Koozali.org: home of the SME Server

Multiple SME OPENVPN

dbaddour
Multiple SME OPENVPN
« on: December 19, 2011, 11:52:57 PM »
Hi All,

I am trying to connect multiple SME servers in different locations to one hub server, where most of our data resides and which all the other offices need to access. I was looking at the site-to-site config; it did work well. The question now is how I can have the road warriors connect to the server via VPN. Configuring the VPN as in the "How-To" with the contribs after installing the site-to-site causes a conflict downloading the .rpm, and I am not able to proceed. Does anyone have an idea how I can do this, please?

Daniel B.
Firewall Services, network security
Re: Multiple SME OPENVPN
« Reply #1 on: December 20, 2011, 09:39:58 AM »
What I do in this case is use the smeserver-openvpn-s2s contrib to inter-connect the servers, and then install and configure smeserver-openvpn-bridge on one server for road warriors. Both OpenVPN contribs can run at the same time without any conflict (as long as you choose different ports). Please take a look at this: http://wiki.contribs.org/OpenVPN_Bridge.

Regards, Daniel
It's the end of the world!!! :lol:

dbaddour
Re: Multiple SME OPENVPN
« Reply #2 on: December 20, 2011, 12:25:36 PM »
Hi Daniel,

Thank you for the info. Just out of curiosity, why can't I use the routed VPN instead of bridged? I remember having this conversation with my boss, and he was completely against bridging. Is there any way I can install and use routed VPN with the site-to-site connection? That was the idea.


Thank you
David

Daniel B.
Re: Multiple SME OPENVPN
« Reply #3 on: December 20, 2011, 12:32:51 PM »
The site-to-site contrib creates point-to-point connections, so if you want to use it for road warriors, you'll have to configure one daemon per client. The bridge contrib configures just one daemon, and any number of clients can connect. Another advantage of the bridge contrib for road warriors is that you can use dual authentication (certificate and password); the site-to-site contrib can't do that (because it's made for server-to-server, there's no password prompt). And there's a final advantage of the bridge contrib: as clients are connected on the internal subnet, any communication passes, even some which doesn't use TCP/IP; broadcast also just works (mDNS/Bonjour, for example).

Regards, Daniel

dbaddour
Re: Multiple SME OPENVPN
« Reply #4 on: December 20, 2011, 01:01:22 PM »
Again Daniel, thank you so much for the fast reply.
Here is my task. We have multiple offices around the globe; let us take an example: one office in the UK, one in Australia, one in Alaska, and the main office in Nova Scotia (CA). In my testing environment I have all the hardware with me; all 4 SME servers are installed. I want all these servers to connect to the main office in NS, as it holds all the data in our datacenter. So I have to create multiple site-to-site connections from all servers to NS (of course one daemon to one client); this can be done using the site-to-site in the server-manager GUI. This I completely understand as a straight-through connection between the servers only, as long as the users are connected to the same subnet as the SME server. The second part of this task is: the staff in those different locations travel a fair bit for field work and need a connection to their office for "stuff". What I want to do is to have server-to-client OpenVPN installed on these servers so only the staff in and around their location can connect to their office through the VPN. I do like the bridge technology and the dual security feature, but my manager disagrees with me as he prefers using routed VPN instead, as he claims it is more secure and doesn't advertise the internal (local) IP address while connecting.
My questions to you Daniel:
- Is this plan good to go, in the way I would like it to perform?
- Is there something that I don't see regarding the security features of routed versus bridged connections?
- If I go with my plan and use bridged VPN, this means it will be installed on each of these servers, and only the staff of each location will have the password and cert of the server their office belongs to? Is that how it's supposed to be?

Thank you so much, hope you have great holidays

Daniel B.
Re: Multiple SME OPENVPN
« Reply #5 on: December 20, 2011, 01:11:26 PM »
> The second part of this task is: the staff in those different locations travel a fair bit for field work and need a connection to their office for "stuff". What I want to do is to have server-to-client OpenVPN installed on these servers so only the staff in and around their location can connect to their office through the VPN. I do like the bridge technology and the dual security feature, but my manager disagrees with me as he prefers using routed VPN instead, as he claims it is more secure and doesn't advertise the internal (local) IP address while connecting.

Well, you should explain to your manager that routed VPN doesn't bring extra security by itself. Routed VPN can be more secure, because VPN clients are on a separate network and you can easily apply firewall rules (but good luck integrating this cleanly on SME). If you don't need/want to limit what VPN clients can access on your internal network, bridge is better IMHO. And if you need this kind of filtering, you can also do it with a bridged setup (with ebtables instead of iptables).

> My questions to you Daniel:
> - Is this plan good to go, in the way I would like it to perform?
> - Is there something that I don't see regarding the security features of routed versus bridged connections?
> - If I go with my plan and use bridged VPN, this means it will be installed on each of these servers, and only the staff of each location will have the password and cert of the server their office belongs to? Is that how it's supposed to be?

If all 4 servers are connected to the central one, you can install the bridge contrib on just one of them (most probably the central one). If you have configured all the routes correctly, road warriors will be able to contact every other local network. So I suggest you only install the road-warrior VPN server at your central location.
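To make the routed-versus-bridged filtering point concrete, here is an added example (not part of the thread, and not what either contrib generates) of the two rule sets a hub could apply: iptables on the routed tun interface, ebtables on the bridged tap interface, both restricting road warriors to SMB on one file server. The VPN subnet 10.8.0.0/24, the interface names tun0/tap0, the file server 192.168.1.10 and the allowed ports are all assumed placeholders; `DRY_RUN=1` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: restrict OpenVPN road warriors to one internal host on the hub.
# Not the s2s or bridge contribs' own templates; every address and name below is assumed.
VPN_NET=${VPN_NET:-10.8.0.0/24}        # assumed subnet handed to routed (tun) clients
VPN_DEV=${VPN_DEV:-tun0}               # assumed routed-mode interface
TAP_DEV=${TAP_DEV:-tap0}               # assumed bridged-mode interface (bridge member)
FILESERVER=${FILESERVER:-192.168.1.10} # assumed LAN host the road warriors may reach
ALLOWED="tcp/445 tcp/139"              # assumed services: SMB file sharing

# DRY_RUN=1 prints each command instead of executing it, so the policy can be reviewed first
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Routed mode: clients are on their own subnet, so ordinary iptables FORWARD rules
# with connection tracking give a stateful policy in both directions.
routed_rules() {
  run /sbin/iptables -A FORWARD -i "$VPN_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run /sbin/iptables -A FORWARD -o "$VPN_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  for svc in $ALLOWED; do
    proto=${svc%%/*}; port=${svc#*/}
    run /sbin/iptables -A FORWARD -i "$VPN_DEV" -s "$VPN_NET" -d "$FILESERVER" \
      -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  done
  # explicit final drop: never rely on the chain's default policy
  run /sbin/iptables -A FORWARD -i "$VPN_DEV" -j DROP
}

# Bridged mode: clients sit on the LAN segment itself, so frames are switched, not routed,
# and must be filtered with ebtables. ebtables is stateless: only the client-to-LAN
# direction is matched here; replies leave through -o tap0 and are not touched.
bridged_rules() {
  run /sbin/ebtables -A FORWARD -i "$TAP_DEV" -p ARP -j ACCEPT   # ARP must pass or nothing resolves
  for svc in $ALLOWED; do
    proto=${svc%%/*}; port=${svc#*/}
    run /sbin/ebtables -A FORWARD -i "$TAP_DEV" -p IPv4 --ip-destination "$FILESERVER" \
      --ip-protocol "$proto" --ip-destination-port "$port" -j ACCEPT
  done
  run /sbin/ebtables -A FORWARD -i "$TAP_DEV" -j DROP
}

# Usage: sh vpn-filter.sh routed | bridged   (DRY_RUN=1 to print only)
case "${1:-}" in
  routed)  routed_rules ;;
  bridged) bridged_rules ;;
esac
```

Two practical caveats. On SME the firewall is regenerated from templates and restarted by events, so rules added from a shell like this are lost at the next restart and would have to live in a custom template fragment; that is the integration pain Daniel alludes to. And on older kernels the bridge module's `bridge-nf-call-iptables` sysctl defaults to 1, in which case iptables also sees bridged frames in FORWARD, which gives a stateful alternative to the ebtables rules above.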

dbaddour
Re: Multiple SME OPENVPN
« Reply #6 on: December 20, 2011, 01:31:10 PM »
Hi Again,
Great that we both agree on the bridging technology.
Just for verification on the second part of your reply to my question: so all you suggest is to install the site-to-site server on the main server with 3 different daemons, one for each other server, and the other 3 servers will be clients connected that way to the main server, of course with some work on the routes in between?

Daniel B.
Re: Multiple SME OPENVPN
« Reply #7 on: December 20, 2011, 01:32:52 PM »
I suggest the following:

- on the central server, you install the site-to-site contrib and configure 3 daemons. You also install the bridge contrib, which will handle road warriors
- on the other servers, you just install the site-to-site contrib

dbaddour
Re: Multiple SME OPENVPN
« Reply #8 on: December 31, 2011, 03:16:30 PM »
Hi Again,

Ok, all is well. What is the "How To" to follow for the same scenario but, instead of using the bridged VPN, using the routed VPN (I would not have enough IPs for the bridge internally)? I have tried using the routed VPN with the site-to-site config; I end up with a conflict between routed and the site-to-site core configuration.
Routed VPN was originally requested by my manager; he is still expecting me to use it.

Would anyone please shed some light on this for me.

Many thanks, and I hope everyone had great holidays

Cheers
David

dbaddour
Re: Multiple SME OPENVPN
« Reply #9 on: January 15, 2012, 02:12:04 PM »
Hi Again,

Sorry for going back to this requirement again. It was required by management to set up a site-to-site connection (which I have already done using the link in the previous reply); it is working fine, thank you. The second big requirement is to have routed ("not bridged") OpenVPN for the road users.
Here is what I did or followed so far:
- for the site-to-site I followed the instructions from: smeserver-openvpn-s2s contrib Installation
this worked fine and was tested.
Now, to use OpenVPN for off-site users, I followed the instructions from: http://wiki.contribs.org/OpenVPN Routed. This caused me issues: the version was not compatible with the one for the "smeserver-openvpn-s2s contrib"; I tried to get a compatible version and ended up with some files that couldn't be written, as they are already in use by the site-to-site.
Would someone please guide me in the right direction? If you have done it this way, please send me the links or tell me where to download from.

Thank you, HELP please.


dbaddour
Re: Multiple SME OPENVPN
« Reply #10 on: January 18, 2012, 12:28:57 PM »
Hi again,

Finally I got that far now with site-to-site and configured the routed OpenVPN for road warriors. But I am stuck on this now: OpenVPN will not start; I receive the following error:
[root@jso-dmtvpn1 ~]# service openvpn start
Starting openvpn: ./openvpn.up: line 3: route: command not found
./openvpn.up: line 4: route: command not found
./openvpn.up: line 5: route: command not found
                                                           [FAILED]
I also receive the same if I use /etc/init.d/openvpn start



Idea? Help?
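An added example, not the contrib's generated script and not from the thread, of an up script that does not depend on PATH. The error above says the shell running openvpn.up cannot find `route`: the OpenVPN daemon's environment is not your interactive root shell's, so a bare command name is fragile and the tool should be called by absolute path. The script below uses /sbin/ip from iproute for that, follows OpenVPN's documented up-script argument order (tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]), and assumes the branch subnets, the `BRANCH_NETS` variable and the `DRY_RUN` switch.

```shell
#!/bin/sh
# /etc/openvpn/openvpn.up, added example; not the contrib's generated file.
# OpenVPN runs an --up script as:
#   openvpn.up tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# Tools are called by absolute path on purpose: the daemon's PATH is not your login
# shell's, and a bare "route" is what produced "route: command not found".
IP=/sbin/ip
LOGGER=/usr/bin/logger

# Assumed: the networks behind the far end of this tunnel. Set it per daemon with
# "setenv BRANCH_NETS ..." in that daemon's config, or edit the default here.
BRANCH_NETS=${BRANCH_NETS:-192.168.10.0/24 192.168.20.0/24}

# DRY_RUN=1 prints each command instead of executing it
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# add_route NET GATEWAY DEV. "replace" is idempotent: when the daemon restarts and
# reruns this script, "route add" would fail with "File exists"; "replace" does not.
add_route() {
  run "$IP" route replace "$1" via "$2" dev "$3"
}

main() {
  dev=$1 remote=$5 action=${6:-init}
  if [ "${DRY_RUN:-0}" != 1 ] && [ ! -x "$IP" ]; then
    echo "$0: $IP not found; install iproute or point IP= at the right binary" >&2
    exit 1
  fi
  for net in $BRANCH_NETS; do
    add_route "$net" "$remote" "$dev" || exit 1
  done
  run "$LOGGER" -t openvpn.up "$action: routed $BRANCH_NETS via $remote on $dev"
}

# Act only when OpenVPN hands us a device name; sourcing the file for review does nothing.
case "${1:-}" in
  tun*|tap*) main "$@" ;;
esac
```

Two things to check before using it. For a point-to-point site-to-site tunnel the fifth argument is the peer's tunnel address and is the right gateway; on a server-mode daemon with `topology subnet` that argument is a netmask, so the script must not be reused unchanged on the road-warrior daemon. And for static routes like these, OpenVPN's own `route 192.168.10.0 255.255.255.0` directive in the daemon's config adds the route itself with no script at all, which is the simpler fix; either way the branch servers still need a return route for the road-warrior subnet over their tunnel, or replies never come back.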