Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Offline del

« Reply #105 on: December 12, 2006, 11:22:23 PM »
Hi Bob,
Quote
When you were removing openvpn, did you delete the entire /etc/openvpn folder? That is what I did when I changed from routing to bridge, and things went pretty well.
No I didn't :shock:  But I have removed all three rpms, deleted the entire /etc/openvpn folder, rebooted for good measure, reinstalled the rpms and created the cert, and it works :D So I still don't know what I did wrong :? but it is now saying the daemon is running. I just need to try and connect from my client :D  I will let you know the outcome :D

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

Offline Daniel B.

« Reply #106 on: December 13, 2006, 09:45:00 AM »
Well, I'm glad it's finally working for you (or at least, the daemon is running). But I still wonder why the certificate generation doesn't work all the time. I cannot understand it. I had some problems with the previous beta, but since beta4 I have never had a problem with the generation. Del, can you please send me your file /var/log/httpd/admin_error_log by mail so I can try to understand the problem?
It's the end of the world!!! :lol:

Offline del

« Reply #107 on: December 13, 2006, 02:28:28 PM »
Hi VIP-ire,
Quote
Del, can you please send me your file /var/log/httpd/admin_error_log by mail so I try to understand the problem.
Email sent, I hope it helps.

Regards,
Del

Offline gerd

« Reply #108 on: December 13, 2006, 02:37:31 PM »
@ VIP-ire
I am just considering installing your contrib "smeserver-openvpn-bridge-fws-1.0-3.noarch" during the Christmas holidays. As of today, I have installed OpenVPN according to SWERTS-Knudsen, and it works (SAMBA shares etc.); however, I can get through the firewall to get access to the network printer or to my workstation in the company office. That is to say, I have to modify the iptables rules, and I don't like that too much.

Does the OpenVPN bridge mode mean that I can get through the firewall of the SME server and e.g. start a print job from the home office for the network printer in the company office, or access my office computer, without "touching" the iptables rules of the SME server?

Would be great if you can enlighten me...

thanx

gerd

Offline Daniel B.

« Reply #109 on: December 13, 2006, 03:20:01 PM »
Yes you can. My contrib uses bridge mode, which means that when you are connected to the VPN (from anywhere outside your network), it's exactly as if you were in your local network: you have an IP address in the same subnet as your local network, so there's no need to modify iptables. You can access every host of your internal network, every printer, every service. The only difference is the bandwidth. That's why I worked on the bridge mode, because SME's iptables rules are quite hard to modify.

Offline gerd

« Reply #110 on: December 13, 2006, 03:44:06 PM »
Good lord, that really is a quick reply.
Jesus, what a quick reply. So first of all, thanks.

What do you mean by "The only difference is the bandwidth"? Does this mean that the routed network connection needs higher bandwidth, hence lower transmission speed?

Any concerns as to security, routed VPN versus bridge mode VPN?

regards

gerd

Offline Daniel B.

« Reply #111 on: December 13, 2006, 03:54:47 PM »
I mean, when you're connected through the VPN, it's just as if you were on your local network, but you have less bandwidth because it uses your internet connection. If you have a 100Mb internet connection, it'll be exactly the same, but I don't think so. For the security, I spent a lot of time improving it since the first beta. I think it's now quite secure (depending on the authentication method you choose, the size of the key, the strength of the passwords and of course the way you deploy the certificates: they must be kept secret). But it's more for mobile clients than for site-to-site connections; even if it can work, it's not optimized.

Offline gerd

« Reply #112 on: December 13, 2006, 05:18:18 PM »
Is it mandatory that the local network uses DHCP? In the company office, for the moment, I use fixed IPs from 192.168.yy.1xx to 192.168.yy.200. For the VPN address range I have opted for 192.168.yy.060 to 192.168.yy.70. Number of clients allowed at the same time: 4.

Possible / not possible?

best regards

gerd

Offline Daniel B.

« Reply #113 on: December 13, 2006, 05:26:16 PM »
Seems to be OK: if nobody uses the range 192.168.yy.60 to 192.168.yy.70 (neither DHCP nor fixed IP), it's OK.

Offline AndrewR

« Reply #114 on: December 13, 2006, 05:43:45 PM »
Quote from: "gerd"
Is it mandatory that the local network uses DHCP? In the company office, for the moment, I use fixed IPs from 192.168.yy.1xx to 192.168.yy.200. For the VPN address range I have opted for 192.168.yy.060 to 192.168.yy.70. Number of clients allowed at the same time: 4.

Possible / not possible?

best regards

gerd


It's never mandatory to use DHCP... but you sure make your life hell if there's a change on the network. In your office... how many machines are there? If you're using all 100 addresses... that's a lot of unnecessary work. Depending on your infrastructure, configuring DHCP can save you a lot of time as the administrator to focus on more important aspects like security, infrastructure upgrades / maintenance, etc... Why are you not using DHCP?

Offline del

« Reply #115 on: December 14, 2006, 02:15:07 AM »
Hi VIP-ire,

Well I tried to connect today and had no luck, so I just turned off my test server and installed openvpn on my server/gateway and I connected straight away :D  I must admit that I have never had much luck with port forwarding in SME, I couldn't get SAIL/Asterisk to work on my test server, but that worked OK as soon as I installed on my main server :shock:  So thanks for all your help and hard work with this contrib, I look forward to using my network even when I am away 8)

Regards,
Del

Offline imcintyre

« Reply #116 on: December 14, 2006, 02:56:49 AM »
Vip-ire wrote:
Quote
The last lines of the server's log (you can get it through the panel) would be more helpful. Just do the following:
- restart openvpn-bridge (/etc/init.d/openvpn-bridge restart)
- try to connect again (it should give the same error)
- go into the server manager and copy/paste the last 30~40 lines of the logs


I restarted openvpn-bridge as above and got the following (which looks okay):
Quote

[root@mcserver1 etc]# /etc/init.d/openvpn-bridge restart
Shutting down openvpn: Tue Dec 12 21:38:39 2006 TUN/TAP device tap0 opened
Tue Dec 12 21:38:39 2006 Persist state set to: OFF
Stopping dhcpd:                                            [  OK  ]

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
Starting dhcpd:                                            [  OK  ]
                                                           [  OK  ]
Starting openvpn: Tue Dec 12 21:38:47 2006 TUN/TAP device tap0 opened
Tue Dec 12 21:38:47 2006 Persist state set to: ON
Stopping dhcpd:                                            [  OK  ]

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
Starting dhcpd:                                            [  OK  ]
                                                           [  OK  ]
[root@mcserver1 etc]#


I tried to connect again today and got the same problem, the username and password window keeps popping up. This is all of my log from today:

Quote
Wed Dec 13 11:39:05 2006 MULTI: multi_create_instance called
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Re-using SSL/TLS context
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 LZO compression initialized
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Local Options hash (VER=V4): '8f3da10b'
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Expected Remote Options hash (VER=V4): 'a257ef04'
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 TLS: Initial packet from 207.245.239.187:53670, sid=cf27f5cc af1c7310
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 CRL CHECK OK: /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 VERIFY OK: depth=1, /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 CRL CHECK OK: /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 VERIFY OK: depth=0, /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 TLS: Username/Password authentication succeeded for username 'ian'
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 [ian] Peer Connection Initiated with 207.245.239.187:53670
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 SENT CONTROL [ian]: 'AUTH_FAILED' (status=1)
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 Delayed exit in 5 seconds
Wed Dec 13 11:39:13 2006 207.245.239.187:53670 SIGTERM[soft,delayed-exit] received, client-instance exiting
Wed Dec 13 11:39:31 2006 MULTI: multi_create_instance called
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Re-using SSL/TLS context
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 LZO compression initialized
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Local Options hash (VER=V4): '8f3da10b'
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Expected Remote Options hash (VER=V4): 'a257ef04'
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 TLS: Initial packet from 207.245.239.187:53688, sid=dcdfa94f 91218fda
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 CRL CHECK OK: /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 VERIFY OK: depth=1, /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 CRL CHECK OK: /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 VERIFY OK: depth=0, /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 TLS: Username/Password authentication succeeded for username 'ian'
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 [ian] Peer Connection Initiated with 207.245.239.187:53688
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 SENT CONTROL [ian]: 'AUTH_FAILED' (status=1)
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 Delayed exit in 5 seconds
Wed Dec 13 11:39:39 2006 207.245.239.187:53688 SIGTERM[soft,delayed-exit] received, client-instance exiting


It says on the sme server manager page that "daemon is running, pid: 5102". I didn't notice this before and you had asked if the daemon is running so I guess I can answer yes.

Thanks in advance for your help.

Ian

Offline Daniel B.

« Reply #117 on: December 14, 2006, 10:08:33 AM »
OK, now I've got a better idea of what's going wrong (I still don't know exactly). Here is the problem:

Code:
TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'

It's because, as additional security, I prevent any user who doesn't have a specific configuration file in /etc/openvpn/ccd-bridge from connecting. These configuration files should be generated automatically according to the authentication method:

For methods 1 and 3, it uses the user account. Each user who has VPNClientAccess=yes will have a configuration file; the others will have one with the directive --disable, and this is how access is controlled with the VPNClientAccess variable. For methods 1 and 3, the CN of the user is set to their login and the CN of the certificate (if used with method 3) is ignored, so the configuration file name must match the login of the user.

For methods 2 and 4, the client certificates are used to generate the config files. A file is generated only for non-revoked certificates of course; the revoked ones have a file with the directive --disable. For those two methods, the CN is set to the CN of the certificate presented, so the configuration file name must match the CN of the certificate presented.

You can have a look at the template /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config if you want; I think it'll be easier for you to understand how it works.

Now, look at your directory /etc/openvpn/ccd-bridge and which configuration files are present. If there's no 'ian' file, there's a problem somewhere; try the following:
Code:
expand-template /etc/openvpn/ccd-bridge/.config
and if there's still no 'ian' file, report it here.
If there's an 'ian' file, it will probably have the directive --disable, which means either:
- you use method 1 or 3 and you don't have VPNClientAccess set to yes
- you use method 2 or 4 and your certificate is marked as revoked

Quote from: "del"
Hi VIP-ire,

Well I tried to connect today and had no luck, so I just turned off my test server and installed openvpn on my server/gateway and I connected straight away Very Happy I must admit that I have never had much luck with port forwarding in SME, I couldn't get SAIL/Asterisk to work on my test server, but that worked OK as soon as I installed on my main server Shocked So thanks for all your help and hard work with this contrib, I look forward to using my network even when I am away Cool

Regards,
Del


Quite strange. I think it's a port redirection problem, because I developed it on a server-only SME and everything seems to work (but I tested most of the functions on a server & gateway mode, so maybe I forgot something). Does anyone else use server-only mode and can tell if it's working or not, please?
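The per-client file rule and the three-way checklist Daniel gives above, as an added example that is not the contrib's own template code (the contrib generates the files from an e-smith template): a Python re-implementation that builds the ccd-bridge file contents for each authentication method and maps the `--client-config-dir` log line onto the checklist. The address pool, the `server` certificate name, and the sample log line (with a placeholder IP) are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable

# Constructed sample log line in the shape seen in the thread (IP/port are placeholders).
SAMPLE_LOG_LINE = ("Wed Dec 13 11:39:07 2006 192.0.2.10:53670 TLS Auth Error: "
                   "--client-config-dir authentication failed for common name 'ian' "
                   "file='ccd-bridge/ian'")

CCD_AUTH_ERROR = re.compile(
    r"--client-config-dir authentication failed for common name '([^']+)' file='([^']+)'")


def generate_ccd(method: int, users: Dict[str, bool], certs: Dict[str, bool],
                 addresses: Iterable[str], netmask: str,
                 server_cn: str = "server") -> Dict[str, str]:
    """Return {ccd file name: content} following the rule described in the thread.

    method 1/3: one file per user account, named after the login; users whose
                VPNClientAccess is not 'yes' (users[login] is False) get '--disable'.
    method 2/4: one file per client certificate, named after its CN; revoked
                certificates (certs[cn] is True) and the server's own cert get '--disable'.
    Enabled clients get an --ifconfig-push line taken in order from `addresses`
    (assumption: the thread shows such a line but not how the address is chosen).
    """
    if method in (1, 3):
        enabled = dict(users)
    elif method in (2, 4):
        enabled = {cn: not revoked and cn != server_cn for cn, revoked in certs.items()}
    else:
        raise ValueError(f"unknown authentication method {method}")
    pool = iter(addresses)
    files = {}
    for name in sorted(enabled):
        if not enabled[name]:
            files[name] = "--disable\n"
            continue
        try:
            files[name] = f"--ifconfig-push {next(pool)} {netmask}\n"
        except StopIteration:
            raise ValueError(f"address pool exhausted before client '{name}'") from None
    return files


def diagnose(log_line: str, ccd_files: Dict[str, str], method: int) -> str:
    """Map a '--client-config-dir authentication failed' log line to the checklist
    from the thread: file missing -> regenerate, file holds --disable -> access
    flag or revocation, file present and enabled -> the cause lies elsewhere."""
    m = CCD_AUTH_ERROR.search(log_line)
    if not m:
        return "not a client-config-dir failure"
    cn = m.group(1)
    content = ccd_files.get(cn)
    if content is None:
        return f"no ccd file for '{cn}': run expand-template /etc/openvpn/ccd-bridge/.config"
    if "--disable" in content.split():
        if method in (1, 3):
            return f"'{cn}' is disabled: VPNClientAccess is not set to yes for this user"
        return f"'{cn}' is disabled: the certificate is marked as revoked"
    return f"ccd file for '{cn}' is present and enabled: the problem is elsewhere"
```

In Ian's case the file exists and carries an --ifconfig-push line, so the helper lands in the last branch, which is exactly where the thread is at this point.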

Offline imcintyre

« Reply #118 on: December 14, 2006, 01:06:38 PM »
Vip-ire

Some "interesting" results to your instructions.

Vip-ire wrote
Quote
expand-template /etc/openvpn/ccd-bridge/.config


I tried this at the root login with no obvious result. I went into the directory and found two files, ian and server. I went into Midnight Commander and found 3 files: .config, ian, and server.

The contents of .config are:
Quote
This file is only used to generate the per client config file


The contents of ian are:
Quote
--ifconfig-push 192.168.7.200 255.255.255.0


The contents of server are:
Quote
--ifconfig-push 192.168.7.200 255.255.255.0


I noticed that they were identical, so I checked again to confirm and they are.

I went back through your instructions:
Quote
You can have a look at the template /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config if you want; I think it'll be easier for you to understand how it works.


I changed directories to look at the .config file and found there was nothing in the directory:
Quote
[root@mcserver1 ~]# cd /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/
[root@mcserver1 ccd-bridge]# ls
[root@mcserver1 ccd-bridge]#


I checked my vpn status in the SME Server manager page as follows:
Quote
ian     Ian McIntyre     Yes     Modify     Reset password     Lock account     Remove


I checked the status of Openvpn and got the following:
Quote
daemon is running, pid: 5102

Do you wan't to enable the service ?
Status:    Enabled


I hope that this is helpful, thanks again for your patience

Offline Daniel B.

« Reply #119 on: December 14, 2006, 01:24:33 PM »
The .config file is normal, don't touch it; I didn't find a way to generate all the config files without this one. The most interesting thing is the content of the file ian.
Please try a

Code:
cat /etc/openvpn/ccd-bridge/ian

and post the result.

I noticed a little error in the template .config which generates all the config files, but it has nothing to do with your problem; it's just that the config file server should have the directive --disable.