Koozali.org: home of the SME Server

sme 7.2 compatible with swerts knudsen OpenVPN contrib?

Offline smeusr

sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« on: September 09, 2007, 05:09:11 PM »
Hi,

I just finished spending the entire night rebuilding my sme 7.1 server. I'm a little nervous to bring my server up to 7.2. I'm worried that it won't be compatible with swerts knudsen OpenVPN contrib. Has anyone been using SME 7.2 with swerts knudsen OpenVPN Contrib?


Your advice is really appreciated.


Offline idp_qbn

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #1 on: September 09, 2007, 10:42:02 PM »
I have been testing it at home. I set up a second network (ie a different IP range) and it worked perfectly.
I have not yet tested it "outside" - just a matter of time and availability. I will need to get a DYNDNS account set up.

At home, I just used the following .ovpn file, which is basically what was generated; just make the changes marked:
----------------------
rport 1194
proto udp
dev tap
nobind
remote 192.168.1.183  # <=== "external" address of my second network
tls-client
tls-auth ta.key 1
tls-remote server
ns-cert-type server
auth-user-pass
ca ca.crt
cert fred.crt  # <== the name of the certificate file
key fred.key  # <== the name of the key file
mtu-test
pull
comp-lzo
verb 4

----------------------

So far it has worked flawlessly.
Cheers
Ian
___________________
Sydney, NSW, Australia

Offline smeusr

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #2 on: September 10, 2007, 02:22:28 AM »
Thanks for your response.  Can you please keep us posted with your testing?

Thanks.



Offline tropicalview

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #3 on: September 10, 2007, 04:37:56 PM »
I installed OpenVPN on my SME7.2 with the instructions of:
http://sme.firewall-services.com/spip.php?rubrique3

It works great, and it's in production.

Kind regards,
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- up to now)

Offline smeusr

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #4 on: September 11, 2007, 01:50:13 AM »
That's great news.  Thanks.

 :)

Offline smeusr

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #5 on: September 11, 2007, 04:21:28 PM »
Quote
I installed OpenVPN on my SME7.2 with the instructions of:
http://sme.firewall-services.com/spip.php?rubrique3

It works great, and it's in production.

Kind regards,

tropicalview, I just found this thread.  Are you aware of this or experiencing this?

http://forums.contribs.org/index.php?topic=38468.0

Cheers.


Offline haymann

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #6 on: September 14, 2007, 11:12:25 PM »
Quote
Are you aware of this or experiencing this?

http://forums.contribs.org/index.php?topic=38468.0

I have been using VIP-ire's OpenVPN contrib (mentioned by tropicalview) for around a year w/ no problems. I have it on two production machines currently and don't have any problems (other than a decent GUI Linux client...). I am not positive that I have added a new entry on "Hostnames and Address" since I have upgraded my servers to 7.2, but I have not seen the error mentioned in that post.

Offline Daniel B.

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #7 on: September 15, 2007, 08:32:10 PM »
Hi everyone.
I know this error can occur when you change ssh access, you add host names or you add virtual domains through the server-manager. But I'm working on the next release, much more clean (I wrote this contrib before reading the dev guide, I know it's very bad). I think I'll release it in one or two weeks, I'm now testing it. There will be very few new functions but it'll be more efficient, faster to start/restart, more stable, and much more integrated in SME. This time the dhcp bug should really be fixed (I know I've announced this for the last two releases, but this time I'm quite sure).
Anyway, I use the actual release (1.1-2) on about 15 servers in production, and I'm quite happy with it, I just check the messages log each time I change a setting in the server manager. If dhcpd cannot start, a /etc/init.d/openvpn-bridge restart can correct it.

It's the end of the world!!! :lol:

Offline jonic

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #8 on: September 20, 2007, 12:42:44 PM »
Quote
Hi everyone.
I know this error can occur when you change ssh access, you add host names or you add virtual domains through the server-manager. But I'm working on the next release, much more clean (I wrote this contrib before reading the dev guide, I know it's very bad). I think I'll release it in one or two weeks, I'm now testing it. There will be very few new functions but it'll be more efficient, faster to start/restart, more stable, and much more integrated in SME. This time the dhcp bug should really be fixed (I know I've announced this for the last two releases, but this time I'm quite sure).
Anyway, I use the actual release (1.1-2) on about 15 servers in production, and I'm quite happy with it, I just check the messages log each time I change a setting in the server manager. If dhcpd cannot start, a /etc/init.d/openvpn-bridge restart can correct it.



If you are rewriting this contrib, just a suggestion, could you get rid of the warning email sent by rootkit hunter complaining about the promiscuous interfaces?
Anyway big thanks for this great contrib!

Offline Daniel B.

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #9 on: September 20, 2007, 01:00:06 PM »
Hi.
I've read some documentation on rkhunter, and haven't found any parameters to make it ignore promisc interfaces. If anyone knows how, I'll integrate it in the contrib.
It's the end of the world!!! :lol:

Offline jonic

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #10 on: September 20, 2007, 01:25:10 PM »
From http://linux.die.net/man/8/rkhunter
Quote
--check-listen
    In addition to the ifconfig and "ip" promiscuous mode tests this makes rkhunter check for any applications that are listening on interfaces. Use on systems where the libpcap "-p" flag enables you to avoid interface promiscuous mode. Note any ifconfig or "ip" based promiscuous mode checks are obsolete on GNU/Linux systems running kernel 2.6. Unfortunately there is no easy way to distinguish between illegitimate libpcap/libnet-using applications, legit ones like IDSes or plain old DHCP clients. In short, this will definitely cause false positives so enable whitelisting for 'known good' applications. Examples are provided in the config file.

What I understand from this is if you set the libpcap -p flag to the openvpn interface, you will avoid the promiscuous mode.
I don't really know if this can be done, but I hope it helps you.

Offline Daniel B.

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #11 on: September 20, 2007, 01:28:23 PM »
From what I understand of this (I've already read this) the -p flag of libpcap allows applications (such as wireshark) to listen on an interface as if it was in promisc mode, without setting the promisc mode, but for openvpn we need to explicitly set the promisc
It's the end of the world!!! :lol:

Offline jonic

Re: sme 7.2 compatible with swerts knudsen OpenVPN contrib?
« Reply #12 on: September 20, 2007, 01:35:34 PM »
Quote
From what I understand of this (I've already read this) the -p flag of libpcap allows applications (such as wireshark) to listen on an interface as if it was in promisc mode, without setting the promisc mode, but for openvpn we need to explicitly set the promisc

Yeah, I think you're right.

However I found this: http://rkhunter.sourceforge.net/.
It appears that in version 1.3.0 (which is currently beta) there is a new option '--disable' that allows certain tests to be ignored.

I think we have to wait for this new version to make its way into SME.

Offline pcowley

sme 7.3 and swerts knudsen OpenVPN contrib error
« Reply #13 on: January 19, 2008, 12:56:37 PM »
I am having issues trying to regenerate the client certificates after clearing all the certificates out and regenerating them again.

The ca is generated fine, as is the server certificate but I get this when I try and generate the client certificate:

commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'admin@pcowley.my-net-space.net'
Certificate is to be certified until Jan 16 11:38:32 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

failed to update database

TXT_DB error number 2  <-- note this is the error



And the client.crt file generated is 0 bytes long!  I tried it again with the same result.

Does anyone have any idea?

Cheers
Pete
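
A diagnostic for the failure above, as an added example that is not part of the original post: `TXT_DB error number 2` is OpenSSL's index-clash error, raised when `openssl ca` cannot add the new row to the CA's `index.txt`, most often because a valid certificate with the same subject is already recorded (the default `unique_subject = yes`). The database path is passed as an argument, and the sample rows, names and serials are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check an OpenSSL CA index.txt for a
# valid entry that would collide with the certificate about to be signed.
# index.txt columns (tab-separated): 1 status (V/R/E), 2 expiry,
# 3 revocation date, 4 serial, 5 file name, 6 subject DN.

# valid_rows FILE: print "serial<TAB>subject" for every valid (V) row.
valid_rows() {
    awk -F '\t' '$1 == "V" { printf "%s\t%s\n", $4, $6 }' "$1"
}

# would_clash FILE SUBJECT: succeed if SUBJECT already has a valid row.
# Revoked (R) rows are ignored: only valid rows take part in the
# unique-subject index, so a revoked name can be issued again.
would_clash() {
    SUBJ="$2" awk -F '\t' '
        $1 == "V" && $6 == ENVIRON["SUBJ"] { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample database (all names and serials are made up).
write_sample_index() {
    f=$(mktemp) || return 1
    {
        printf 'V\t180116113832Z\t\t01\tunknown\t/C=FR/O=Example/CN=server\n'
        printf 'R\t180116113900Z\t080118120000Z\t02\tunknown\t/C=FR/O=Example/CN=fred\n'
        printf 'V\t180116114000Z\t\t03\tunknown\t/C=FR/O=Example/CN=laptop\n'
    } > "$f"
    printf '%s\n' "$f"
}

idx=$(write_sample_index)
valid_rows "$idx"
for subject in /C=FR/O=Example/CN=server /C=FR/O=Example/CN=fred; do
    if would_clash "$idx" "$subject"; then
        echo "CLASH: $subject already has a valid certificate"
    else
        echo "ok:    $subject can be signed"
    fi
done
rm -f "$idx"
```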