Koozali.org: home of the SME Server

Openvpn

duncan

Openvpn
« on: August 11, 2004, 10:38:18 AM »
Available here.

rpm -ivh *.rpm

/sbin/e-smith/db configuration setprop openvpn status enabled
/sbin/e-smith/signal-event console-save
/sbin/reboot

Configs are in /etc/openvpn. The static.key is generated by the rpm and is unique to your machine.

Use the port-opening package from here to open your UDP/TCP ports.

Configuration howtos here

This is tested on 6.0.1 and does not have a web GUI.

Regards Duncan
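Because the contrib authenticates with a pre-shared static key (the static.key the rpm generates), the whole tunnel's security rests on that one file being unreadable to anyone but root and being copied intact to the client. The following check is an added example, not part of Duncan's contrib or of OpenVPN: it assumes the key is in the "OpenVPN Static key V1" text format that `openvpn --genkey --secret` writes (a 2048-bit key, 512 hex digits between a BEGIN and an END line), and the demo key it writes is constructed for illustration only.

```bash
#!/bin/bash
# Added example, not part of Duncan's contrib: sanity-check the pre-shared
# static key that the rpm drops in /etc/openvpn/static.key before you copy
# it to a client. Assumes the "OpenVPN Static key V1" text format that
# `openvpn --genkey --secret <file>` writes (a 2048-bit key = 512 hex digits
# between a BEGIN and an END line); the path and the checks are ours.

# Print a reason and return 1 if the file is not a usable, protected key;
# print "ok sha256=<digest>" and return 0 otherwise. Compare the digest
# with the copy on the client: both ends must hold the identical file.
check_static_key() {
    local f=$1 mode digits
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # The key is a shared secret: anyone who can read it can join the
    # tunnel or decrypt its traffic, so refuse group/world-readable files.
    mode=$(stat -c %a "$f")
    case $mode in
        600|400) ;;
        *) echo "mode $mode on $f is too open (want 600)"; return 1 ;;
    esac

    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" \
        || { echo "no V1 BEGIN line in $f"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" \
        || { echo "no V1 END line in $f"; return 1; }

    # Count hex digits on the body lines (the header lines contain other
    # characters and are skipped); a real key has 512, a truncated copy fewer.
    digits=$(grep '^[0-9a-f]*$' "$f" | tr -d '\n' | wc -c)
    [ "$digits" -eq 512 ] || { echo "expected 512 hex digits, found $digits"; return 1; }

    echo "ok sha256=$(sha256sum "$f" | cut -d' ' -f1)"
}

# Return 0 if the server and client copies of the key are byte-identical.
same_key() { cmp -s "$1" "$2"; }

# Write a CONSTRUCTED key with the right shape, for demonstration only.
# A real key must come from `openvpn --genkey --secret`, never from this.
make_demo_key() {
    local i=1
    {
        printf -- '-----BEGIN OpenVPN Static key V1-----\n'
        while [ "$i" -le 16 ]; do
            printf '%032x\n' "$((i * 2654435761))"
            i=$((i + 1))
        done
        printf -- '-----END OpenVPN Static key V1-----\n'
    } > "$1"
    chmod 600 "$1"
}

# Stand-alone demonstration: a good key passes, a world-readable one fails.
demo_dir=$(mktemp -d)
make_demo_key "$demo_dir/static.key"
check_static_key "$demo_dir/static.key"
chmod 644 "$demo_dir/static.key"
check_static_key "$demo_dir/static.key" || echo "(rejected as expected)"
rm -rf "$demo_dir"
```

Run `check_static_key /etc/openvpn/static.key` on the server and on each client copy and compare the digests. Static-key mode is also why Duncan notes below that every tunnel needs its own port: one pre-shared key serves exactly one peer, so each client gets its own server instance, and a key that leaks gives the holder the tunnel outright, with no certificate to revoke.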

duncan

Openvpn
« Reply #1 on: August 18, 2004, 07:11:19 AM »
Bump

I have added a howto here as well as some example config files that are working well for my guys.

WinXP <-> SMEServer

Regards Duncan

MasterSleepy
Openvpn
« Reply #2 on: August 18, 2004, 08:54:39 AM »
Hi duncan,

Great work, that's what I have been waiting for a long time now.

For port opening, maybe it would be a good idea to include the following script in the masq template directory
{
    # Look up the openvpn service record in the configuration db.
    # The hash name must be exactly 'openvpn': with a stray trailing
    # space ('openvpn ') the lookup finds nothing, $status falls back
    # to "disabled" and the port is never opened.
    my $status = ${'openvpn'}{status} || "disabled";

    $OUT = allow_udp_in(5000,
            ($status eq "enabled") );
}

So that the port opening is effective only when the service is enabled.

Regards.

duncan

Openvpn
« Reply #3 on: August 18, 2004, 10:29:13 AM »
Nice idea. Openvpn is moving towards one port for all tunnels, and when it gets there this will make a great addition; however, because there is a need to open a new port for each tunnel, it is probably better to use the port-opening contrib for the time being.

Regards Duncan

duncan

Openvpn
« Reply #4 on: August 18, 2004, 02:41:05 PM »
With that code and the service enabled I get

denylog    udp  --  anywhere             anywhere           udp dpt:5000

[root@mail log]# /sbin/e-smith/db configuration show openvpn
openvpn=service
    status=enabled
[root@mail log]#

Any ideas what the problem might be?

Regards Duncan

TrevorB
Openvpn
« Reply #5 on: September 13, 2004, 07:36:28 AM »
Thanks for the great contrib Duncan, worked fine for me (am using beta11), once I swapped over to tun (I was previously trying to use tap).

Trevor B

salesman

Openvpn
« Reply #7 on: September 28, 2004, 03:41:50 PM »
Hi Trevor B,
Do you have the beta11 rpm (I am having trouble getting the multi-client feature to work with Duncan's beta10), and if so, would you be so kind as to send it to me?

regards
Michael

TrevorB
Openvpn
« Reply #8 on: September 29, 2004, 01:11:02 PM »
I just built from the tarball from the openvpn.org site. (openvpn-2.0_beta11-1)

I will place a copy in my beta contribs directory when I remember the password (or get RequestedDeletion to reset it for me....).

http://contrins.org/contribs/trevorb/beta/

Trevor B
PS. I am using TCP rather than UDP (only because I was set up that way due to other problems I was having prior to installing Duncan's contrib). Will put up my configs as well.

TrevorB
Openvpn
« Reply #9 on: September 29, 2004, 01:29:46 PM »

salesman

Openvpn
« Reply #10 on: September 29, 2004, 02:31:07 PM »
Thanks a lot

regards Michael

Knuddi
Openvpn
« Reply #11 on: October 26, 2004, 03:59:07 PM »
I have tried to have an XP client connect to the SME server and have access to the private net, without complete luck. I get denylog entries in the message log. I decided to use tap as it allows better control from the server side. The client connects fine to the remote server and I can ping the server (192.168.1.1). When I try to access (ping) anything inside the private LAN (192.168.1.x) I get denylogs. I expect that I need to set up iptables rules but am not sure which. I would like to allow all traffic to route between eth0 and tap0. I have stored the two config files in http://sme.swerts-knudsen.dk/downloads/OpenVPN/ for reference.

The tap0 interface runs on 192.168.100.1 and the XP client gets 192.168.100.6.

A typical message log entry when trying to ping 192.168.1.50 from the XP client (192.168.100.6):

Oct 26 15:38:12 gateway kernel: denylog:IN=tap0 OUT=eth0 SRC=192.168.100.6 DST=192.168.1.50 LEN=92 TOS=0x00 PREC=0x00 TTL=15 ID=857 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=15104


any good ideas or suggestions?

Thanks,
Jesper

dhardy

Openvpn
« Reply #12 on: October 26, 2004, 06:12:18 PM »
Jesper,

Have you added your 192.168.100.x subnet into the local networks under the security settings in the Server Manager?

HTH

David.

Knuddi
Openvpn
« Reply #13 on: October 26, 2004, 08:22:50 PM »
The problem with doing so is that the gateway is eth0, and adding that as the gateway for 192.168.100.0 does not help (actually it makes me unable to ping 192.168.1.1 anymore). The route table also looks fine.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
80.196.46.140   *               255.255.255.252 U     0      0        0 eth1
192.168.100.0   *               255.255.255.0   U     0      0        0 tap0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         atm0-0-0-150113 0.0.0.0         UG    0      0        0 eth1

duncan

Openvpn
« Reply #14 on: October 26, 2004, 11:18:40 PM »
Hi,

Add the network as you normally would in the server manager to add the firewall rules. Enable "office.up" but put a "route del" entry in to remove the route to eth0.

Regards Duncan
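Jesper's denylog line already contains the diagnosis: IN=tap0 OUT=eth0 means the packet was being forwarded between two interfaces, not dropped on input, and the route table shows the tap0 route in place, so routing is fine and it is the firewall's local-network check (the one dhardy points at) that rejects the 192.168.100.x source. The script below is an added example, not from the thread or from SME Server: it parses such a line and classifies the drop against a local-network list you pass in (an assumption; read it from your own server-manager configuration). The first sample line is Jesper's, the second is constructed to show an INPUT drop that adding a local network would not fix.

```bash
#!/bin/bash
# Added example, not from the thread: decide from a kernel "denylog:" line
# whether a dropped packet was being forwarded between two interfaces from a
# source the firewall does not treat as a local network. The local-network
# list is an argument (assumption: take it from your own configuration);
# the log lines are samples, the first copied from Jesper's post.

# Jesper's log line, copied from the thread.
DENYLOG_THREAD='Oct 26 15:38:12 gateway kernel: denylog:IN=tap0 OUT=eth0 SRC=192.168.100.6 DST=192.168.1.50 LEN=92 TOS=0x00 PREC=0x00 TTL=15 ID=857 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=15104'
# Constructed: a packet addressed to the gateway itself (empty OUT=), i.e.
# an INPUT drop, which adding a local network will not change.
DENYLOG_INPUT='Oct 26 15:40:01 gateway kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=80.196.46.142 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22'

# Value of KEY= in a denylog line. The first token is "denylog:IN=...", so
# anything up to a colon is stripped from the key before comparing; the
# first match wins, which matters for the two ID= fields in an ICMP line.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | awk -F= -v k="$2" '{ sub(/^.*:/, "", $1) } $1 == k { print $2; exit }'
}

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies in network $2 (a.b.c.d/bits).
in_cidr() {
    local net=${2%/*} bits=${2#*/} mask
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Classify a denylog line. $1 = the line, $2 = space-separated local
# networks in CIDR form. Prints one of:
#   not-forwarded     no IN=/OUT= pair: an INPUT or OUTPUT drop, not routing
#   local-source      source already in a local network; look elsewhere
#   non-local-source  forwarded from a subnet the firewall does not trust;
#                     add that subnet as a local network (dhardy's advice)
classify_denylog() {
    local line=$1 nets=$2 iif oif src n
    iif=$(field "$line" IN); oif=$(field "$line" OUT); src=$(field "$line" SRC)
    if [ -z "$iif" ] || [ -z "$oif" ]; then echo not-forwarded; return; fi
    for n in $nets; do
        if in_cidr "$src" "$n"; then echo local-source; return; fi
    done
    echo non-local-source
}

# Stand-alone demonstration with the LAN as the only local network, then
# with the tunnel subnet added as dhardy suggested.
echo "thread line : $(classify_denylog "$DENYLOG_THREAD" '192.168.1.0/24')"
echo "after fix   : $(classify_denylog "$DENYLOG_THREAD" '192.168.1.0/24 192.168.100.0/24')"
echo "input drop  : $(classify_denylog "$DENYLOG_INPUT" '192.168.1.0/24')"
```

Pipe live lines in with `grep denylog: /var/log/messages` and run `classify_denylog` on each. Duncan's "route del" step addresses the side effect Jesper saw when he added the network with eth0 as its router: server-manager then installs a route to 192.168.100.0 via eth0 that competes with the tun/tap route, so the network must be added for the firewall rules while that extra route is removed.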