Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Daniel B.
« Reply #270 on: May 09, 2007, 05:15:51 PM »
I'd just like to announce version 1.1-2 of the contrib. Just a few changes:
- the bug with dhcpd is fixed (as far as I've tested)
- Italian translation (thanks to Romano Romano)

To upgrade, just type:
Code:

rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.1-2.noarch.rpm
/etc/init.d/openvpn-bridge start




Quote from: "gerd"
Daniel,

I am not sure whether your contrib has a "view record" with 38782 views, but at least your contrib seems to belong to the interesting ones. Might be the time has come now to consider an integration of your contrib into the SME distribution - provided the consent of all concerned parts. It is just an idea - not more please.

But personally I would just like to say a "simple thank you" for your contribution. And I am keen to see your ovpn version "du sud-ouest".

salutations

gerd

Well, thanks. I also think it could be a good contribution to add to the base (and of course, I'd be very proud if it was included in the next release of SME), but I think I need to work a little more on it in order for it to be fully integrated into the SME server distribution, especially:
- replace the start script by a supervisor
- add the possibility to download all the necessary files (certs, key, config) in one zip archive
- add a how-to for the configuration of the client (one for Windows, one for Mac OS X, one for Linux)
- integrate the management interface so we could see active connections in real time (and kill those we want for example)
- auto-detection of the subnet, and configuration of the IP range according to it (for a first install)
- add verification scripts (if the login of the user doesn't match the CN of the certificate, the connection is refused)
- add connection/disconnection scripts (to send an email to the user and the admin for example, or to fill a mysql database so we could keep a trace of every connection)

By the way, who must I contact to suggest the integration of this contrib into the distribution?

Cheers, Daniel
It's the end of the world !!! :lol:

stefan24
« Reply #271 on: May 09, 2007, 05:38:12 PM »
Then *please* consider to make a donation.

I have already done this for two customer servers, which I installed with Daniel's OpenVPN contrib. Including my own SME server, all of them are working perfectly with OpenVPN. Installation is so easy now (unlike my former manual method)!

gerd
« Reply #272 on: May 09, 2007, 06:53:37 PM »
Daniel,

is my assumption correct that the update of the openvpn does not affect the certificates & keys, or do I have to regenerate them??

regards

gerd

Daniel B.
« Reply #273 on: May 09, 2007, 07:01:37 PM »
Quote from: "gerd"
Daniel,

is my assumption correct that the update of the openvpn does not affect the certificates & keys, or do I have to regenerate them??

regards

gerd


No, certificates and keys won't be affected of course.
It's the end of the world !!! :lol:

gerd
« Reply #274 on: May 11, 2007, 01:25:40 PM »
...new update works perfectly with SME in server-only mode...

Many thanks

gerd

haymann
« Reply #275 on: May 29, 2007, 06:01:52 PM »
Well I hate to make an insanely long thread longer, but...
Quote from: "VIP-ire"
Well, to be honest, I mainly use it with linux clients.
Quote from: "VIP-ire"
add a how-to for the configuration of the client (one for windows, one for mac OS X, one for linux)
Can someone point me to some info on configuring a Linux client please? I have been using this great contrib on XP for a long time, but I just installed Ubuntu Studio (looks like their site is down at the moment...) and would love to be able to connect to my servers from this Linux OS. I installed OpenVPN - Admin (one of the choices listed here), but I was having trouble filling in all the blanks... I would appreciate any assistance!
Thanks,
Ryan

Daniel B.
« Reply #276 on: May 29, 2007, 09:08:38 PM »
Well, I use the command line to run openvpn on a Linux client, because I didn't find any GUI I like (network-manager-openvpn on Ubuntu is nearly a good client, but the pull option is missing). So, to configure openvpn on Linux:
- install openvpn, lzo and resolvconf
Code:
sudo apt-get install openvpn resolvconf
- create a directory where you store the certificates (for example /home/user/.ovpn)
- edit a new config file in this directory
Code:
vim /home/user/.ovpn/config
- paste the config file generated by the panel in it
- add the full path for the key (ta.key), the master certificate (ca.crt), the client certificate (client.crt) and the client private key (client.key). In our example, add /home/user/.ovpn/
- download those 4 files and put them in the directory /home/user/.ovpn

The VPN can work now, but if you want the client's DNS to be updated just like Windows does, do the following:

- add to your config file
Code:
up /home/user/.ovpn/domain.up
down /home/user/.ovpn/domain.down

- edit a new file
Code:
vim /home/user/.ovpn/domain.up
- paste the following in it
Code:
#!/bin/sh

# really naff script to add nameserver entry on up

DEV=$1
# turn the pushed foreign_option_* variables into resolv.conf lines
set | sed -n "
  s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;
  :next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;
  " | resolvconf -a "$DEV"
resolvconf -u

- edit a new file
Code:
vim /home/user/.ovpn/domain.down
- paste the following in it
Code:
#!/bin/sh

# really naff script to delete nameserver entry on down
DEV=$1
resolvconf -d "$DEV"
resolvconf -u

- make those files executable
Code:
chmod +x /home/user/.ovpn/domain.*

You can start the VPN with the command
Code:
sudo openvpn --config /home/user/.ovpn/config

Hope that can help. I'll try to add this how-to on http://sme.firewall-services.com soon
It's the end of the world !!! :lol:
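
Added example, not part of the post above or of the contrib: a shell check for the client directory that the how-to builds. The up and down scripts run with whatever privileges openvpn was started with (sudo here), and client.key and ta.key are secrets, so the function flags referenced files that are missing, given without a full path, accessible to other users, or writable by anyone but the owner. The function names and messages are this example's own, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the files an OpenVPN client config references.
# Assumes GNU stat (Linux client). Usage: audit_ovpn_config /home/user/.ovpn/config

# True if FILE has any permission bit of the octal MASK set.
has_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# Record one finding (audit_ovpn_config resets the counter).
report() { echo "$1"; findings=$((findings + 1)); }

# Print one finding per line for CONFIG; status 0 only when nothing is found.
audit_ovpn_config() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|tls-auth|up|down) ;;
            *) continue ;;               # other options, comments, blank lines
        esac
        case $path in
            /*) ;;
            *) report "$directive: '$path' is not a full path"; continue ;;
        esac
        if [ ! -f "$path" ]; then
            report "$directive: $path is missing"; continue
        fi
        case $directive in
            key|tls-auth)                # secrets: owner-only access
                if has_bits "$path" 077; then
                    report "$directive: $path is accessible to group/others"
                fi ;;
            up|down)                     # executed with openvpn's privileges
                if [ ! -x "$path" ]; then
                    report "$directive: $path is not executable"
                fi
                if has_bits "$path" 022 || has_bits "$(dirname "$path")" 022; then
                    report "$directive: $path or its directory is writable by group/others"
                fi ;;
        esac
    done < "$conf"
    [ "$findings" -eq 0 ]
}
```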

haymann
« Reply #277 on: June 04, 2007, 08:33:16 PM »
Thank you, I will test this out as soon as I get a chance. I am glad to see that I wasn't the only one that didn't see all the options of the Linux GUIs. I was going to try to install the Windows client using Wine, but I have not had very good results doing anything w/ Wine so far...

Again, thanks for the help.
Ryan

AndrewR
« Reply #278 on: June 08, 2007, 04:16:19 PM »
Daniel, if you get this into the base install of SME, I'll buy you a beer.

Seriously, if you did.. I use SME + ovpn for my clients who want a VPN solution... as opposed to using the VPN RRAS on a Windows Server (shudder). The install of OVPN is already soooo difficult.. so if you were to save me the downloads after install.. well that just makes my life so much easier.

Daniel: One question: once we do the upgrade... will this contrib work with server-only mode in 7.1.3 and beyond? Rather than do the workaround script.. I just disabled the updates on SME. Can I safely enable them again?

Daniel B.
« Reply #279 on: June 11, 2007, 10:38:14 AM »
Quote from: "AndrewR"
Daniel, if you get this into the base install of SME, I'll buy you a beer.

Seriously, if you did.. I use SME + ovpn for my clients who want a VPN solution... as opposed to using the VPN RRAS on a Windows Server (shudder). The install of OVPN is already soooo difficult.. so if you were to save me the downloads after install.. well that just makes my life so much easier.

Daniel: One question: once we do the upgrade... will this contrib work with server-only mode in 7.1.3 and beyond? Rather than do the workaround script.. I just disabled the updates on SME. Can I safely enable them again?


I haven't worked on this contrib since release 1.1-2, and I've just seen that there's still a problem with the dhcp, so it's not stable enough to be added into the base yet.
I also need to work harder on rpm packaging because I found it really hard to perform clean upgrades between different versions (with my rpms, you can only upgrade from the previous version).
For the bug in server-only mode, it should be corrected in SME 7.2; for now, if you do the upgrade (to 7.1.3), you'll have to add the custom template as explained on my web site.
It's the end of the world !!! :lol:

gerd
« Reply #280 on: June 11, 2007, 12:01:27 PM »
As to SME7.2 in server only mode - and status as of today - OpenVPN release 1.1-2 - works perfectly. I tested it this weekend with the latest SME7.2 update.

gerd

cl
« Reply #281 on: July 16, 2007, 06:31:56 AM »
With regards to the DHCP problem, have you tried just doing this:

/sbin/e-smith/db configuration setprop InternalInterface Name br0
service dhcpd restart

I added this to the end of my "openvpn-startup" script and it solved the problem (not sure what else it affects though).

Daniel B.
« Reply #282 on: July 16, 2007, 06:56:53 PM »
Quote from: "cl"
With regards to the DHCP problem, have you tried just doing this:

/sbin/e-smith/db configuration setprop InternalInterface Name br0
service dhcpd restart

I added this to the end of my "openvpn-startup" script and it solved the problem (not sure what else it affects though).


This is already done (of course) by the startup script with the default config. The problem of the dhcp looping seems to come from some signal-events sending the restart signal to the dhcpd daemon instead of the sigterm signal. I've tried to replace each 'restart' signal with a sigterm in the signal-event which causes the problem, and this seems to solve the problem. I need to do more tests first, but I think it'll be corrected soon.
It's the end of the world !!! :lol:

wr19026
« Reply #283 on: August 07, 2007, 02:03:02 PM »
I have installed this contrib on two servers (SME version 7.2) and on both I get the message that the daemon is not running. On both servers the IP ranges have been entered.

DHCP server (which is not the SME server) assigns in the range of 192.168.2.1 through 192.168.2.255, so I have set the start and end range for OpenVPN connections to 192.168.2.1.150 through 192.168.1.200

Even after a reboot the daemon does not start.

Any ideas?

crazybob
« Reply #284 on: August 07, 2007, 02:43:36 PM »
Try

/etc/init.d/openvpn-bridge start
If you think you know what's going on, you obviously have no idea what's going on!