Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Offline Daniel B.

« on: July 27, 2006, 03:02:17 PM »
I've just made a little pack which installs OpenVPN in bridge mode on SME 7.0.

The hardest work has been done by swerts knudsen, so all the thanks are for him; I've just made a little panel in the server manager to change some configuration. This panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connections, even the local one, so be sure you have physical access to your server), I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.

For now, the panel only works for bridge mode; maybe I'll try to integrate other functions later.

If you have any suggestions or comments, email me: daniel@firewall-services.com

You can find the latest release here:

http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.1-2.noarch.rpm


and its how-to:

http://sme.firewall-services.com/spip.php?article43
It's the end of the world !!! :lol:

Offline jester

« Reply #1 on: July 27, 2006, 03:37:45 PM »
Daniel,

This is GREAT!   :-D

I'll start testing this weekend, is there a section in the bug tracker for this contrib?!

Kind regards,
jester.

Offline Daniel B.

« Reply #2 on: July 27, 2006, 03:57:37 PM »
I've just opened bug no. 1780.
It's the end of the world !!! :lol:

Offline Daniel B.

« Reply #3 on: August 02, 2006, 11:38:03 AM »
I've just seen a big bug, which I've corrected: a script was missing from the archive :/
If you have already downloaded it and it doesn't work, that's "normal". You should re-download and replace the file /etc/e-smith/web/functions/openvpn with the one in the archive (panel/openvpn).
It's the end of the world !!! :lol:

Offline Franco

« Reply #4 on: August 14, 2006, 12:05:23 AM »
I just tried this contrib in two different setups, one using server-gateway and another using server-only.
The server-gateway works fine, the server-only mode loses its IP route table after the install.
I removed the contrib and things went back to normal, I use the same OpenVPN setup when in server-only mode so I can reach the system itself. This has worked fine using Swert's directions. In this setup I forward the right ports from the firewall to the server-only mode system.

Offline Daniel B.

« Reply #5 on: August 14, 2006, 12:55:43 AM »
OK. It's true that most of my tests were in server and gateway mode and I didn't spend much time on server-only. Anyway, I'm still working on it, especially on support for other functions such as routed and client mode (and maybe a certificate manager). I'll try to solve this problem. Thanks for your report and have a good weekend :p
It's the end of the world !!! :lol:

Offline jvels

« Reply #6 on: August 20, 2006, 07:40:19 PM »
Hello

Does anyone have this working in server-only mode, with a setup like this:


[router]
dhcp server
IP 192.168.0.1

[SME7 Server]
IP 192.168.0.5

Floyd

« Reply #7 on: August 21, 2006, 03:48:02 AM »
what steps did you use to uninstall this contrib?  There did not seem to be an uninstall script, or did I miss it?

Or did you just do an rpm -e on the three installed RPMs and get your routing table back?  I have experienced the same problem after installing in server-only mode.

Offline Daniel B.

« Reply #8 on: August 21, 2006, 09:49:28 AM »
There's an uninstall script in the archive. If you don't have it, copy and paste these lines into a text file and execute it:

Code:

#!/bin/bash

config='/sbin/e-smith/db configuration'
rm='/bin/rm'

echo 'stopping the service'

/etc/init.d/openvpn stop
# point InternalInterface at the interface stored in the openvpn entry (localInf)
$config setprop InternalInterface $($config getprop openvpn localInf)

echo 'ok'

echo 'removing openvpn entries from the configuration db'

$config delete openvpn

echo 'ok'

echo 'removing rpms'

rpm -e smeserver-openvpn-0.0.1-2
rpm -e openvpn-2.0.2-1.2.el4.rf
rpm -e lzo-1.08-4.2.el4.rf

echo 'ok'

echo 'removing scripts'

$rm -f /etc/openvpn/logoff.sh
$rm -f /etc/openvpn/logoff_user.pl
$rm -f /etc/openvpn/openvpn-shutdown
$rm -f /etc/openvpn/openvpn-startup
$rm -f /etc/openvpn/validate.sh
$rm -f /etc/openvpn/validate_user.pl
$rm -f /etc/openvpn/server.conf

echo 'ok'

echo 'removing templates'

$rm -Rf /etc/e-smith/templates/etc/openvpn/server.conf

echo 'ok'

echo 'removing log file'

$rm -f /var/log/openvpn/openvpn.log

echo 'ok'

echo 'removing the panel'

$rm -f /etc/e-smith/web/functions/openvpn
$rm -f /etc/e-smith/web/panels/manager/cgi-bin/openvpn
/etc/e-smith/events/actions/navigation-conf >/dev/null 2>&1

echo 'ok'
It's the end of the world !!! :lol:

Offline jvels

Re: [ANNOUNCE] openVPN in bridge mode with a panel (beta)
« Reply #9 on: September 26, 2006, 09:50:47 PM »
Quote from: "VIP-ire"
I've just made a little pack which installs OpenVPN in bridge mode on SME 7.0.

The hardest work has been done by swerts knudsen, so all the thanks are for him; I've just made a little panel in the server manager to change some configuration. This panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connections, even the local one, so be sure you have physical access to your server), I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.

For now, the panel only works for bridge mode; maybe I'll try to integrate other functions later.

If you have any suggestions or comments, email me: daniel@firewall-services.com

You can download the archive at

http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.tar.gz

and its how-to:

http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.pdf


Hi

Is this still beta or can I install it on a live production server?

Best regards
Jesper vels

Offline Daniel B.

« Reply #10 on: September 26, 2006, 10:31:27 PM »
Yes, it's still beta. I've started the new release but it's more work than I thought. I'm also working on a small contrib for motion (video supervision), and I've just finished correcting my first contrib, backuppc, so the development of the openvpn one has slowed down. But I use this beta on 3 prod servers and I haven't had any problem for more than two months. If you use the server & gateway mode, I think you can use this.
There's one thing you must take care of (but this was already present in the base of the contrib): you must not restart the dhcpd service while openvpn is running. If you do, dhcpd won't start correctly, and it will fill the messages log very quickly (more than 700 MB per day), and this can slow down the server. I'll try to correct this.

dani
It's the end of the world !!! :lol:

Offline robwellesley

« Reply #11 on: October 03, 2006, 11:48:12 AM »
Hi Daniel

I posted a note in the bug tracker.  Not sure if you get it CC'd or not so I thought I'd drop a line here.

Nice work by the way.  When I get it off the VMWare and into the real world I'll give a bit more feedback on any other bugs or problems I encounter.


Rob

Offline jester

« Reply #12 on: October 24, 2006, 02:48:02 PM »
Daniel,

Does your contrib need any additional configuration other than described in the PDF and the obvious enabling the service in the panel ?!
Like: port opening, adding a range to the local networks, adjusting the number of PPTP clients, granting VPN access rights to users....


Regards,
jester.

Offline Daniel B.

« Reply #13 on: October 24, 2006, 03:04:26 PM »
No, normally it shouldn't; the port opening should be done automatically during the install process. The number of clients is set in the panel and is separate from the number of PPTP clients.

Just three more things:
- it works only for server and gateway
- you need to set a correct range of IP addresses in the panel, in the same subnet as your standard local network but outside the standard DHCP range. By default, this range is from 192.168.200.25 to 192.168.200.50 but needs to be changed.
- verify in the file /etc/e-smith/templates/etc/openvpn/server.conf/80clients that line 9 is:
Code:

$OUT .= "max-clients $maxClient\n";

and not
Code:
$OUT .= "max-clients $maxClient";


You can verify if the service is running with the command
ps aux | grep openvpn

it should return something like
/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
It's the end of the world !!! :lol:
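
The newline check described in the reply above can be run across every fragment in the template directory; the same kind of missing \n is reported for the 40scripts fragment later in the thread. This is an added example, not code from the contrib: the fragment bodies are constructed, and only single-line `$OUT .= "...";` statements are checked.

```sh
#!/bin/sh
# Added example (not part of the contrib): flag single-line  $OUT .= "...";
# statements in template fragments whose string does not end in \n.

# lint_fragments DIR
# Prints "fragment:line:text" for each offending line; returns 1 if any found.
lint_fragments() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # first grep: $OUT assignments; second: drop those already ending in \n";
        hits=$(grep -n '\$OUT[[:space:]]*\.=[[:space:]]*".*";' "$f" \
               | grep -v '\\n";[[:space:]]*$') || true
        [ -n "$hits" ] || continue
        bad=1
        printf '%s\n' "$hits" | sed "s|^|$(basename "$f"):|"
    done
    return "$bad"
}

# Constructed sample directory; on the server DIR would be
# /etc/e-smith/templates/etc/openvpn/server.conf
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/80clients" <<'EOF'
{
    # constructed fragment body
    $OUT .= "max-clients $maxClient";
}
EOF
    cat > "$d/40scripts" <<'EOF'
{
    $OUT .= "client-disconnect ./logoff.sh\n";
}
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
lint_fragments "$sample" || printf '%s\n' 'the lines above are missing a trailing \n'
rm -rf "$sample"
```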

Offline robwellesley

« Reply #14 on: October 25, 2006, 06:19:32 AM »
Also, in 40scripts

line -  $OUT .= "client-disconnect ./logoff.sh";

should be -  $OUT .= "client-disconnect ./logoff.sh\n";

If you add client-cert-not-required to the server.conf you only need the ca.crt on the client.

Also,
you can rpm -Uvh the latest openvpn rpm (2.7) from http://dag.wieers.com/packages/openvpn/

Also,
I'm working on an idea to add a line to the validate_user.pl that checks to see if the user has VPNAccess set to yes in the configuration database.

Something logically like if `db accounts getprop $user VPNClientAccess` = no then die?

This would give simple control over who has access

I'll cut and paste this to the bug tracker
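
A fail-closed version of the access check sketched in the reply above, as an added example that is not the contrib's validate_user.pl: it allows a login only when the property is exactly yes, which is stricter than the "= no then die" sketch, so accounts with the property unset are denied. The DB_CMD override and the stub accounts are assumptions for running it off-server; the property name is the one written in the reply.

```sh
#!/bin/sh
# Added example, not the contrib's validate_user.pl.
# Assumptions: the property name VPNClientAccess (as written in the reply)
# and the DB_CMD override used to run this off-server.

# vpn_access_allowed USER
# Returns 0 only when the account's VPNClientAccess property is exactly "yes".
# Unset property, unknown account, db failure or an odd username all deny.
vpn_access_allowed() {
    user=$1
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;   # never pass these to db
    esac
    value=$("${DB_CMD:-/sbin/e-smith/db}" accounts getprop "$user" \
            VPNClientAccess 2>/dev/null) || return 1
    [ "$value" = "yes" ]
}

# Constructed stand-in for the db command so the example runs anywhere.
# Called as: stub_db accounts getprop USER VPNClientAccess
stub_db() {
    case $3 in
        alice) echo yes ;;
        bob)   echo no ;;
        carol) echo ;;          # account exists, property never set
        *)     return 1 ;;      # no such account
    esac
}

DB_CMD=stub_db
for u in alice bob carol dave 'al ice'; do
    if vpn_access_allowed "$u"; then
        echo "$u: allow"
    else
        echo "$u: deny"
    fi
done
```

How the user name reaches the check depends on how validate.sh and validate_user.pl are invoked, which the thread does not show.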