try to use native

FreeBSD tools to establish a connection to the vpn when I am at the location where that evil ISP rules.

rwp: I am at home now, and having problems connecting to port 443 over tcp

But the web works with https to sites? That's TCP to port 443.

And https is encrypted so the ISP should not be able to deep packet inspect it. (Probably.)

rwp: you are asking me if I can browse web pages at that location controlled by that evil ISP? Yes, I can, though many web pages are still inaccessible because of the firewall rules

This does truly sound like an Evil ISP.

that useless express vpn customer representative I just spoke with doesn't even know what modifications I should make to their ovpn file in order to connect to port 443

I also don't know exactly what you mean when you say TCP connection fails. I give an example of an https connection. One can use "openssl s_client www.freebsd.org:443" to connect to the https port encrypted using openssl's s_client for handling the encryption. Then one can say "GET /" which is HTTP protocol syntax to get the root web page. It will then emit the top level web page.

In between there the program will dump out all of the debug details of the encryption to the https certificate.

As far as how to configure OpenVPN to use TCP instead of UDP that's just a matter of saying "proto tcp" in the OpenVPN configuration file rather than "proto udp".

I gave that manual openssl s_client example just as an example of a manual way of "connecting" to port 443 on a web server system. But ExpressVPN presumably will have an OpenVPN server listening on that port 443 rather than a web server. And then another OpenVPN client can connect there. Presumably.

rwp: the customer representative claimed tcp port 443 is accessible. but after adding "proto tcp-client" to ovpn file and adding "remote usa-newyork-ca-version-2.expressnetw.com 443", I still can't connect to the vpn. and this is at home, where there are no evil firewall rules.

Hmm... Sorry. No idea.

getting called afk bbiab

those fucking assholes confidently claim that a connection can be established to tcp port 443. and yet they can't even tell me how to modify an ovpn file if I want such a connection to happen.

I don't have any stupid firewall rules at the location where I am now (home), and yet I can't establish such a connection

okay, now they told me that openvpn clients only support connections over udp

openvpn.net/community-resources/how-to search down for TCP

i keep reading OpenVPN as OpenVMS and being briefly interested

Honestly I would be briefly terrified.

hi, there my freebsd server is not booting properly in multiuser mode: i get this:

can somebody help

it boots into single user mode though

You are getting a kernel panic at boot in multiuser mode but not in single user mode. That makes me think that one of the kernel drivers being loaded is out of sync with the kernel.

If you are loading drivers with kld_list in /etc/rc.conf I would boot single user mode and then comment out or otherwise remove that line from rc.conf. Same thing for any non-base drivers in /boot/loader.conf file.

Then it should boot into multiuser mode successfully.

Then assuming that's the problem and fix then debug the driver problem. Probably loading a driver from ports. What freebsd-version -kru is installed and running?

Also assuming you have ZFS then Boot Environments can help. At the "Beastie" boot dialog select the previous Boot Environment to return to a file system clone fork of what was previously running and it should boot, running the previous system before the upgrade which broke things.

That's all making some assumptions. And that's all I have. It's very late here and I must sleep. Good night!

And also good luck! :-)

Hi, I've got an IPC running FreeBSD with two network interfaces, igb0 and igb1. igb0 is being used for EtherCAT. igb1 is connected to a router. The default router is binding to igb0 and so I have no internet access. If I manually delete the route and readd it I can access the internet by passing `-ifp igb1`, but I can't get this to work from my rc.conf. Anyone know how to get it to bind on the right interface please?

Got to the point where it doesn't work at boot, but if I manually restart networking and routing it then works. =/

I have an embedded device which uses FreeBSD 12.2 as an OS. This device has two serial ports: paste.debian.net/plainh/9bd747ca As seen in the dmesg output, the "uart1" is considered as "console" and "uart0" is not. /etc/ttys has lines "ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole secure" and "ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure". I can change the

"onifconsole" to "onifexists" for ttyu0 in order to have serial access on both serial ports, but what might be the reason that by default, only one of the serial ports is considered as "console"? Could this be set in the kernel configuration? Somewhere else?

mrtnt: serial port requires 0x10 flag and by default it's set on uart 0

AFAIK only one serial can be configured as console

mzar: oh, ok. I was hoping that perhaps it's possible to configure multiple serial ports as "console". I did try with paste.debian.net/plainh/cb1468fb configuration where I added the 'hw.uart.console="io:0x2f8"' line, but looks like it is simply ignored.

