Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

gerd
« Reply #165 on: January 02, 2007, 12:27:17 PM »
First of all a happy and prosperous new year...

Of course, the ca.crt, ta.key, client.crt and client.key are in the config directory....

So I restarted from scratch again:

Today (as I am in the office again) I deleted all certificates, recreated them and downloaded them via a USB stick to my laptop - in the config file directory:

- I tried to download the certificates and keys via the OPERA Browser - no way. What you can see is the content of the files, but no download. So I used again the Internet Browser.

- When I tried to download the client certificate/client key the download window (Internet Explorer 7.0) showed instead: server certificate/server key. When I chose "display configuration file" I get the message: "Configuration file are only generated for client certificate, not server". Strange... So I had a look into the file : "etc/openvpn/easy-rsa/keys/bridge" ...no client certificate/client key is available.

Do I have to rename server certificate/server key into client certificate/client key (that's what I have done during my trial runs at Christmas time)?? Or what else could be wrong?

How come I can't see the configuration file for the client??

Any ideas???

Daniel B.
« Reply #166 on: January 02, 2007, 12:34:38 PM »
Ok, it's not working because you are trying to use the server certificate on a client. Each certificate is marked as server or as client. By default, there's only one certificate in the certificate-manager, which is the one used on the server side. You need to generate a new certificate, choose a unique CN, an optional IP and comment, then leave the type as 'client'. Now configure your client with this new certificate. When you click on the link 'display' of a client certificate, you'll have the correct configuration file. It doesn't work for server certificates, that's why you get the message "Configuration file are only generated for client certificate, not server".
It's the end of the world !!! :lol:

gerd
« Reply #167 on: January 02, 2007, 01:59:15 PM »
....many thanks... :lol:

It seems to work, the WinXP client starts smoothly now (and it no longer grumbles....). But I can't check now, because the network I am connected to is the same as the OpenVPN server - say I am in the office....

I will keep you informed as soon as I have the opportunity to test...

best regards

gerx

crazybob
« Reply #168 on: January 02, 2007, 02:39:14 PM »
VIP-ire,
     I understand, Thanks


Bob
If you think you know whats going on, you obviously have no idea whats going on!

gerd
« Reply #169 on: January 06, 2007, 05:13:09 PM »
....I have just made some extensive tests: it works like a charm... It works perfectly.

VIP-ire, thanks

gerd

hanscees
« Reply #170 on: January 07, 2007, 09:18:34 PM »
hi,
perhaps a stupid question.
The setup is a bridged one. What does the resulting ip-setup look like?

something like this?

client-tap device 192.168.1.11 --- server-tap 192.168.1.1 -- /

internal network 192.168.2.0/24

and the client has a route to 192.168.2.0/24 via 192.168.1.11?

Just curious.

Hans-Cees
nl.linkedin.com/in/hanscees/

Daniel B.
« Reply #171 on: January 07, 2007, 10:11:19 PM »
Well, in bridge mode, the tap interface of the server (tap0) and the internal interface (eth0) are bridged into one interface: br0. br0 takes the IP of eth0, so eth0 and tap0 share the same IP.

If you have a local network with IP 192.168.2.0/24, in this network, your server is 192.168.2.1.
When a client connects to the VPN server from the outside, the server gives him an IP address in the same subnet: 192.168.2.0/24 (you can configure a range of IP addresses). As the client now has an interface in the subnet 192.168.2.0/24, he can directly reach the internal network, it's exactly as if he were connected inside the internal network.


client tap device 192.168.2.20 ----- server tap interface --------\
                                                                   |----- br0 192.168.2.1
                                      server internal interface --/



I hope this post answers your question.

Cheers, Daniel
It's the end of the world !!! :lol:

hanscees
« Reply #172 on: January 07, 2007, 10:19:26 PM »
Quote from: "VIP-ire"
Well, in bridge mode, the tap interface of the server (tap0) and the internal interface (eth0) are bridged into one interface: br0. br0 takes the IP of eth0, so eth0 and tap0 share the same IP.

If you have a local network with IP 192.168.2.0/24, in this network, your server is 192.168.2.1.
When a client connects to the VPN server from the outside, the server gives him an IP address in the same subnet: 192.168.2.0/24 (you can configure a range of IP addresses). As the client now has an interface in the subnet 192.168.2.0/24, he can directly reach the internal network, it's exactly as if he were connected inside the internal network.


client tap device 192.168.2.20 ----- server tap interface --------\
                                                                   |----- br0 192.168.2.1
                                      server internal interface --/



I hope this post answers your question.

Cheers, Daniel


It does exactly.  Thanks!
nl.linkedin.com/in/hanscees/

del
« Reply #173 on: January 18, 2007, 03:45:54 PM »
Hi VIP-ire,

Due to my own stupidity I have had to reinstall SME 7.1 (if you want to know why see here :oops: http://forums.contribs.org/index.php?topic=34950.0 ). I therefore installed the openvpn contrib as before but now I can't get it to connect :shock: After looking through things I have noticed that when I add a client and download the certificates, the client user.crt file is 0 (zero) bytes :shock: but the old one from the previous installation of SME was about 4kb. If I open up the new user.crt in a text editor it is in fact a blank document :? and of course there is lots of text stuff if I open the old user.crt. Any ideas or pointers to what I am doing wrong? I have revoked and added the user and the result is the same every time :shock: Thanks.

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

AndrewR
« Reply #174 on: January 18, 2007, 03:49:43 PM »
Del,

I ran into similar problems.. what I ended up having to do was delete all certificates and regenerate them. You may have to do it a few times before it will work.. so be patient. Once the certs actually have a size, then you should be fine. Don't know what caused the problem.. but that's what fixed it for me.

del
« Reply #175 on: January 18, 2007, 04:02:19 PM »
Hi AndrewR,

Thanks for the reply, I have already deleted/created a few times but I will give it a go and see :D

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

del
« Reply #176 on: January 18, 2007, 04:06:01 PM »
Hi AndrewR,

Just a thought, do you mean the client or server certificates or both?

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

AndrewR
« Reply #177 on: January 18, 2007, 05:52:55 PM »
Del,

I meant both. You will also want to re-generate the DH key.

Daniel B.
« Reply #178 on: January 19, 2007, 09:38:17 AM »
Del, AndrewR means delete them via the panel with the link 'click here to delete all the certificate and to regenerate it'. It's curious because I'm not having this problem anymore since beta4. You can have a look at the log /var/log/httpd/admin_error_log. You may find some information there about why the generation has failed.
It's the end of the world !!! :lol:
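
The two certificate problems in this thread (a server-type certificate handed to a client in Reply #166, and the 0-byte user.crt in Replies #173 to #178) can both be caught before the files are copied to a client. The script below is an added example, not part of the thread or of the contrib; it assumes the server/client marking appears as the Netscape Cert Type or Extended Key Usage extension, and `cert_role` and `make_sample_cert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a certificate file before copying it to an OpenVPN client.
# Assumption: the server/client marking is visible as the X.509 "Netscape Cert
# Type" and/or "Extended Key Usage" extension in `openssl x509 -text` output.

cert_role() {   # prints: empty | invalid | server | client | both | unmarked
    f=$1
    # Second failure mode in the thread: a 0-byte user.crt.
    [ -s "$f" ] || { echo empty; return 0; }
    # A file that does not decode is not a usable certificate.
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || { echo invalid; return 0; }
    srv=no; cli=no
    echo "$text" | grep -Eq 'SSL Server|TLS Web Server Authentication' && srv=yes
    echo "$text" | grep -Eq 'SSL Client|TLS Web Client Authentication' && cli=yes
    case "$srv/$cli" in
        yes/no)  echo server ;;
        no/yes)  echo client ;;
        yes/yes) echo both ;;
        *)       echo unmarked ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate carrying one extension.
make_sample_cert() {   # $1 = output .crt, $2 = CN, $3 = extension, e.g. nsCertType=client
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" -addext "$3" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/server.crt" constructed-server nsCertType=server
make_sample_cert "$tmp/user.crt" constructed-user nsCertType=client
: > "$tmp/blank.crt"   # stands in for the 0-byte user.crt
for f in server.crt user.crt blank.crt; do
    echo "$f: $(cert_role "$tmp/$f")"
done
rm -rf "$tmp"
```

Only a file that reports `client` belongs in a client's config directory; `server` or `both` means the server's own certificate is about to be distributed.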

jonic
« Reply #179 on: January 20, 2007, 02:22:56 PM »
Is there something we can do about the rootkit hunter warning:
"Checking network interfaces (promiscuous mode)... [ WARNING ]".
I started receiving these emails after installing this contrib.

Not really a problem, just annoying.

Anyway, thanks for this great contrib! It really does the job.