Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Daniel B. (Firewall Services, network security)
« Reply #135 on: December 15, 2006, 03:08:23 PM »
OK cool. I don't think it was a file permission problem, more probably the address range.
It's the end of the world!!! :lol:

AndrewR
« Reply #136 on: December 15, 2006, 06:14:02 PM »
Quote from: "imcintyre"
Ok; I changed my addressing and the permissions on the files and now it works ok. I will find out which solved the problem and post the answer.

Ian


While the addressing isn't necessarily required, it's a good idea. Avoids potential DHCP headaches. As a rule, for ease of Administration, it's best to limit your scope of addresses to amount needed +25% (to allow for growth etc). Then, when you add things like VPN, you use addresses outside the scope, and no problems. Also, when assigning static addresses, assign them outside your scope.

Again, none of this is absolutely necessary..but it does prevent headaches arising from address conflicts.

The permissions probably played a factor, but after reading VIP's post, I think he might be right. It might have to do with how the DHCP daemon works on that box, but I'm just guessing. I'd have to really look at the code for DHCP and OpenVPN, and frankly I don't have that kind of time. Glad it's working now!
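AndrewR's scope rule above (DHCP scope sized to the hosts you expect plus 25%, with the VPN address range and every static address kept outside it), as an added example that is not code from the contrib or from anyone in the thread. It checks a bridged OpenVPN address plan with Python's standard `ipaddress` module and emits the matching `server-bridge` directive. The addresses, host names and function names are constructed for illustration.

```python
"""Address-plan check for a bridged OpenVPN server on a LAN that also runs DHCP.

Added example, not code from the smeserver-openvpn-bridge-fws contrib. It applies
the rule of thumb from the post: size the DHCP scope to expected hosts plus 25%,
then keep the OpenVPN client pool and every static address outside that scope.
All addresses below are constructed for illustration.
"""
import ipaddress
import math


def _rng(start, end):
    """Inclusive address range as (first, last) integers."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return first, last


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_plan(lan, dhcp_scope, vpn_pool, statics, expected_hosts):
    """Return a list of problems with an address plan; an empty list means it is clean.

    lan            LAN in CIDR form, e.g. "192.168.42.0/24"
    dhcp_scope     (first, last) addresses the DHCP server leases
    vpn_pool       (first, last) addresses OpenVPN's server-bridge hands to clients
    statics        {hostname: address} for hosts with fixed addresses
    expected_hosts number of DHCP clients you expect to serve
    """
    net = ipaddress.IPv4Network(lan, strict=False)
    scope, pool = _rng(*dhcp_scope), _rng(*vpn_pool)
    problems = []

    # Both ranges must be usable host addresses inside the LAN: in bridge mode
    # VPN clients sit on the same L2 segment, so the pool cannot live elsewhere.
    usable = (int(net.network_address) + 1, int(net.broadcast_address) - 1)
    for name, rng in (("DHCP scope", scope), ("VPN pool", pool)):
        if not (usable[0] <= rng[0] and rng[1] <= usable[1]):
            problems.append(f"{name} is not within the usable hosts of {net}")

    # The two address sources must never hand out the same address.
    if _overlaps(scope, pool):
        problems.append("VPN pool overlaps DHCP scope: a DHCP lease and a VPN client can collide")

    # Fixed addresses belong outside both dynamic ranges.
    for host, addr in statics.items():
        i = int(ipaddress.IPv4Address(addr))
        if ipaddress.IPv4Address(addr) not in net:
            problems.append(f"static {host} ({addr}) is outside {net}")
        if scope[0] <= i <= scope[1]:
            problems.append(f"static {host} ({addr}) is inside the DHCP scope")
        if pool[0] <= i <= pool[1]:
            problems.append(f"static {host} ({addr}) is inside the VPN pool")

    # Scope sizing: expected hosts plus 25% headroom.
    have = scope[1] - scope[0] + 1
    need = math.ceil(expected_hosts * 1.25)
    if have < need:
        problems.append(f"DHCP scope has {have} addresses, {need} needed for {expected_hosts} hosts +25%")
    return problems


def server_bridge_line(lan, gateway, vpn_pool):
    """The OpenVPN 'server-bridge' directive for a plan that passed check_plan."""
    net = ipaddress.IPv4Network(lan, strict=False)
    return f"server-bridge {gateway} {net.netmask} {vpn_pool[0]} {vpn_pool[1]}"


if __name__ == "__main__":
    plan = dict(lan="192.168.42.0/24",
                dhcp_scope=("192.168.42.100", "192.168.42.149"),
                vpn_pool=("192.168.42.200", "192.168.42.219"),
                statics={"sme": "192.168.42.1", "printer": "192.168.42.10"},
                expected_hosts=40)
    for p in check_plan(**plan):
        print("PROBLEM:", p)
    print(server_bridge_line(plan["lan"], plan["statics"]["sme"], plan["vpn_pool"]))
```

Run it against your own plan before touching the server; a clean plan prints only the `server-bridge` line, which you can paste into the OpenVPN server config.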

imcintyre
« Reply #137 on: December 16, 2006, 10:38:16 PM »
I have tried it from a couple of locations and it is as sweet as Beta4. Well, almost: it does seem a little slower, but that might be my imagination.

The addressing thing is kind of funny. At work we have a device that does the vpn and the dhcp service and we don't set aside addresses and there is never a conflict.

Regarding the security issue, doesn't this mean somebody would have to log on to the server and find the files to overwrite? If it is not a trivial security detail I may just leave it. You know the old "if it ain't broke don't F....ix it" rule.

Anyway the reason I started the VPN is that I started a family tree wiki on my server and I wanted my widespread family to contribute stuff I don't know about. I already have my mom beavering away so to speak.

Thanks again Vip-ire for all your help. I will put a reference on the wiki referring to your help.

Ian

Daniel B.
« Reply #138 on: December 18, 2006, 01:00:25 PM »
Quote from: "imcintyre"
I have tried it from a couple of locations and it is as sweet as Beta4. Well, almost: it does seem a little slower, but that might be my imagination.

The handshake can be a bit slower because of TLS auth and certificate CN validation, but once the tunnel is established it should have the same performance as the previous beta (if you've configured the same cipher).

Quote from: "imcintyre"
The addressing thing is kind of funny. At work we have a device that does the vpn and the dhcp service and we don't set aside addresses and there is never a conflict.

I don't know many VPN solutions, I mainly worked with OpenVPN, but I think there's always an address range to configure. This contrib uses bridge mode, that's why the address range must be in the same subnet; for routed mode you can choose another subnet.

Quote from: "imcintyre"
Regarding the security issue, doesn't this mean somebody would have to log on to the server and find the files to overwrite? If it is not a trivial security detail I may just leave it. You know the old "if it ain't broke don't F....ix it" rule.

If you're talking about the file permissions in ccd-bridge, in fact it's not a problem, there's no security issue. It was only on my own server, and a simple expand-template /etc/openvpn/ccd-bridge/.config solved it. Sounds like I had changed the permissions manually before.

del
« Reply #139 on: December 20, 2006, 03:22:44 AM »
Hi Vip-ire,

Today I did a fresh install of SME 7 at my office, did a yum update and then installed your openvpn contrib, generated the keys etc. and put them in the directory for windows as per your how-to. Now when I get back home I can connect, it gives me the IP I asked for and OpenVPN GUI says I am connected but when I go to network places I can only see my own PC :shock:  No matter what I do I can't browse any of the network or see any resources :cry:  Can you please tell me what I am missing here :?  Any help or suggestions welcome. There are no other contribs on the server.

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

crazybob (Stalzer R&D)
« Reply #140 on: December 20, 2006, 03:52:35 AM »
try \\ip of the server from the run command.
If you think you know whats going on, you obviously have no idea whats going on!

crazybob
« Reply #141 on: December 20, 2006, 03:52:54 AM »
Are you on the same workgroup as the remote server?

del
« Reply #142 on: December 20, 2006, 04:46:36 AM »
Hi Crazybob,

Quote
Are you on the same workgroup as the remote server?
Yes :)
Quote
try \\ip of the server from the run command
Now this may have solved the puzzle :oops:  Although the workgroup in my office is the same as my laptop's, the IP range and subnet are the same at the office and at home :oops:  so maybe this is the problem. I will try and change the IP and subnet mask at the office and start again :wink:  I realized this when I ran \\ip of the server from the run command: I got all my home server ibays even though the workgroup is not the same :shock:  Thanks for the suggestions, I will report back tomorrow evening.

Regards,
Del

imcintyre
« Reply #143 on: December 20, 2006, 05:44:14 AM »
Del wrote
Quote
Although the workgroup in my office is the same as my laptop, the IP range and subnet are the same at the office and at home  so maybe this is the problem, I will try and change the IP and subnet mask at the office and start again


Originally I VPN into the office with no problems.

I started to have problems similar to yours after installing SME Server. I could connect at the office and at home, could VPN into home from the office, but had difficulty connecting from home to work. I tried making the change to the addressing but that did not solve it. What I found was that the "Server Redirect" function was implemented on the work VPN device. When I turned that off everything went back to normal.

Not sure the reason, but relatively certain of the effect. Try this first.

I also have not turned on the server redirect for the openvpn contrib from vip-ire.

Good luck.

del
« Reply #144 on: December 20, 2006, 03:30:58 PM »
Hi imcintyre,

The server redirect is disabled in openvpn (if I am right in believing that this is the Redirect gateway: option) and it is still the same, is there somewhere else I should be looking to turn it off? :wink:  If so please enlighten me before I go to the office this afternoon and change all the IP settings :D

Regards.
Del

Daniel B.
« Reply #145 on: December 20, 2006, 04:00:58 PM »
Hi everyone. Del, it cannot work if your home network and your office network have the same private subnet. You should set different ones, for example

192.168.39.0/255.255.255.0 for your home network

192.168.42.0/255.255.255.0 for your office

If they have the same network address there's a routing problem: your VPN client will try to reach your remote server locally without passing through the VPN.

It'll work then.

The redirect gateway function doesn't work properly (I just saw it yesterday). There's a stupid typo. I'll correct this in the next release. For now it's always disabled, even if the panel tells you it's enabled.

del
« Reply #146 on: December 20, 2006, 04:12:32 PM »
Hi VIP-ire,

I currently use 10.0.0.x/255.0.0.0 for both, can I use 10.0.0.x/255.255.255.0 for one of them? Or should I use 192.168.0.x/255.255.255.0 and make sure they are completely different networks? Thanks again.

Regards,
Del

Daniel B.
« Reply #147 on: December 20, 2006, 04:18:01 PM »
It'd be better if you have totally different network addresses, like this:

10.1.x.x/255.255.0.0 for one of your network

10.2.x.x/255.255.0.0 for the other one

This way, the two networks cannot be confused.
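The routing problem in Replies #145 and #147, as an added example that is not code from the contrib or from anyone in the thread. It models the remote client's routing table with a longest-prefix-match lookup and shows why, with the same subnet at home and at the office, a packet for the office server is treated as local and never enters the tunnel, while disjoint networks send it out the tap interface. The interface names eth0/tap0 and the tie-break rule (equal-length prefixes: the first route installed, here the home LAN, wins) are assumptions of this simplified model, and it goes one step beyond the thread by also flagging Del's 10.0.0.x/255.255.255.0-inside-10.0.0.x/255.0.0.0 variant as an overlap.

```python
"""Why a VPN client cannot reach the office when home and office use the same
private subnet, shown with a longest-prefix-match route lookup.

Added example, not code from the contrib. The routing tables are constructed:
a laptop with its home LAN on eth0 and, once the bridged tunnel is up, the
office LAN reachable on tap0. Interface names are assumptions of the model.
"""
import ipaddress


def networks_overlap(a, b):
    """True when the two CIDR networks share any address (10.0.0.0/24 sits inside 10.0.0.0/8)."""
    return ipaddress.IPv4Network(a, strict=False).overlaps(ipaddress.IPv4Network(b, strict=False))


def client_routes(home_lan, office_lan, home_gateway):
    """Routing table of the remote client: connected routes for both LANs plus a default route."""
    return [
        (ipaddress.IPv4Network(home_lan, strict=False), "eth0"),
        (ipaddress.IPv4Network(office_lan, strict=False), "tap0"),
        (ipaddress.IPv4Network("0.0.0.0/0"), f"eth0 via {home_gateway}"),
    ]


def route_lookup(routes, dst):
    """Pick the interface for dst the way a host does: the longest matching prefix
    wins; on a tie this model keeps the route that was installed first."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def diagnose(home_lan, office_lan, office_server):
    """Where does a packet for the office server go, and do the two LANs overlap?"""
    home = ipaddress.IPv4Network(home_lan, strict=False)
    gateway = str(home.network_address + 1)  # assume the home router is the first host
    iface = route_lookup(client_routes(home_lan, office_lan, gateway), office_server)
    return {"overlap": networks_overlap(home_lan, office_lan), "office_server_via": iface}


if __name__ == "__main__":
    # Del's setup: both sides 10.0.0.x/255.0.0.0. The office server looks like a
    # local host and the packet never enters the tunnel.
    print(diagnose("10.0.0.0/8", "10.0.0.0/8", "10.0.0.5"))
    # Shrinking one side to a /24 still overlaps the other side's /8.
    print(networks_overlap("10.0.0.0/8", "10.0.0.0/24"))
    # The fix from the thread: two networks that cannot be confused.
    print(diagnose("10.1.0.0/16", "10.2.0.0/16", "10.2.0.5"))
```

On a real host the tie is broken by route metric and insertion order rather than by this model, but the outcome is the same: the office server is never reached through tap0 while both sites share a subnet, and `networks_overlap` is the check to run on any pair of sites before bridging them.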

imcintyre
« Reply #148 on: December 20, 2006, 06:23:18 PM »
Del;

I would follow vip-ire's advice in this instance. I changed my home from 192.168.1.*, which is the same as work's, to 192.168.7.* and didn't see an end to my problems until after changing redirect. I guess if you still have issues, try my change.

My vpn device at work (not sme server 7 but a hardware firewall/vpn device) also has a redirect option that when enabled, caused connectivity and mail issues.

Ian

imcintyre
« Reply #149 on: December 20, 2006, 06:26:33 PM »
Vip-ire;

A question about the keys and certificates. When I am giving a new person vpn access. I have been giving them user.key, user.crt, ca.crt, ta.key, and VPN.ovpn.

Do they need all of this? I had a paranoid moment that I may be creating a security issue.

Thx in advance for your help.

Ian
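Ian's question about which files a new user needs is not answered in this part of the thread. As an added example, not the contrib's code and not anyone's words in the thread, here is a check an administrator can run on a bundle before handing it out. It uses the five file names Ian lists. Of those, user.key (the client's private key) and ta.key (the tls-auth HMAC secret Daniel mentions in Reply #138, shared by the server and every client) are secrets; user.crt and ca.crt are public. The one thing that must never go out is the CA's private key, because whoever holds it can issue certificates for any CN the server will accept. The check confirms the bundle is complete, that user.crt chains to ca.crt and matches user.key, that the certificate CN is the intended user (the server validates the CN, Reply #138), that no server-side key leaked into the bundle, and that the secrets are not world-readable. It shells out to the openssl command-line tool, assumed to be on PATH; demo() generates throwaway keys on the spot.

```python
"""Check a per-user OpenVPN client bundle before it is handed out.

Added example, not the contrib's code. Uses the file names from the thread
(user.key, user.crt, ca.crt, ta.key, VPN.ovpn) and shells out to the openssl
command-line tool, assumed to be on PATH. demo() generates throwaway keys on
the spot; nothing here is real key material.
"""
import os
import shutil
import subprocess
import tempfile

# What the client needs: its own key pair, the CA certificate to verify the
# server, the shared tls-auth secret and the config.
REQUIRED = ("user.key", "user.crt", "ca.crt", "ta.key", "VPN.ovpn")
# Server-side secrets that must never be copied into a bundle: with ca.key
# anyone can issue a certificate for any CN the server will accept.
FORBIDDEN = ("ca.key", "server.key")
# Of the required files only these two are secret; user.crt and ca.crt are public.
SECRET = ("user.key", "ta.key")


def _ssl(*args):
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], capture_output=True, check=True, text=True).stdout


def check_bundle(d, expected_cn):
    """Return the problems found in bundle directory d (an empty list means clean)."""
    def path(f):
        return os.path.join(d, f)

    problems = [f"missing {f}" for f in REQUIRED if not os.path.isfile(path(f))]
    problems += [f"{f} must never be given to a client" for f in FORBIDDEN if os.path.exists(path(f))]
    if any(p.startswith("missing") for p in problems):
        return problems

    # user.crt must chain to ca.crt, the CA the server trusts.
    verify = subprocess.run(["openssl", "verify", "-CAfile", path("ca.crt"), path("user.crt")],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        problems.append("user.crt is not signed by ca.crt")

    # user.key must be the private half of user.crt: compare the public keys.
    if _ssl("x509", "-in", path("user.crt"), "-noout", "-pubkey") != _ssl("pkey", "-in", path("user.key"), "-pubout"):
        problems.append("user.key does not match user.crt")

    # The server validates the certificate CN, so a cert issued under another
    # name will not get this user in.
    subject = _ssl("x509", "-in", path("user.crt"), "-noout", "-subject", "-nameopt", "RFC2253")
    rdns = subject.split("=", 1)[1].strip().split(",")
    if f"CN={expected_cn}" not in rdns:
        problems.append(f"certificate subject is {subject.strip()!r}, expected CN={expected_cn}")

    # Secrets must not be readable by other users on the server.
    problems += [f"{f} is world-readable" for f in SECRET if os.stat(path(f)).st_mode & 0o004]
    return problems


def demo():
    """Build a bundle from a throwaway CA and run the checks on a clean bundle
    and on four broken ones. Returns {case: problems}."""
    with tempfile.TemporaryDirectory() as work:
        ca_key, ca_crt = os.path.join(work, "ca.key"), os.path.join(work, "ca.crt")
        _ssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Demo CA", "-keyout", ca_key, "-out", ca_crt)
        d = os.path.join(work, "bundle")
        os.mkdir(d)
        key, csr, crt = (os.path.join(d, f) for f in ("user.key", "user.csr", "user.crt"))
        _ssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=alice", "-keyout", key, "-out", csr)
        _ssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-out", crt)
        os.remove(csr)
        shutil.copyfile(ca_crt, os.path.join(d, "ca.crt"))
        with open(os.path.join(d, "ta.key"), "w") as f:
            f.write(os.urandom(256).hex())  # stand-in for 'openvpn --genkey --secret ta.key'
        with open(os.path.join(d, "VPN.ovpn"), "w") as f:
            f.write("client\ndev tap\n")
        for f in SECRET:
            os.chmod(os.path.join(d, f), 0o600)

        results = {"clean": check_bundle(d, "alice"), "wrong_cn": check_bundle(d, "bob")}
        shutil.copyfile(ca_key, os.path.join(d, "ca.key"))  # the CA key leaks into the bundle
        results["ca_key_leaked"] = check_bundle(d, "alice")
        os.remove(os.path.join(d, "ca.key"))
        os.chmod(key, 0o644)
        results["key_readable"] = check_bundle(d, "alice")
        os.chmod(key, 0o600)
        shutil.copyfile(ca_key, key)  # a key that is not the one certified by user.crt
        results["key_mismatch"] = check_bundle(d, "alice")
        return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Run `check_bundle("/path/to/bundle", "username")` on the directory you are about to send, and deliver it over something better than plain e-mail: user.key and ta.key are secrets, and ta.key in particular is the same key on every client, so one leaked copy weakens the tls-auth protection for all of them.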