Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Offline Daniel B.

« Reply #180 on: January 20, 2007, 11:17:51 PM »
No, I don't know how to remove this warning from the rkhunter report. It doesn't bother me, so I never looked into it, but from memory there's no option for rkhunter to ignore promiscuous interfaces. Maybe there's one in more recent versions.
It's the end of the world!!! :lol:

Offline haymann

« Reply #181 on: February 12, 2007, 09:37:15 PM »
Hi VIP-ire,

Thanks for the great contrib. I have been using your beta5 release for a while, but last week I installed a server for a client and installed your latest release. Very easy to install and start using (with the exception of the "Use of uninitialized value" errors that I have seen on almost every contrib that I have installed on a 7.1 system...)

I was wondering if in your future releases you might consider the option to customize the name of the ca.crt? The reason I ask is that I have several SME servers that I VPN into, and using the OpenVPN GUI all you have to do is create an xxx.ovpn file in the config directory of the client for every server you want to VPN into. Then you copy the .crt and .key files and you can select which server you want to connect to. The only problem was that for my second server, when I tried to copy the ca.crt to OpenVPN\config, the file already existed from the first server.

It was a pretty easy fix to rename the ca.crt and then modify the xxx.ovpn file to use the name I created instead of ca.crt. If the certificate would have been named name_of_server.crt or something similar, I would not have to change anything...

Now I still haven't figured out a way to use the same login name for each VPN session, though, as I can't have two files named admin.crt, etc...

Thanks again, your work has been quite helpful and I hope this post makes sense...
Ryan

Offline crazybob

« Reply #182 on: February 12, 2007, 10:29:16 PM »
haymann, I also use openvpn into about a dozen servers. I keep each remote server's certs, CAs and config files in separate folders in the config folder for the openvpn gui.

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Offline haymann

« Reply #183 on: February 12, 2007, 10:57:54 PM »
Quote from: "crazybob"
haymann, I also use openvpn into about a dozen servers. I keep each remote server's certs, CAs and config files in separate folders in the config folder for the openvpn gui.

Bob
Ahh... I didn't think to try sub-folders :oops: That would be nicer anyway: I could use the same user name, and it keeps each config together. Thank you for the tip!
Ryan

Offline del

« Reply #184 on: February 13, 2007, 12:29:03 AM »
Hi All,

Quote from: "jonic"
Is there something we can do about the rootkit hunter warning :
"Checking network interfaces (promiscuous mode)... [ WARNING ]".
I started receiving these emails after installing this contrib.

Not really a problem, just annoying.

There is a post here: http://forums.contribs.org/index.php?topic=35361.0

Although it is in the French forum, the last post is in English. The command appears to be
Quote
mcedit /etc/rkhunter.conf ALLOW_SSH_ROOT_USER=1
I hope this helps.

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

Offline imcintyre

« Reply #185 on: February 13, 2007, 03:32:46 AM »
I love this contrib. I can't believe that this thread is still going strong. Is this a record for the number of viewings, postings, and pages?

Is there any reason why this would not work on a modem line rated at 33.6 kbps? I have a relative who lives in God's country without high speed. He connects to the internet on his modem, through his company's website (they pay the long distance).

He has connected through a high speed connection, so I think the openvpn install is good. I can connect to my network on a high speed modem (50 kbps?), so I don't think that is the issue. I probably can't do anything if his corporate website is blocking something, but I would be interested to know what it is?

Thanks in advance for your help.

Offline sonoracomm

« Reply #186 on: February 14, 2007, 05:44:23 AM »
Here's a quickie one-line command to disable the rkhunter warnings for root SSH logins.
Code:
perl -i -p -e 's/\#ALLOW_SSH_ROOT_USER=0/ALLOW_SSH_ROOT_USER=1/' /etc/rkhunter.conf
I just discovered you could do in-place edits with Perl...

...and mcedit.  Very cool.

G
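The two posts above edit the same key with a fixed substitution, which only fires when the file contains the exact text "#ALLOW_SSH_ROOT_USER=0" (rkhunter compares that option with sshd's PermitRootLogin setting, so it concerns the SSH root login warning; whichever key you are setting, the edit is the same). The following is an added example, not code from the thread or from the contrib: a small POSIX shell helper that sets KEY=VALUE in a KEY=VALUE style file such as /etc/rkhunter.conf whether the key is commented out, already set to something else, or missing, leaves exactly one active definition, keeps a .bak copy, and gives the same result no matter how often it runs. The demonstration file is a constructed sample, not the real rkhunter.conf.

```shell
#!/bin/sh
# Added example (not from the thread): set KEY=VALUE in a KEY=VALUE style file
# such as /etc/rkhunter.conf, whether the key is currently commented out
# ("#KEY=..."), already present with another value, or absent altogether.
# The substitution in the post above only fires on the exact text
# "#ALLOW_SSH_ROOT_USER=0"; this version ends with exactly one active
# definition however the file looked, and gives the same result on every run.
# Usage: set_conf_key FILE KEY VALUE
set_conf_key() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "set_conf_key: no such file: $file" >&2; return 1; }
    cp -p -- "$file" "$file.bak" || return 1          # restore point
    tmp=$(mktemp) || return 1
    # Drop every active or commented definition of KEY, then append one.
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "=") { next }
        { print }
        END { print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"        # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the active (uncommented) value of KEY in FILE, nothing if unset.
get_conf_key() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Demonstration on a constructed file in the style of rkhunter.conf
# (not a copy of the real one); prints the resulting active value.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in rkhunter.conf style
#ALLOW_SSH_ROOT_USER=0
ALLOW_SSH_PROT_V1=0
EOF
    set_conf_key "$f" ALLOW_SSH_ROOT_USER 1
    set_conf_key "$f" ALLOW_SSH_ROOT_USER 1      # second run changes nothing
    echo "ALLOW_SSH_ROOT_USER is now: $(get_conf_key "$f" ALLOW_SSH_ROOT_USER)"
    rm -f "$f" "$f.bak"
}

demo
```

Writing the result back with `cat "$tmp" > "$file"` rather than `mv` keeps the original file's owner and mode, which matters for a file that rkhunter itself checks; the .bak copy is what you restore from if the next rkhunter run complains about the file.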

Offline Daniel B.

« Reply #187 on: February 14, 2007, 10:13:27 AM »
Quote from: "imcintyre"
I love this contrib. I can't believe that this thread is still going strong. Is this a record for the number of viewings, postings, and pages?

Is there any reason why this would not work on a modem line rated at 33.6 kbps? I have a relative who lives in God's country without high speed. He connects to the internet on his modem, through his company's website (they pay the long distance).

He has connected through a high speed connection, so I think the openvpn install is good. I can connect to my network on a high speed modem (50 kbps?), so I don't think that is the issue. I probably can't do anything if his corporate website is blocking something, but I would be interested to know what it is?

Thanks in advance for your help.


No, there's no reason for it not to work on a slow connection (even if I never tested it on a slow connection).
Maybe you should try the latest release (v 1.1-0), it's available on our website http://sme.firewall-services.com/spip.php?article2
This release adds some features (advanced configuration, who is connected, etc.) but the most interesting part for you is that it uses the directive test-mtu by default instead of a fixed fragment value. This removes 4 bytes of overhead per packet and should increase performance. I think you can see a difference on a very slow connection. The downside is that you will have to modify the configuration of the client (you can still use the panel to generate the correct config file).
Don't worry for those who have a lot of clients and don't want to modify all the configs. You can configure this release to be compatible with the old one (1.0-3) and continue using the fragment directive. You won't improve performance but you'll have some new features...

Cheers, Daniel

Offline imcintyre

« Reply #188 on: February 14, 2007, 02:07:05 PM »
The modification that you mention to the client, how complicated is it? Is it just updating their key or their crt or the openvpn text? I don't have so many clients and faster is better...

Offline Daniel B.

« Reply #189 on: February 14, 2007, 02:13:05 PM »
It's very simple, you just have to remove the lines

Code:
fragment 1400
mssfix 1450
tun-mtu-extra 32

and add one line

Code:
test-mtu

But the panel should generate the correct file for you, then you just have to send the new config file to the client.

Offline del

« Reply #190 on: February 15, 2007, 02:35:02 AM »
Hi All,

Today I had my server HDD go faulty. I have replaced it and reinstalled SME 7.1 with all updates, then installed this openvpn contrib, generated new keys etc. and put them in the config folder, and then I tried to connect and it opens a window with this message:
Quote
Options error:Unrecognized option or missing parameter(s) in VPN.ovpn:2: protocol (2.0.7) Use Help for more information
Then a window saying
Quote
Connecting to VPN failed
The log in server-manager shows:
Quote
Wed Feb 14 14:56:28 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 14:56:28 2007 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Feb 14 14:56:28 2007 Cannot open easy-rsa/keys/bridge/dh.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Wed Feb 14 14:56:28 2007 Exiting
Wed Feb 14 15:04:02 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 15:04:02 2007 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Feb 14 15:04:02 2007 Diffie-Hellman initialized with 1024 bit key
Wed Feb 14 15:04:02 2007 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Wed Feb 14 15:04:02 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 15:04:02 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 15:04:02 2007 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Feb 14 15:04:02 2007 TUN/TAP device tap0 opened
Wed Feb 14 15:04:02 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Feb 14 15:04:02 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Wed Feb 14 15:04:02 2007 GID set to nobody
Wed Feb 14 15:04:02 2007 UID set to nobody
Wed Feb 14 15:04:02 2007 UDPv4 link local (bound): [undef]:1194
Wed Feb 14 15:04:02 2007 UDPv4 link remote: [undef]
Wed Feb 14 15:04:02 2007 MULTI: multi_init called, r=256 v=256
Wed Feb 14 15:04:02 2007 IFCONFIG POOL: base=10.0.0.60 size=11
Wed Feb 14 15:04:02 2007 Initialization Sequence Completed
Wed Feb 14 15:05:07 2007 event_wait : Interrupted system call (code=4)
Wed Feb 14 15:05:07 2007 TCP/UDP: Closing socket
Wed Feb 14 15:05:07 2007 Closing TUN/TAP interface
Wed Feb 14 15:05:07 2007 PLUGIN_CLOSE: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Feb 14 15:05:07 2007 SIGTERM[hard,] received, process exiting
Wed Feb 14 15:05:14 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 15:05:14 2007 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Wed Feb 14 15:05:14 2007 TUN/TAP device tap0 opened
Wed Feb 14 15:05:14 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Wed Feb 14 15:05:14 2007 GID set to nobody
Wed Feb 14 15:05:14 2007 UID set to nobody
Wed Feb 14 15:05:14 2007 UDPv4 link local (bound): [undef]:1194
Wed Feb 14 15:05:14 2007 UDPv4 link remote: [undef]
Wed Feb 14 15:05:14 2007 Initialization Sequence Completed
This is the only contrib I have installed and it worked OK before the reinstall. I have deleted and generated the keys etc. again but still the same problem. I have downloaded the latest rpms from VIP-ire's site. Any help is appreciated.
EDITED TO ADD: I have compared the old VPN.ovpn and line 2 in the old one reads: proto udp but in the new one it reads: protocol udp

Regards,
Del

Offline Daniel B.

« Reply #191 on: February 15, 2007, 10:18:11 AM »
Oops, sorry for this problem, I have just uploaded the corrected rpm. For those who have already installed it, just edit the file /etc/e-smith/web/functions/openvpn-bridge

and change line 1025 from
Code:
$fic .= "protocol $config{protocol}\n";

to
Code:
$fic .= "proto $config{protocol}\n";

Offline del

« Reply #192 on: February 15, 2007, 03:10:58 PM »
HI VIP-ire,

Thanks for the reply. When I have edited /etc/e-smith/web/functions/openvpn-bridge, do I have to delete and recreate all the certificates or can I just edit line 2 in the VPN.ovpn file from: protocol udp to: proto udp? Thanks again.
EDITED TO ADD: $fic .= "protocol $config{protocol}\n is on line 1012 not 1025, is this possible?

Regards,
Del

Offline Daniel B.

« Reply #193 on: February 16, 2007, 10:01:49 AM »
Well, I have changed some comments in this file, I think that's why it's line 1012 instead of 1025. Anyway, to be sure, just type the following:

Code:
cd /tmp && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel-openvpn-patch-1.1-0 && \
mv panel-openvpn-patch-1.1-0 /etc/e-smith/web/functions/openvpn-bridge && \
chown root:admin /etc/e-smith/web/functions/openvpn-bridge && \
chmod 4750 /etc/e-smith/web/functions/openvpn-bridge && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/fr-openvpn-patch-1.1-0 && \
mv fr-openvpn-patch-1.1-0 /usr/share/locale/fr/LC_MESSAGES/openvpn-bridge.mo


It should download the patch and install it automatically; it will just ask you if you want to overwrite two files, just answer 'yes'.

Then, just replace protocol with proto on the client you have already installed, and everything will be ok.
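Two client-side edits are described in Daniel's posts above: in reply #189, remove the fragment, mssfix and tun-mtu-extra lines and add the MTU-test directive for a 1.1-x server; in reply #193, replace protocol with proto in the configs the first 1.1 rpm generated. The following is an added example, not code from the thread or from the contrib, that applies both edits to a client .ovpn in one pass and keeps the untouched file as FILE.orig. Two details it relies on: the OpenVPN 2.0 manual spells the directive mtu-test, so that is what the script writes; and fragment has to be configured on both ends of a tunnel or not at all, so the MTU change is opt-in (second argument "mtu") for sites where the server has been left in the fragment-compatible mode Daniel mentions. The demonstration config is constructed for the example, not one generated by the panel.

```shell
#!/bin/sh
# Added example (not from the thread or the contrib): bring a client .ovpn
# written by the 1.0-x panel in line with a 1.1-x server, in one pass:
#   * "protocol udp"  ->  "proto udp"   (the bad line from the first 1.1 rpm)
#   * with a second argument "mtu": drop fragment/mssfix/tun-mtu-extra and add
#     mtu-test (OpenVPN's spelling of the directive). Only do this once the
#     server no longer uses fragment: that directive must match on both ends.
# A copy of the untouched file is kept as FILE.orig.
# Usage: migrate_ovpn FILE [mtu]
migrate_ovpn() {
    file=$1 mode=${2:-}
    [ -f "$file" ] || { echo "migrate_ovpn: no such file: $file" >&2; return 1; }
    cp -p -- "$file" "$file.orig" || return 1
    tmp=$(mktemp) || return 1
    awk -v mtu="$mode" '
        # the directive is the first word of the line; arguments follow
        $1 == "mtu-test" { have_test = 1 }
        $1 == "protocol" { $1 = "proto" }
        mtu == "mtu" && ($1 == "fragment" || $1 == "mssfix" || $1 == "tun-mtu-extra") {
            dropped = 1; next
        }
        { print }
        # append mtu-test once, and only if fragment lines were actually removed
        END { if (mtu == "mtu" && dropped && !have_test) print "mtu-test" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Space-separated list of the directives that matter here, in file order,
# so the before/after can be checked at a glance.
ovpn_directives() {
    awk '$1 ~ /^(proto|protocol|fragment|mssfix|tun-mtu-extra|mtu-test)$/ {
             out = out (out == "" ? "" : " ") $1
         }
         END { print out }' "$1"
}

# Demonstration on a constructed client config (not one generated by the panel).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
dev tap
protocol udp
remote vpn.example.com 1194
fragment 1400
mssfix 1450
tun-mtu-extra 32
ca ca.crt
cert admin.crt
key admin.key
EOF
    echo "before: $(ovpn_directives "$f")"
    migrate_ovpn "$f" mtu
    echo "after:  $(ovpn_directives "$f")"
    rm -f "$f" "$f.orig"
}

demo
```

Running it a second time is harmless: the protocol line is already proto, no fragment lines remain to be dropped, and mtu-test is not appended twice. For a client that connects to several servers from per-server sub-folders, as Bob describes, run it once per folder.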

Shevaresh

« Reply #194 on: February 16, 2007, 06:16:43 PM »
OK, I'm starting to go a little nuts trying to figure this out on my own, so I'm sharing the pain :twisted:

I installed the OpenVPN bridge yesterday, and when it is enabled the other computers lose some internet access.

Here's my setup:

                         T1
                          |
           SME/VPN--------*
                 |
            Network

The * is a router owned by a company sharing our building and T1 connection.

The SME server is running a fully updated SME7.1 server, with the OpenVPN software installed per the instructions here: http://sme.firewall-services.com/spip.php?article4

Basically, what's happening is that when the computers on the network attempt to access some (not all) sites, the connection gets reset (and continues to get reset no matter how many times I try to refresh).

A sample of sites that work:
http://www.eve-online.com
http://www.google.com

A sample of sites that do not work:
http://www.yahoo.com
http://www.cnn.com

The sites are still pingable, so it is not the DNS or a general outage; also, as soon as I disable the VPN the network functionality returns to normal.

Any questions or suggestions?  (I'm not currently in front of the machine)