Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Offline Daniel B.

« Reply #15 on: October 25, 2006, 09:35:10 AM »
Thanks a lot robwellesley for your interest and your reports. You're right, it's not a bad idea to verify whether the user has VPN access.
I'll try to add client-cert-not-required as an option in the panel, but I think it's less secure. The thing I'd like to do is a certificate manager. With this, we could generate one certificate per client. With this, openvpn can easily recognise who is connecting, and always give the same IP. But this will take some more time to implement. I'll try to add your ideas as soon as I can.
It's the end of the world!!! :lol:

Offline robwellesley

« Reply #16 on: October 25, 2006, 12:54:30 PM »
Quote
Thanks a lot robwellesley for your interest and your reports


You're welcome!  Thank you for sharing your knowledge and expertise.

It got us over the persistent problem whereby multiple PCs on a LAN behind a smeserver can't simultaneously connect using PPTP to a remote smeserver.  With OpenVPN they can.

Offline Daniel B.

« Reply #17 on: October 25, 2006, 06:07:00 PM »
beta2 is available, you can see the change log, and the how-to here
I haven't tested all the new functions. Even if everything should work, please try it on a test server first.

By the way, you can see all the other contribs and how-tos from firewall-services on this site: http://dedibox.firewall-services.com/contribs

best regards, daniel

Offline Daniel B.

« Reply #18 on: October 26, 2006, 11:29:48 AM »
There was an error in the script which validates the user name/password: I forgot to chomp the variable VPNClienAccess. I've just corrected it and uploaded it. You can download the new archive at the same place:

http://dedibox.firewall-services.com/downloads/smeserver/smeserver-openvpn/smeserver-openvpn-bridge_beta2.tar.gz
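The class of bug described in the post above, as an added example that is not part of the original post or of the contrib's script: a value read from a child process keeps its trailing newline, and an unstripped comparison on an access flag either refuses everyone or admits a denied user, depending on how the test is written. Python stands in for the contrib's script; the account table, the function names and the way the flag is compared are assumptions, since the post does not show the script.

```python
import subprocess
import sys

# Constructed stand-in for the account database: user -> VPN access flag.
ACCOUNTS = {"alice": "yes", "bob": "no"}


def read_flag(user):
    """Fetch the flag through a child process, the way a script shelling
    out to a database tool would. The tool's trailing newline is kept."""
    child = "import sys; print(sys.argv[1])"
    flag = ACCOUNTS.get(user, "")
    result = subprocess.run([sys.executable, "-c", child, flag],
                            capture_output=True, text=True, check=True)
    return result.stdout


def allowed_unstripped(user):
    # Bug: "yes\n" is compared with "yes", so every user is refused.
    # The check fails closed: annoying, but nobody gets in by mistake.
    return read_flag(user) == "yes"


def allowed_denylist_unstripped(user):
    # Same bug with the test inverted: "no\n" != "no", so a denied or
    # unknown user is admitted. The check fails open.
    return read_flag(user) != "no"


def allowed(user):
    # Fix: strip the line ending (what Perl's chomp does), then admit
    # only on an exact "yes" so that anything unexpected is refused.
    return read_flag(user).rstrip("\r\n") == "yes"


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, allowed_unstripped(name),
              allowed_denylist_unstripped(name), allowed(name))
```
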

Skip

« Reply #19 on: October 26, 2006, 09:21:15 PM »
Hi Daniel,

Thanks for this excellent contrib! I'm new to Sme (about a month maybe?) and was having issues with the standard pptp due to firewalls blocking GRE from work (at least that's what I *think* was happening).

Anyway, installed this and messed with this a bit and can now get access. :)

One thing I did have to do, and you and others might be able to tell me why this might be bad: I modified the panel code and templates to allow selecting of a TCP port instead of UDP.

The only way I could get through the firewall at work -- it seemed -- was to use the pptp port of 1723 and shut off the standard pptp.

I can supply diffs in the bug tracker for the TCP/UDP changes if there's any worth in that...

Cheers, and thanks again for the great work!

-Skip.

Offline jvels

« Reply #20 on: October 26, 2006, 10:02:26 PM »
I see:

Quote
It seems to work in server-only mode


Must the dhcp service be enabled in server-only mode, or can I run without it enabled?

Best Regards
Jesper Vels

Offline Daniel B.

« Reply #21 on: October 27, 2006, 10:02:40 AM »
Well, in fact, don't use it yet in server-only mode, I've noticed some little bugs. I think I'll release beta3 soon with no real changes but with bug corrections, and maybe the choice between TCP and UDP as proto. I'll keep you informed.

Offline Daniel B.

« Reply #22 on: October 27, 2006, 11:58:30 PM »
smeserver-openvpn-bridge_beta3.

I've corrected several bugs of beta2 and added some functions:

- default gateway bug in server-only mode
- if dhcpd is disabled, then it's no longer started when openvpn starts
- bugs in certificate generation at the first install (now it works :p)
- French translation
- you can choose between tcp and udp (even if udp is recommended)
- possibility to remove all your certificates and to regenerate them

It shouldn't be risky to install it on a prod server, but there may be some other bugs. (As far as I've tested, everything works)

https://dedibox.firewall-services.com/contribs/spip.php?article2

Offline jonroberts

« Reply #23 on: October 29, 2006, 11:13:30 PM »
Don't know if you guys can help me, but I'm looking for a VPN solution to bridge between two networks (e.g. SME to SME).

We have two sites connected by a dedicated leased line, which we want to get rid of.  For reasons I won't go into, the two sites need to share the same IP subnet.

Will this contrib give me the option to replace the leased line by bridging our two sites over an Internet link?

Any thoughts much appreciated.

Jon
......

Offline erykwol

One small problem after a forced reboot of the server
« Reply #24 on: October 30, 2006, 01:59:04 PM »
Hello,

Nice contribution.

When I was testing it, I discovered a small problem.
After an unclean or forced shutdown of the server there is a problem with the network setup.
If openvpn was running before the shutdown, the configuration file states that the internal interface is still br0. This will give problems on startup.
One possible solution would be to run a script at boot time to reset the configuration file just before launching any scripts using these settings.

It could be:
/etc/rc7.d/S15reset-openvpn -> /etc/init.d/reset-openvpn

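#!/bin/bash
####################################
# Reset SME openvpn configuration after unclean shutdown
####################################
# Interface name stored in the openvpn localInf property
eth=$(/sbin/e-smith/db configuration getprop openvpn localInf)
# Restore InternalInterface only when a value was found; never write an empty name
if [ -n "$eth" ]; then
    /sbin/e-smith/db configuration setprop InternalInterface Name "$eth"
fi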

It would be nice if VIP-ire could integrate it in his rpm.

Any other solutions much appreciated.

Eryk

Offline Daniel B.

« Reply #25 on: October 30, 2006, 02:24:01 PM »
Not a bad idea at all. Will integrate it in beta3.1 this afternoon as I've noticed some errors in beta3.

Offline Daniel B.

« Reply #26 on: October 30, 2006, 02:26:03 PM »
Quote from: "jonroberts"
Don't know if you guys can help me, but I'm looking for a VPN solution to bridge between two networks (e.g. SME to SME).

We have two sites connected by a dedicated leased line, which we want to get rid of.  For reasons I won't go into, the two sites need to share the same IP subnet.

Will this contrib give me the option to replace the leased line by bridging our two sites over an Internet link?

Any thoughts much appreciated.

Jon


Well, openvpn in bridge mode can be a good solution for interconnecting two sites with the same subnet. I'll write a how-to for the configuration of an SME server as a client of another SME with this contrib. Will post when it's online.

Offline jonroberts

« Reply #27 on: October 30, 2006, 02:30:08 PM »
Quote from: "VIP-ire"
I'll write a how-to for the configuration of an SME server as a client of another SME with this contrib. Will post when it's online.


Hey, that would be great & certainly be a massive help for me.  I'll look forward to reading it.

Thanks
Jon
......

Offline Daniel B.

« Reply #28 on: October 30, 2006, 02:49:55 PM »
smeserver-openvpn-bridge_beta3.1 available.

https://dedibox.firewall-services.com/contribs/spip.php?article2

Offline AndrewR

Re: [ANNOUNCE] openVPN in bridge mode with a panel (beta)
« Reply #29 on: November 03, 2006, 07:22:07 PM »
Quote from: "VIP-ire"
I've just made a little pack which installs openVPN in bridge mode on SME 7.0

The hardest work has been done by swerts knudsen so all the thanks are for him, I've just made a little panel in the server manager to change some configuration, this panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connections, even the local one, so be sure you have physical access to your server) I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.

For now, the panel just works for the bridge mode, maybe I'll try to integrate other functions later.

If you have some suggestions or comments, email me: daniel@firewall-services.com

you can download the archive at

http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.tar.gz

and its how-to:

http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.pdf


I tried to DL these files from the links above... but they're not present. Is there an alternate Download Location?