Koozali.org: home of the SME Server

SME Openvpn-s2s as SERVER with OPENWRT clients??

M3kk
« on: December 19, 2012, 10:16:38 AM »
Hello, I have a question, problem..

I have 9 locations (a Central and 8 small locations). All the locations have different ISPs and I use the smeserver-openvpn-s2s for tunneling between them..
At the CENTRAL I have the "BIG" SME Server, with 192.168.0.x LAN, and the others are with 2.x, 3.x, 4.x .. 9.x, all with an SME Server configured (PC) with smeserver-openvpn-s2s too, configured as the clients..

I would like to change those locations' servers to OPENWRT-capable routers, but keep these tunnels..
So my question is.. is it possible to do this, to keep the smeserver-openvpn-s2s on the "Central" PC Server, and from the locations connect to it from OPENWRT-based routers?

Sorry for my bad English, and ask if you don't understand something well :).

Thanks in advance.

Stefano
« Reply #1 on: December 19, 2012, 10:38:51 AM »
AFAIK smeserver-openvpn-s2s only "helps" you to configure a site-to-site openvpn tunnel..

you could take a look into /etc/ directory (in one of your "external" SME) for openvpn conf file (I bet it's in /etc/openvpn) and other files.. make a copy of all of them (backup, always backup), then copy them on your router and try..

easier to do than to say

M3kk
« Reply #2 on: December 19, 2012, 11:02:53 AM »
Hello,

I already have the site-to-site tunnels.. but at the 2.x, 3.x etc. places I have a PC configured with SME too, with OpenVPN site-to-site as clients.. And I want to change them to OpenWRT-capable routers, and use the site-to-site tunnel as I used it with the SME servers.. It's useless to keep 9 PCs only for tunneling..

Thx..

Stefano
« Reply #3 on: December 19, 2012, 11:06:01 AM »
M3kk, as I suggested, all you need (I guess) is a copy of your configuration files (and certificates and so on) from one of your PCs..
then copy them on your router and try..  it should work

M3kk
« Reply #4 on: December 19, 2012, 11:08:10 AM »
OK, I got them, but..

In the conf files I have openvpn users and groups..
And.. I don't know if I need to install any package or something similar for the openwrt.. or where to copy the config files, etc..

thx.

Stefano
« Reply #5 on: December 19, 2012, 11:34:58 AM »
Quote
OK, I got them, but..

In the conf files I have openvpn users and groups..
And.. I don't know if I need to install any package or something similar for the openwrt.. or where to copy the config files, etc..

thx.

then you should ask for support on any OPENWRT forum/related site, telling them "I have these files, how can I use them with OPENWRT? is there anything I have to install on my router?" :-)

your problem is with OPENWRT now, not SME :-)

Daniel B.
« Reply #6 on: December 19, 2012, 12:13:54 PM »
Hi. I use OpenWRT (on Linksys devices) as OpenVPN-s2s client (4 clients use a setup like that). I've written a small how-to here: https://wikit.firewall-services.com/doku.php?id=tuto:ipasserelle:vpn:vpn_wrt (sorry, it's in French, but Google might help you with translation ;-))
It's the end of the world!!! :lol:

M3kk
« Reply #7 on: December 19, 2012, 12:33:31 PM »
Hello :).

Yes, I found that, but Google can't translate it because of https :P.
Can you PM me with a quick setup regarding the clients (openwrt) side?

Thank you in advance! :).

Daniel B.
« Reply #8 on: December 19, 2012, 12:35:42 PM »
you can just copy/paste the how-to on http://translate.google.com/ ....
It's the end of the world!!! :lol:

M3kk
« Reply #9 on: December 19, 2012, 12:54:02 PM »
OK, I think I got it..

I have 2 questions also.. :).
About this part:
cacert.pem (the certificate authoritarian)
cert.pem (the certificate that will be used by the WRT to generate with PHPki example)

cacert.pem - where can I find it, or where can I generate it?
cert.pem - I understand I can generate it with PHPki, but from which file?

I can find these 2 files on the client SME too, but they are empty ..

BTW, my current WORKING config on the SME Client machine is:

Quote
#------------------------------------------------------------
#          !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------


port 33309
proto udp
dev tunmc
nobind
remote xxx.xxx.xxx.xxx


# Drop down privileges
user openvpn
group openvpn
chroot /etc/openvpn/s2s

persist-key
persist-tun

# Authentication
secret priv/mc_sharedkey.pem


route-noexec
up bin/up

# Remote Networks
route 192.168.0.0 255.255.255.0

setenv vpnid mc


ifconfig 10.21.0.109 10.21.0.9

# Options
comp-lzo adaptive


keepalive 5 20
mtu-test
passtos

# Custom options


# Log
status-version 2
status status-mc.txt
verb 3
log-append /var/log/openvpn-s2s/mc.log


« Last Edit: December 19, 2012, 01:00:14 PM by M3kk »

Daniel B.
« Reply #10 on: December 19, 2012, 06:27:47 PM »
the example in the how-to uses TLS auth, you use a shared secret, you just have to adapt it (just ignore all the tls-client, cert, key and cacert directives)
It's the end of the world!!! :lol:
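
The adaptation described in the last reply, as an added example (not code from the thread or from the linked how-to): POSIX shell functions that detect a config mixing `secret` with TLS directives, comment those directives out, and list the directives that depend on local accounts or files. The sample config, its paths and host name, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config before moving it to another box.

# Directives that only apply to TLS/certificate authentication.
TLS_RE='^(tls-client|tls-server|tls-auth|ca|cert|key|pkcs12|dh)$'

# Print "static-key", "tls", "mixed" or "none" for the config on stdin.
ovpn_auth_mode() {
    awk -v tls="$TLS_RE" '
        $1 == "secret" { s = 1 }
        $1 ~ tls       { t = 1 }
        END {
            if (s && t) print "mixed"
            else if (s) print "static-key"
            else if (t) print "tls"
            else        print "none"
        }'
}

# Copy stdin to stdout, commenting out TLS-only directives.
ovpn_strip_tls() {
    awk -v tls="$TLS_RE" '
        $1 ~ tls { print "# removed (static-key mode): " $0; next }
        { print }'
}

# List directives that reference local accounts or files.
ovpn_local_deps() {
    awk '$1 ~ /^(user|group|chroot|secret|up|status|log|log-append)$/ { print $1, $2 }'
}

# Constructed sample: a TLS how-to config with a static key pasted in.
sample_config() {
    cat <<'EOF'
remote vpn.example.invalid 33309
tls-client
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/cert.pem
key /etc/openvpn/key.pem
secret /etc/openvpn/sharedkey.pem
user openvpn
group openvpn
ifconfig 10.21.0.109 10.21.0.9
route 192.168.0.0 255.255.255.0
EOF
}

sample_config | ovpn_strip_tls | ovpn_auth_mode
```

Each `user`, `group` and path reported by `ovpn_local_deps` has to exist on the router, or be changed in the config, before OpenVPN will start with it.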