Koozali.org: home of the SME Server

openvpn on 6.01

hanscees
openvpn on 6.01
« Reply #15 on: November 27, 2004, 12:25:20 AM »
Quote from: "cydonia"

Another question though, what is the difference/advantage/disadvantage between OpenVPN & Freeswan?

On my previous SME box i used Freeswan and it seemed to work fine, using the built in WinXP VPN configuration settings.

I am trying this to try something different, but curious to know how they differ.


What did you do with the WinXP VPN configuration then?
Windows cannot do IPsec in tunneling mode, except with L2TP, which is immature on Linux so they say.
So with IPsec you cannot route entire networks. With OpenVPN you can.

Also you can traverse nat.

Hans-Cees
nl.linkedin.com/in/hanscees/

cydonia

openvpn on 6.01
« Reply #16 on: November 27, 2004, 10:37:45 AM »
Quote from: "hanscees"


What did you do with the WinXP VPN configuration then?
Windows cannot do IPsec in tunneling mode, except with L2TP, which is immature on Linux so they say.
So with IPsec you cannot route entire networks. With OpenVPN you can.

Also you can traverse nat.

Hans-Cees


I'm not sure, it's that long ago, perhaps a registry mod... Nothing that isn't available on here.

It was only PPTP though, not ipsec.

I hope OpenVPN can do PPTP also...

hanscees
openvpn on 6.01
« Reply #17 on: November 27, 2004, 08:13:27 PM »
Quote from: "cydonia"


It was only PPTP though, not ipsec.

I hope OpenVPN can do PPTP also...


The question is weird. PPTP is a way to make a tunnel. OpenVPN is also. They both use similar "virtual" devices. They both use something like DHCP to give out IP addresses and so on.

Differences are huge though in other respects. PPTP is not as safe, cryptographically speaking: only when you use very long passwords. OpenVPN is much safer.
PPTP is mainly a Windows thing, where other OSes implemented it because Windows has it. PPTP has a lot of packet overhead as well, more than OpenVPN I think.
PPTP is not adjustable, whereas you can tinker a lot with OpenVPN.

hc
nl.linkedin.com/in/hanscees/

cydonia

openvpn on 6.01
« Reply #18 on: November 29, 2004, 02:42:17 PM »
I am getting the following error after entering username/password in the OpenVPN gui:


Tue Nov 30 00:40:58 2004 us=93392 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Nov 30 00:40:58 2004 us=93461 Exiting



I don't know if this is the problem, but my client.crt is 0kb in size, it has nothing in it at all.


I have followed the how-to, and actually did it all again to make sure I didn't miss anything.

Any ideas why this file is empty?
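The "PEM_read_bio:no start line" error quoted above is what OpenSSL reports when it never finds a "-----BEGIN CERTIFICATE-----" line in the file, which is exactly what a 0-byte client.crt produces. The checker below is added here as an example (it is not from this thread, from SME Server or from OpenVPN): it runs the cheap checks a practitioner would do by hand on a suspect certificate file and names which one fails. The function names and status strings are my own.

```python
"""Sanity-check a PEM certificate file before handing it to OpenVPN.

"no start line" from OpenSSL means no "-----BEGIN ...-----" line was
found: an empty, truncated or wrongly copied client.crt is the usual
cause.  This checker reports which cheap check fails first.
"""
import base64
import binascii
import os
import re

# Only a CERTIFICATE block counts; a key or CSR pasted into client.crt
# would also fail in OpenVPN, with a different OpenSSL error.
ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----",
    re.S,
)


def der_outer_length(der: bytes) -> int:
    """Total length the outer DER SEQUENCE claims, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:        # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    nbytes = first & 0x7F                      # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        return -1
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def diagnose_pem(text: str) -> str:
    """Classify the contents of a would-be client.crt."""
    if not text.strip():
        return "empty"                         # the 0 kB file from the post
    m = ARMOR.search(text)
    if m is None:
        if "-----BEGIN" in text:
            return "wrong-block-type"          # e.g. a private key, not a cert
        return "no-armor"                      # also reported as "no start line"
    body = re.sub(r"\s+", "", m.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if der_outer_length(der) != len(der):
        return "bad-der"                       # truncated or corrupted copy
    return "ok"


def diagnose_pem_file(path: str) -> str:
    """File-level wrapper: distinguishes a missing file from an empty one."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return diagnose_pem(fh.read())
```

The "bad-der" check only verifies that the decoded blob is one complete SEQUENCE; use openssl x509 -noout -text for a full parse once the file passes these checks.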

Appesteijn
openvpn on 6.01
« Reply #19 on: November 29, 2004, 03:17:19 PM »
Does the client.crt have anything in it when you've made it on your server? Maybe you could try to remove all certificates on your server and then rebuild them.
............

cydonia

openvpn on 6.01
« Reply #20 on: November 29, 2004, 04:33:06 PM »
Oops... what a noob..:P

I used "Server" as the common name to generate Client.key instead of "Client".

All working now.


One question though, what is the difference between port forwarding and port opening?  And why do we use port opening for this?

Thanks for the how to.

Appesteijn
openvpn on 6.01
« Reply #21 on: November 29, 2004, 05:43:17 PM »
With the port forwarding you can 'redirect' ports from your server to a client. In this way the outside world can contact your client PC. The port-opening module only opens a port in your firewall so that traffic can come past your firewall and thus reach your server (e.g. the openvpn daemon).
............

cydonia

openvpn on 6.01
« Reply #22 on: November 29, 2004, 06:56:01 PM »
Quote from: "Appesteijn"
With the portforwarding you can 'redirect' ports from your server to a client. In this way the outside-world can contact your client-pc. The port-opening module only opens a port in your firewall so that traffic can come past your firewall and thus reach your server.(e.g. the openvpn-daemon)


Oh, ok. In the past I used redirection (to the local address of the server) to open ports on the server. But in fact, I always had problems when trying to use VoIP remotely.

I will open the VoIP port rather than forward it and see what happens...

psc
openvpn on 6.01
« Reply #23 on: November 30, 2004, 08:20:48 AM »
Hi, I installed OpenVPN with this HowTo:
http://sme.swerts-knudsen.com/howtos/howto_30.htm

Now I got an "auth-failure"; I also tried to log on as admin, same error.
---------------------
Tue Nov 30 08:17:29 2004 us=265854 [Server] Peer Connection Initiated with xxx.x.xxx.xx:1194
Tue Nov 30 08:17:30 2004 us=308847 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Tue Nov 30 08:17:30 2004 us=351133 AUTH: Received AUTH_FAILED control message
Tue Nov 30 08:17:30 2004 us=352683 TCP/UDP: Closing socket
Tue Nov 30 08:17:30 2004 us=354120 SIGTERM[soft,auth-failure] received, process exiting
Tue Nov 30 08:17:31 2004 us=746251 Current Parameter Settings:
Tue Nov 30 08:17:31 2004 us=746339   config = 'VPN.ovpn'
---------------

Any suggestions ??
First, solve the problem. Then, write the code.

Appesteijn
openvpn on 6.01
« Reply #24 on: November 30, 2004, 09:19:45 AM »
What SME version do you run? The only way I could get it to run was to comment the line 'use Data::Manip;' in the 'validate_user.pl' file. For some reason 5.6 didn't have that function onboard. As far as I understand it this only removes some logging information.
But maybe the maker of this HowTo could confirm this.
............

psc
openvpn on 6.01
« Reply #25 on: November 30, 2004, 10:00:50 AM »
That's it, after commenting out the 'use Data::Manip;', the logon works.

I use SME 6.01 with all updates.

Thanks
First, solve the problem. Then, write the code.

cydonia

openvpn on 6.01
« Reply #26 on: December 10, 2004, 07:39:50 AM »
I'm having a problem with OpenVPN and just wanted to confirm a basic setup question.


I get the following message after I log in. I'm not sure that I actually log in though, since I can use any combo of user/pass and it still says it.

Fri Dec 10 17:37:22 2004 us=775475 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)
Fri Dec 10 17:37:22 2004 us=783189 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)



The network i am trying to access my server from is on:
192.100.10.xxx

Now, where do I have to add this in my config files?

Also, do I have to allow this network in the server-manager?


Thanks
Tristan

Knuddi
openvpn on 6.01
« Reply #27 on: December 10, 2004, 09:18:34 AM »
Try reading through the HowTo and see whether you have done everything as specified.

http://sme.swerts-knudsen.com/howtos/howto_30.htm

kmccarn
OpenVPN
« Reply #28 on: December 10, 2004, 01:32:15 PM »
Thanks again Jesper...

I have set this up on 4 of my boxes - it works great.

I now need to bridge to the local network behind the SME - I guess I'll try the bridge rpm mentioned here.

Kevin
Kevin in WV 8-)......

Appesteijn
A remark before you try to bridge
« Reply #29 on: December 10, 2004, 06:45:06 PM »
I have the bridging working, that wasn't the hard part. But now my DHCP server can't find eth0 because it is bridged with tap0 to br0. I must find where I can alter the network interface on which dhcpd is listening. I found /usr/sysconfig/dhcpd and edited that file, DHCPDARGS=br0, but that doesn't seem to work. Service dhcpd start still fails:


Starting dhcpd: SIOCADDRT: File exists
Internet Software Consortium DHCP Server 2.0pl5
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Multiple interfaces match the same subnet: br0 tap0
Multiple interfaces match the same shared network: br0 tap0
eth0: not found
exiting.

Any suggestions?
............