hello everyone, i was recommended freebsd and just wanted to come here to see what the community is like

welcome to the jungle

bool: cool, who recomends FreeBSD to you ?

i'm trying to run a script from devd when my usb audio detaches, but it doesn't appear to run. i'm trying to stop the errors of "pcm: waiting for sound to exit" by changing inputs

i'm running the setup on attach

but, detach is happening out of order?

anyone else noticed a memory leak on 14.1 with zfs ?

no, userland leaks are more my thing

hrm, well if i use a notify action in devd, then it works, jsut spams the disconnect command a few times

Sep 26 10:55:07 shodan sshd[30193]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"

So someone's attempting to do HTTP on my SSH daemon?

Who are these morons?

CrtxReavr: Are you on a non-standard SSH port?

Nope.

CrtxReavr, that's bog standard port scanning. I see it often.

just script kiddies bangin on your door

there's an old script which lets you bang back

damn. wish intersystems iris (formerly cache) was supported on freebsd

Install vlc.

for webes

webex

Have you tried the WebEx client?

the linux one?

Yeah.

I've not tried it. . . though they have both a .deb & .rpm package: webex.com/downloads.html

yeah it wants libc.so.6

In the linux environment, you mean?

yeah I've had it in /compat/linux/opt/Webex/bin and it wants a newer glibc

if I chroot as root it seems to try to do the right thing, but exits

oddly chromium works, but won't articulate the audio devices, as it once did. e.g. no selection choices for usb mic, or audio devices. Firefox does however, but it's lacking openh264, which is installed.

do you use some sort of fail2ban for SSH?

I only disabled root login, and disabled password login

I think that should be safe, as long as SSHD is new enough

also i run a non-standard port, just to get fewer tries :P

rwp: it looks like this thing will be a solution to my problem: amazon.com/Aircove-Portable-Protect…-Unlimited-ExpressVPN/dp/B0CM6VL4PS

Uhm... Sure. I know nothing about it. But it seems that a hardware device should do it. It would certainly avoid the Linux only binary executable problem.

If the ISP is blocking ports through, and that seemed to be what was reading in the scrollback buffer, then ISP port blocking will still be a problem.

rwp: this router makes use of the lightway protocol. Express VPN doesn't allow openvpn connections to port 443, but lightway can connect to port 443, which that ISP permits connections to.

I know nothing. But good luck! :-)

yeah

Oleg: is your magic port > 1024?

pretty neat. freebsd affected, it seems. evilsocket.net/2024/09/26/Attacking…-UNIX-systems-via-CUPS-Part-I/?s=09

yourfate: the advice tends to be to use blacklistd, since it's integrated and more efficient. no log parsing by a python process

i feel like it would be easier to change vpn providers

and probably cheaper than $169

but sure

Hi!, I did this many times without issues, but in this 14.1 server I cannot. I simply can't change the default shell of one user to /usr/local/bin/bash. I mean, I can execute: chsh -s /usr/local/bin/bash my_user and it looks like it works, but after re-login I run echo $SHELL and it still shows /bin/sh

martinrame: 1) show output of 'getent passwd my_user' 2) try 'pw usermod my_user -s /usr/local/bin/bash' which is the more normal way to do that

ivy: yes, it shows /usr/local/bin/bash

but I don't understand why the SHELL environment var isn't showing that.

how are you logging in?

ivy: from ssh

anything unusual like LDAP/AD/sssd/...?

ivy: no, just plain old ssh my_user@server

when you log in, is it actually running /bin/sh, or is it just $SHELL that's wrong? `echo $BASH_VERSION` should confirm if it's bash or not

ivy: echo $BASH_VERSION is empty. It's running /bin/sh

that's strange

do you have other users using bash where it works?

if you're running nscd, try `service nscd restart` and see if that fixes it

ivy: wait. I did went to root with: sudo su, then, from ther su my_user, and then echo $SHELL and it shows /usr/local/bin/bash.

ivy: it only has two users, root and my_user.

hmm

can you reboot? just to check it's not being cached somewhere weird

ivy: yes, rebooting did the trick.

that's strange though, reboot should not really affect that

nscd is the only thing i can think of that might cache the user's shell

ivy: yes, and it never should be the way to fix this.

ivy: anyway, it works.