Koozali.org: home of the SME Server

OpenVPN for Sme 7.0

Offline AndrewR

OpenVPN for Sme 7.0
« Reply #30 on: November 07, 2006, 09:45:42 PM »
Quote from: "VIP-ire"

Well, I first made a function to delete the certificate but I removed it. I think it's better to just revoke it. For example, if one of your certificates is stolen and you don't know it, you remove the certificate without revoking it and the person who has your certificate can still have access.

 


Ok, now I see your logic here. That makes sense. But maybe then with the revoked Certificates, remove them from the list of certificates.. or perhaps change the color to RED or something (similar to the user panel where a locked user account has a RED link for it). Just for ease of visual distinguishing. Perhaps with Deletion.. only allow deletion if the certificates have already been revoked. Otherwise the panel will not allow for Deletion?

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #31 on: November 07, 2006, 10:40:21 PM »
Well ok, I'll try to add an option, not to remove the certificate from the server, but just from the list.
It's the end of the world!!! :lol:

Offline imcintyre

Trouble with Uninstall
« Reply #32 on: November 08, 2006, 03:08:34 AM »
Quote
VIP, I don't know what else you changed.. but I uninstalled 3 and went to beta4, and now my VPN server works! I was actually able to login using a user account, connect, and access the network using OpenVPN


I tried to get this to run but I keep getting uninstall command not found however it is in my directory
Quote
ls
init.d   install~  lzo-1.08-4.2.el4.rf.i386.rpm     panel        sme-openssl.cnf.template              templates  uninstall~           upgrade_from_beta3
install  local     openvpn-2.0.7-1.el4.rf.i386.rpm  scripts_sme  smeserver-openvpn-0.0.1-2.noarch.rpm  uninstall  upgrade_from_beta1~  upgrade_from_beta3~

Am I missing something? Help please

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #33 on: November 08, 2006, 09:37:55 AM »
The uninstall script must be run this way:

[root@sme #] sh uninstall

You must be in the directory smeserver-openvpn-bridge_betaxx depending on your release

Offline imcintyre

OpenVPN for Sme 7.0
« Reply #34 on: November 08, 2006, 12:38:43 PM »
Thanks for the reply, everything seems to have run properly
Quote
[root@server1 smeserver-openvpn-bridge_beta3.1]# sh uninstall
stoping the service
Shutting down openvpn: br0: unknown interface: No such device
bridge br0 doesn't exist; can't delete it
Wed Nov  8 06:23:04 2006 TUN/TAP device tap0 opened
Wed Nov  8 06:23:04 2006 Persist state set to: OFF
Stopping dhcpd:                                            [  OK  ]

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
Starting dhcpd:                                            [  OK  ]
                                                           [  OK  ]
ok
removing openvpn entries from the configuration db
ok
removing rpms
ok
removing scripts
ok
removing templates
ok
removing log file
ok
removing the panel
ok
removing db entries

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #35 on: November 08, 2006, 01:24:37 PM »
There's a small how-to for the configuration of an SME as client of another SME running smeserver-openvpn-bridge here

Offline imcintyre

OpenVPN for Sme 7.0
« Reply #36 on: November 08, 2006, 01:32:55 PM »
Daniel;

Thx. I am trying to muddle through things now, but actually have to get on the program vis a vis work. I will continue tonight and let you know.


Ian

Offline imcintyre

OpenVPN for Sme 7.0
« Reply #37 on: November 08, 2006, 06:59:04 PM »
VIP-ire;

When I was setting up the certificates, it asks for an email address. What is the significance of this? I do not have mail running off my server so an "internal" address won't work if it actually needs to do anything. I can give it a working address from my ISP that I should get if the server needs to send anything.

Let me know. Thx in advance.

Ian

Offline imcintyre

Configuration Confusion on my part
« Reply #38 on: November 09, 2006, 02:55:58 AM »
Vip-ire;

I went through your instructions (http://sme.firewall-services.com/spip.php?article4 ) and I have some problems with the configuration. Some of this might seem like nitpicking but actually is my noobiness on full display.

1) On the server side, I completed the configuration but there are some things that I did not know if I answered correctly.

a) The bridge interface. Is this the name of the nic on the internet side of my server. As I recall when I set this up, it should be eth1.

b) Tap Interface is a software construct so I will leave this alone. (?)

c) I picked authentication method 5 but did not get a place to enter username/password.  Did I miss something?

d) A bit confused by the "Do you want to use your server as default gateway..." I am using only one server that is in gateway and server mode. I will vpn in from the outside using client machine, so the answer to this is yes (?). I am not sure how to answer the Redirect Gateway question. I picked disabled but is this correct.

2) On the client side, I have my work laptop at home . As per instructions, for windows 2K/XP clients, download the openvpn GUI at http://openvpn.se/files/install_pac... and install it. Everything seems in place.

I then logged into the SME Server admin. As instructed I downloaded the ca.crt file, the Ian_McIntyre.crt file and the Ian_McIntyre.key to my laptop   into the appropriate directory. The next instructions were
Quote
Put these files in the C:\Program Files\OpenVPN\config folder and create a new text file called VPN.ovpn (in the same C:\Program_Files\OpenVPN\config folder). Copy the generated config in this file and save it.


Which of the three files is the generated config file or did I miss something.

Thanks in advance for your help.

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #39 on: November 09, 2006, 09:57:56 AM »
Quote from: "imcintyre"
VIP-ire;

When I was setting up the certificates, it asks for an email address. What is the significance of this? I do not have mail running off my server so an "internal" address won't work if it actually needs to do anything. I can give it a working address from my ISP that I should get if the server needs to send anything.

Let me know. Thx in advance.

Ian


Well, the mail address is just a required field for an X.509 certificate. You can put the address you want, not necessarily a mail account of this server. You can enter anything you want.

Quote from: "imcintyre"

a) The bridge interface. Is this the name of the nic on the internet side of my server. As I recall when I set this up, it should be eth1.

b) Tap Interface is a software construct so I will leave this alone. (?)


No, you shouldn't have to change the 3 interfaces, I just put this in the panel for some specific configurations but, most of the time:
the bridge interface is br0 (it's a virtual interface in which we will enslave the 2 others)
the local interface to be bridged is the interface of your local network, not the internet side one. It's normally always eth0
the Tap interface is the virtual interface of the VPN, it's always tap0

Quote from: "imcintyre"

c) I picked authentication method 5 but did not get a place to enter username/password. Did I miss something?


When you choose a method with login/passwords, it refers to the login/passwords of the different user accounts.

Quote from: "imcintyre"

d) A bit confused by the "Do you want to use your server as default gateway..." I am using only one server that is in gateway and server mode. I will vpn in from the outside using client machine, so the answer to this is yes (?). I am not sure how to answer the Redirect Gateway question. I picked disabled but is this correct.


If redirect gateway is enabled, that means that when a client connects to your server via VPN, your VPN server will become his default gateway, so all the communications of the client will pass through the VPN.

Quote from: "imcintyre"

Which of the three files is the generated config file or did I miss something.


None of these 3 files is the configuration file, these are the certificates and the private key of the client (which are needed by the authentication method you chose). To view the configuration file, go in the certificate manager and click on the 'display' link of the certificate of the client you want, you will see the configuration file and what you need to do then is to copy/paste these lines to the vpn.ovpn file.

Hope this will help you

Offline jonic

OpenVPN for Sme 7.0
« Reply #40 on: November 09, 2006, 12:39:10 PM »
I've installed openvpn beta 4, following the how to. When I ran the installation script I got the following error message :
"copying templates
ERROR: No templates were found for /etc/openvpn/persist-pool. at /sbin/e-smith/expand-template line 45
ok ".

Everything seemed ok afterwards. I've configured openvpn, through server-manager, leaving all the default options and choosing authentication method 3. I created a certificate for my clients (ip and user fields left blank).

When I try to connect to the server I get a "Connection reset by peer" error right after I am asked for my user and password. I have vpn access granted in server-manager for this user.

Any ideas?

And by the way, thanks for this contrib!

Edit: I had no other previous versions of this contrib installed.

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #41 on: November 09, 2006, 12:49:53 PM »
Quote from: "jonic"
I've installed openvpn beta 4, following the how to. When I ran the installation script I got the following error message :
"copying templates
ERROR: No templates were found for /etc/openvpn/persist-pool. at /sbin/e-smith/expand-template line 45
ok ".


Oops, that's my fault. I just forgot to remove a line from the install script, but it's not very important.

Quote from: "jonic"

Everything seemed ok afterwards. I've configured openvpn, through server-manager, leaving all the default options and choosing authentication method 3. I created a certificate for my clients (ip and user fields left blank).

When I try to connect to the server I get a "Connection reset by peer" error right after I am asked for my user and password. I have vpn access granted in server-manager for this user.


You say you left the default options, but have you enabled the service (in the panel)?
Did you use the config file from the panel?
Have you checked that the 2 certificates (ca.crt and client.crt) and the private key (client.key) are not empty (they normally shouldn't be, but in a previous release it could happen)?
Can you give me the output of
tail /var/log/openvpn/logins and
tail /var/log/openvpn/openvpn.log
after trying to login.

Offline jonic

OpenVPN for Sme 7.0
« Reply #42 on: November 09, 2006, 01:16:45 PM »
Quote from: "VIP-ire"

You say you left the default options, but have you enabled the service (in the panel)?

Yes, I did.

Quote from: "VIP-ire"

Did you use the config file from the panel?
Have you checked that the 2 certificates (ca.crt and client.crt) and the private key (client.key) are not empty (they normally shouldn't be, but in a previous release it could happen)?


Yes I used the config file from the panel. I needed to modify the hostname of the server from mrm.ro to server.mrm.ro (I don't have a dns record for mrm.ro).
I checked the certificates and they are not empty. I did modify the name of the ca.crt to ca-mrm.crt, and I modified the client ovpn configuration file accordingly (this shouldn't be a problem I think).

Quote from: "VIP-ire"

Can you give me the output of
tail /var/log/openvpn/logins and
tail /var/log/openvpn/openvpn.log
after trying to login.


There is no logins log, and checking the openvpn.log I've seen the following error:
"Options error: --server-bridge IP addresses 192.168.57.1 and 192.168.200.25 are not in the same 255.255.255.0 subnet"

It seems that I forgot to modify the ip's for openvpn clients to be in the same network as my local network. Once I did this everything worked like a charm.

Thanks for this great contrib, and for the quick replies . :)
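The three things that went wrong or were asked about in Replies #39, #41 and #42 (which file is the client config and what redirect-gateway changes in it, certificate files that may be empty, and a server-bridge gateway and client pool that are not in the same subnet) as one added Python example. This is not code from smeserver-openvpn-bridge or from the panel; the function names, the set of directives emitted for the client file, and the sample addresses and PEM contents are assumptions, constructed here to show the checks.

```python
import ipaddress
import os
import tempfile

# Files the panel hands out for one client (Reply #41). Names are assumed.
PEM_FILES = ("ca.crt", "client.crt", "client.key")


def check_server_bridge(gateway_ip, netmask, pool_start, pool_end):
    """Validate a prospective `server-bridge <gw> <mask> <start> <end>` line.

    Returns a list of human-readable problems (empty when the line is sane).
    The first check reproduces the condition behind the log line quoted in
    Reply #42: the client pool must sit in the gateway's subnet, otherwise
    bridged clients receive addresses the LAN will never route.
    """
    problems = []
    try:
        net = ipaddress.IPv4Network(f"{gateway_ip}/{netmask}", strict=False)
        gw = ipaddress.IPv4Address(gateway_ip)
        start = ipaddress.IPv4Address(pool_start)
        end = ipaddress.IPv4Address(pool_end)
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]
    for label, ip in (("pool start", start), ("pool end", end)):
        if ip not in net:
            problems.append(
                f"{label} {ip} is not in the same {netmask} subnet as gateway {gw}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    elif start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the client pool {start}-{end}")
    return problems


def check_pem_data(label, data):
    """Return a problem string for one PEM blob, or None if it looks usable."""
    if not data.strip():
        return f"{label}: file is empty"
    if b"-----BEGIN " not in data or b"-----END " not in data:
        return f"{label}: no PEM BEGIN/END markers found"
    return None


def check_pem_files(directory):
    """Check that ca.crt, client.crt and client.key exist and are non-empty."""
    problems = []
    for name in PEM_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: file is missing")
            continue
        with open(path, "rb") as fh:
            problem = check_pem_data(name, fh.read())
        if problem:
            problems.append(problem)
    return problems


def render_client_config(remote_host, port=1194, proto="udp",
                         user_pass=False, redirect_gateway=False):
    """Build the text of a bridged (tap) client .ovpn file.

    This is an assumed directive set, not the panel's generated config.
    `user_pass` adds auth-user-pass for the login/password methods; with
    `redirect_gateway` the client sends all traffic through the VPN
    (Reply #39), without it only the LAN behind the bridge is reachable.
    """
    lines = [
        "client", "dev tap", f"proto {proto}", f"remote {remote_host} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "ca ca.crt", "cert client.crt", "key client.key",
    ]
    if user_pass:
        lines.append("auth-user-pass")
    if redirect_gateway:
        lines.append("redirect-gateway def1")
    lines.append("verb 3")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The mismatch from Reply #42 (pool values constructed for the demo).
    for p in check_server_bridge("192.168.57.1", "255.255.255.0",
                                 "192.168.200.25", "192.168.200.50"):
        print("server-bridge:", p)
    # Constructed client directory: placeholder CA, empty client cert, no key.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ca.crt"), "wb") as fh:
            fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        open(os.path.join(d, "client.crt"), "wb").close()
        for p in check_pem_files(d):
            print("files:", p)
    print(render_client_config("server.example.test", user_pass=True,
                               redirect_gateway=False))
```

Run the checks before restarting the service: a non-empty problem list from check_server_bridge is exactly the situation that produced the "not in the same subnet" options error in the log, and check_pem_files catches the empty certificate files the author mentions as a known problem in an earlier release.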

Offline imcintyre

OpenVPN for Sme 7.0
« Reply #43 on: November 09, 2006, 04:39:29 PM »
VIP-ire;

Got everything reinstalled and set up on laptop. Will probably test tomorrow when I am not on site. I tried it on site and it failed which is not surprising since I am already on the network I am trying to vpn into.

One concern I have is last night I noticed the following entry at the bottom of my sme server admin manage page.
Quote
Collaboration
Users
Groups
Quotas
Pseudonyms
Information bays
Administration
Backup or restore
View log files
Mail log file analysis
Reboot or shutdown
Security
Remote access
Local networks
Port forwarding
Proxy settings
Configuration
OpenVPN
Software installer
Date and time
Workgroup
Directory
Printers
Hostnames and addresses
Domains
E-mail
Antivirus (ClamAV)
Review configuration
Crontab Manager
Miscellaneous
Support and licensing
Create starter web site
Unknown
.rnd


When I click on the .rnd option, I get the following message.

Quote
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, admin and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


I searched through the log files you get when you go into the "view Log files" feature. I looked for "error" and ".rnd" and could not find anything. Googled ".rnd" and could not see anything relevant.

I thought about rebooting server but am supposed to be working at home later today and am not so inclined to be without internet access.

Any insight? Thx in advance for your help.

Offline Daniel B.

OpenVPN for Sme 7.0
« Reply #44 on: November 10, 2006, 12:14:56 PM »
Ok, I've just seen that I have the same problem. This file is created during certificate generation. Anyway, I'm working on beta5 and it'll be corrected. This beta will seriously improve the security and will correct the last little problems like the .rnd one