Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Daniel B.
« Reply #30 on: November 03, 2006, 07:41:37 PM »
Yes, sorry, I forgot to edit the previous URL. Now you can access it at
http://sme.firewall-services.com/downloads/smeserver-openvpn

and the how-to and other contribs at

http://sme.firewall-services.com

The next release is about to be ready (next week I think). It will integrate the certificate manager I have wanted to add since I started this contrib: you will be able to generate as many certificates as you want and revoke them when you want. Useful if you want to give someone temporary access to your server via VPN.
It's the end of the world!!! :lol:

Daniel B.
« Reply #31 on: November 07, 2006, 06:04:49 PM »
Hi. I announce the 4th and probably the last beta release of the contrib. There are some big changes, mainly the famous certificate manager. I've tested it more than the other releases and I think everything is OK. I'll wait just a little and if nobody reports a bug, I'll package it as an rpm and stop development for a moment. Please try it.

http://sme.firewall-services.com/spip.php?article2

jvels
« Reply #32 on: November 07, 2006, 10:06:48 PM »
Great work!!!! :D

An idea... what about a "client" in the server admin panel?

So it is possible to type in the connection information if the SME server should bridge to another SME server, and then press connect, so it connects, and if the server has to reboot, it auto-reconnects after the reboot.... just an idea... I do not know if there is someone who needs it... or if it is smart...

Daniel B.
« Reply #33 on: November 07, 2006, 10:36:36 PM »
Well, I'm writing a how-to for the configuration of an SME as a client of another SME with this contrib. It's not so hard (at least for a simple connection; for sharing the same subnet over the two sites, it's a bit harder, I'm also working on it). I think I won't integrate it in the panel but will post when the how-to is online.

crazybob
« Reply #34 on: November 12, 2006, 12:49:12 AM »
I am now using openvpn in routed mode, but I am thinking about changing to bridge mode. Can you see any problems with just installing it over an existing installation, or should I try to remove the old one first?
If you think you know what's going on, you obviously have no idea what's going on!

Daniel B.
« Reply #35 on: November 13, 2006, 09:27:05 AM »
You should uninstall all the previous rpms first and even remove the whole /etc/openvpn directory. My package installs the needed ones, and if they are already installed (but not in the same version), it can cause problems.

Daniel B.
« Reply #36 on: November 19, 2006, 04:21:02 AM »
I'm pleased to announce beta5 of this contrib. The main goal of this release is to improve security. Here's the change log:

- the login verification script has been replaced with openvpn-auth-pam.so, which adds these advantages (from OpenVPN's site):
   * The shared object openvpn-auth-pam plugin uses a split-privilege execution model for better security. This means that the OpenVPN server can run with reduced privileges by using the directives user nobody, group nobody, and chroot, and will still be able to authenticate against the root-readable-only shadow password file.
   * OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
   * C-compiled plugin modules generally run faster than scripts.
- daemon runs under user nobody, group nobody
- daemon chrooted in /etc/openvpn
- added tls-auth with a shared static key (secret). tls-auth protects against
   * DoS attacks or port flooding on the OpenVPN UDP port.
   * Port scanning to determine which server UDP ports are in a listening state.
   * Buffer overflow vulnerabilities in the SSL/TLS implementation.
   * SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
- certificates are marked as client or server. At connection time, the client verifies that the server presents a server certificate. This prevents spoofing attacks.
- the common name of the server is verified each time a client connects.
- during the first certificate generation, you can choose the key size (1024, 2048 or 4096)
- only 4 authentication methods are available now; the old second one has been removed
- the generation of the certificates, keys and parameters has changed so that there is no longer a time-out error on the web page
- the contrib is ready to co-exist with the soon-coming contrib for site-to-site connection
- you can generate another certificate than the default one for the server side
- you can see the last 100 lines of the log through the interface for easier debugging.
- the interface tells you if the daemon is running (and gives you its PID)
- the certificate manager has been modified (available certificates and revoked ones are displayed in two different tables).

https://sme.firewall-services.com/spip.php?rubrique3
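Added example (not part of the contrib or of this thread): a small Python audit that reads an OpenVPN server or client config and reports which of the beta5 hardening items above are missing (auth-pam plugin instead of a login script, user/group nobody, chroot, tls-auth, server-certificate type check, server common-name check). The sample configs and the plugin path are constructed assumptions; the directive names are real OpenVPN 2.0-era directives.

```python
import re
# Directives the beta5 hardening relies on, per role, and the risk each gap leaves.
# Spellings joined by "|" are equivalent (ns-cert-type / tls-remote are the
# OpenVPN 2.0 forms of remote-cert-tls / verify-x509-name).
EXPECTED = {
    "server": {
        "plugin": "login script not replaced by the openvpn-auth-pam.so plugin",
        "user": "daemon keeps root instead of dropping to an unprivileged user",
        "group": "daemon keeps its group instead of dropping to an unprivileged group",
        "chroot": "daemon not confined to its configuration directory",
        "tls-auth": "UDP port and TLS handshake not guarded by the static HMAC key",
    },
    "client": {
        "tls-auth": "TLS handshake not guarded by the shared static HMAC key",
        "ns-cert-type|remote-cert-tls": "server certificate type not checked (spoofing)",
        "tls-remote|verify-x509-name": "server common name not verified",
    },
}

def parse(text):
    """Map each directive to its argument list (first occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = re.sub(r"[#;].*", "", line).strip()  # drop comments
        if line:
            name, *args = line.split()
            directives.setdefault(name.lstrip("-"), args)
    return directives

def audit(text, role):
    """Return the hardening gaps of an OpenVPN config for the given role."""
    d = parse(text)
    gaps = [why for names, why in EXPECTED[role].items()
            if not any(n in d for n in names.split("|"))]
    if "auth-user-pass-verify" in d:  # credentials go through a file or the environment
        gaps.append("auth-user-pass-verify hands credentials to a script " + d["auth-user-pass-verify"][-1])
    if "user" in d and "persist-key" not in d:  # keys unreadable after the privilege drop
        gaps.append("persist-key missing: key files cannot be re-read after dropping privileges")
    return gaps

# Constructed sample configs (not the contrib's own files): a pre-beta5 style
# server beside the hardened server and its matching client.
WEAK_SERVER = """port 1194\ndev tap0\nca ca.crt\ncert server.crt\nkey server.key
auth-user-pass-verify /etc/openvpn/check-login.sh via-file\n"""
HARDENED_SERVER = """port 1194\ndev tap0\nca ca.crt\ncert server.crt\nkey server.key
tls-auth ta.key 0\nplugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
user nobody\ngroup nobody\nchroot /etc/openvpn\npersist-key\npersist-tun\n"""
HARDENED_CLIENT = """client\ndev tap\nremote vpn.example.org 1194\nca ca.crt
cert client.crt\nkey client.key\ntls-auth ta.key 1\nns-cert-type server
tls-remote server-bridge\n"""
```

Running audit(WEAK_SERVER, "server") lists six gaps, while both hardened samples come back empty.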

katray

« Reply #37 on: November 19, 2006, 08:11:40 AM »
OpenVPN needs a master certificate (ca.crt)
OpenVPN needs several files:
- A master CA certificate which will sign all others
- An X.509 certificate for the server side
- A Diffie-Hellman parameter for the key negotiation
- A shared secret key for the tls-authentication during the handshake


Click here to generate these files

After clicking I get this:

Software error:
Can't call method "prop" on an undefined value at /etc/e-smith/web/panels/manager/cgi-bin/openvpn line 981.

For help, please send mail to the webmaster (admin), giving this error message and the time and date of the error.

SME Server 7.0 with all updates no other addons
Fresh Install of smeserver-openvpn-bridge_beta5.tar.gz

Daniel B.
« Reply #38 on: November 19, 2006, 04:23:26 PM »
Oops, my fault. I finished it yesterday (about 4:00 am) and I worked more on the upgrade script; I forgot to change the name of a key in the install script. I've just uploaded the archive again with the correction. To fix it, type the following:

db openvpn-bridge set default_config config
db openvpn-bridge setprop default_config countryCode 'FR'
db openvpn-bridge setprop default_config countryName 'France'
db openvpn-bridge setprop default_config localityName 'Bordeaux'
db openvpn-bridge setprop default_config organizationName 'Firewall-Services'
db openvpn-bridge setprop default_config sectionName 'VPN'
db openvpn-bridge setprop default_config commonName 'server-bridge'
db openvpn-bridge setprop default_config mailAddress 'admin'
db openvpn-bridge setprop default_config serial '00'
db openvpn-bridge setprop default_config certType 'server'
db openvpn-bridge setprop default_config keySize '1024'
db openvpn-bridge delete bridge_config

And reload the page; you'll be prompted for some information and then the certificates will be generated.

Sorry for this mistake.

crazybob
« Reply #39 on: November 19, 2006, 06:49:00 PM »
Hello VIP-ire,

  I am currently using your beta-3, which is working great. Should I uninstall it before upgrading to beta-5?

Thanks

Bob

Daniel B.
« Reply #40 on: November 19, 2006, 10:49:06 PM »
Quote from: "crazybob"
Hello VIP-ire,

  I am currently using your beta-3, which is working great. Should I uninstall it before upgrading to beta-5?

Thanks

Bob


Yes, you should. I provide an upgrade script, but only from beta4. You should uninstall beta3 and remove the entire directory /etc/openvpn. You'll have to reconfigure every client with the new certificates and the new configuration file.

go_jesse

« Reply #41 on: November 20, 2006, 12:24:57 AM »

Daniel B.
« Reply #42 on: November 20, 2006, 11:33:01 AM »
I've noticed another little problem in beta5 which prevents fixed IPs from being reserved for authentication methods 2 and 4. The archive has been updated, but for those who have already installed beta5, just do this to correct the problem:

rm -f /etc/e-smith/templates-custom//etc/openvpn/ccd-bridge/.config
vim /etc/e-smith/templates-custom//etc/openvpn/ccd-bridge/.config

and copy/paste these lines:

Code:
{
    # Template fragment for /etc/openvpn/ccd-bridge/.config: each expansion
    # rebuilds the per-client config directory (ccd) from the openvpn-bridge
    # and accounts databases.
    my $OUT = '';
    use esmith::ConfigDB;
    my $db_cert  = esmith::ConfigDB->open_ro('openvpn-bridge');
    my @certs    = $db_cert->get_all_by_prop(type => 'cert');
    my $db_users = esmith::ConfigDB->open_ro('accounts');
    my @users    = $db_users->get_all_by_prop(type => 'user');
    my $netmask  = ${'LocalNetmask'};
    my $userAuth = ${'openvpn-bridge'}{userAuth};
    my $ccd      = '/etc/openvpn/ccd-bridge';

    # Write one ccd file per client: its content is the directive OpenVPN
    # applies to that client (--disable refuses the connection).
    my $write_ccd = sub {
        my ($name, $content) = @_;
        open(my $fh, '>', "$ccd/$name") or die "can't write $ccd/$name: $!";
        print $fh "$content\n";
        close($fh);
    };

    # Start from an empty directory so deleted users or certificates vanish.
    unlink glob("$ccd/*");

    if (($userAuth eq '1') || ($userAuth eq '3')) {
        # Authentication methods 1 and 3: one ccd file per SME user account,
        # used only to control access with the ccd-exclusive directive.
        foreach (@users) {
            my $user      = $_->key;
            my $rec_user  = $db_users->get($user);
            my $VPNAccess = $rec_user->prop('VPNClientAccess') || 'no';
            my $fic;
            if ($VPNAccess eq 'yes') {
                $fic = "# user $user has VPN access. This file is only used to control the access with the ccd-exclusive directive";
            }
            else {
                $fic = "--disable";
            }
            $write_ccd->($user, $fic);
        }
    }
    else {
        # Authentication methods 2 and 4: one ccd file per client certificate,
        # pushing the reserved fixed IP when one is set.
        foreach (@certs) {
            my $cert     = $_->key;
            my $rec_cert = $db_cert->get($cert);
            my $ip       = $rec_cert->prop('ip') || 'undef';
            my $status   = $rec_cert->prop('status') || '';
            my $type     = $rec_cert->prop('cert-type') || '';
            # Reset for every certificate, otherwise a server certificate
            # would inherit the content computed for the previous client.
            my $fic = '';
            if ($type eq 'client') {
                if (($ip ne 'undef') && ($status eq 'available')) {
                    $fic = "--ifconfig-push $ip $netmask";
                }
                elsif (($status eq 'available') && ($ip eq 'undef')) {
                    $fic = "# User $cert doesn't have a fixed IP";
                }
                elsif ($status eq 'revoked') {
                    $fic = "--disable";
                }
            }
            $write_ccd->($cert, $fic) if ($fic ne '');
        }
    }

    $OUT = 'This file is only used to generate the per client config file.';
}


Now save it and expand it:

Code:
expand-template /etc/openvpn/ccd-bridge/.config

That's all

revans
« Reply #43 on: November 20, 2006, 04:02:02 PM »
It appears that it does not matter what is entered in the "State" box when creating the server certificate - the resulting ST entry always says "France"  :)

I have observed this behaviour in both beta4 and beta5.

Many thanks for this useful contrib.

Daniel B.
« Reply #44 on: November 20, 2006, 05:00:29 PM »
Thanks for the report. I didn't see this error because I used "France" for all my tests. You can get the patch I've just uploaded on my server, then remove all your certificates and restart the generation; you should be able to enter the correct country name.

Code:
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel_patch_1
cp ./panel_patch_1 /etc/e-smith/web/functions/openvpn
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/locale_fr_patch_1.mo
cp ./locale_fr_patch_1.mo /usr/share/locale/fr/LC_MESSAGES/openvpn.mo