Topic: Installing VPN server on Koozali 10.1

[dallas]

I have a GoDaddy SSL certificate on my server that was migrated to 10.1 from a 9.2 server via backup/restore.
I'm trying to implement a VPN server on the 10.1 to restore the remote access I previously enjoyed. I installed the smeserver-phpki-ng contrib and saw the following message.

******************************************************
*
*       !!! IMPORTANT - READ THIS NOW !!!
*
******************************************************
*  This contrib now has higher levels of encryption
*
*  We cannot upgrade your existing certificates
* existing certificates from SME9 or below have either
* md5WithRSAEncryption sha1WithRSAEncryption
* as Signature Algorithm (weak).
* only way to update to sha256 or sha512 is to
* start from scratch.
*
*  If you have existing certificates you want to use
*  then start with a new CA, backup up, and then restore
*  your phpki-store directory in /opt/phpki
*
******************************************************

Since the GoDaddy certificate is SHA2, how do use it?

[ReetP]

phpki-ng is for creating your own self signed certificate for vpn use.

Read here.

https://wiki.koozali.org/PHPki

Does your SSL certificate allow VPN connections or is it https only?

If you can use you godaddy cert you don't need phpki-ng.

Note the warning is only for previously created phpki-ng certs. Nothing to do with your godaddy cert.

[Jean-Philippe Pialasse]

moving to sme contribs 10 forum

[dallas]

@ReetP
Thanks for the reply. I have uninstalled phpki-ig. I'm not sure if my GoDaddy cert allows VPN but it all worked OK in 9.2.

Server manager is now showing "IPSEC VPN is not installed. Please install the contrib if you need VPN access." in VPN Settings

However I can't find an IPSEC contrib for 10.1.

[ReetP]

No idea.

Did you remove smeserver-phpki-ng ?

[dallas]

Yes, I removed  smeserver-phpki-ng.

[ReetP]

No idea what you have done.

Not sure why you get an ipsec warning, and I'm a thousand miles from my desktop.

Ipsec is run by the libreswan packages but they don't touch server manager.

I'll check when I'm home over the weekend if no one else leaps in.

[ReetP]

OK - at a guess as you haven't said anything but I suspect you enabled VPN Access for a user in User Accounts.

However I can't find an IPSEC contrib for 10.1.

Because it is called Libreswan.

I also suspect that somewhere you have played with ipsec/libreswan at some point and not told us as that setting should probably only show if you have an ipsec setting and you would not have one without installing that contrib at some point.

useraccounts.pm reveals

Code: [Select]

  1223     # Don't show ipsecrw setting unless the status property exists
  1224     return '' unless ($configdb->get('ipsec')

So paste the output from:

Code: [Select]

config show ipsec
Either way it won't affect anything.

Just delete that key if it is not required.

I'm not sure if my GoDaddy cert allows VPN but it all worked OK in 9.2.

If it did in 9.2 then it should in 10.1 and I am not sure what you have done differently.

Do the same thing you did in v9 - whatever that was.

[dallas]

Package smeserver-extrarepositories-libreswan-0.1-45.noarch is already installed.

useraccounts.pm returns nothing. However Server Manager  shows 2 users with VPN client=Yes.

[root@www ~]# config show ipsec
ipsec=service
    UDPPorts=500,4500
    access=private
    auto=start
    connectiontype=tunnel
    debug=none
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    ikelifetime=3600s
    ipsecversion=yes
    left=%defaultroute
    pfs=yes
    salifetime=28800s
    security=secret
    status=disabled

[ReetP]

However I can't find an IPSEC contrib for 10.1.

> Because it is called Libreswan.

Package smeserver-extrarepositories-libreswan-0.1-45.noarch is already installed.

So you must have read this?

https://wiki.koozali.org/Libreswan#Libreswan

You are running us in circles here and wasting peoples time by not explaining properly what you are trying to do, and what you have done so far and why.

So why have you got libreswan installed? What sort of vpn did you run before? Ipsec, openvpn? Bridged, routed, remote device?

This is one of these.

https://xyproblem.info/

Read this fully please and document everything, and not a few bits.

https://forums.koozali.org/index.php?topic=54724.0

[dallas]

> Because it is called Libreswan.

So you must have read this?

https://wiki.koozali.org/Libreswan#Libreswan

Yes I have read this.

You are running us in circles here and wasting peoples time by not explaining properly what you are trying to do, and what you have done so far and why.

I want to have remote access to my server to access email on the server as it is only accessible when on my local network. (This is deliberate)

So why have you got libreswan installed? What sort of vpn did you run before? Ipsec, openvpn? Bridged, routed, remote device?

I thought I needed it for remote access. Previous VPN was L2TP.
I would really like to be running OpenVPN on this server.

In getting to this mess I did the following...
In the order listed..
installed smeserver-bridge-interface + dependencies
installed smeserver-softethervpn-server + dependencies
installed smeserver-openvpn-bridge + dependencies
installed smeserver-libreswan + dependencies
installed smeserver-phpki-ng + dependencies

I have subsequently removed the following.
smeserver-openvpn-bridge
smeserver-phpki-ng

[ReetP]

Yes I have read this.

No, you didn't. Because:

However I can't find an IPSEC contrib for 10.1.

smeserver-libreswan contrib page says:

Libreswan is a free software implementation of the most widely supported and standarized VPN protocol based on

 ("IPsec")

<sigh>

In getting to this mess I did the following...

installed smeserver-bridge-interface + dependencies
installed smeserver-softethervpn-server + dependencies
installed smeserver-openvpn-bridge + dependencies
installed smeserver-libreswan + dependencies
installed smeserver-phpki-ng + dependencies

So instead of trying to solve a situation you just threw the kitchen sink at it?

Uninstall them all. Remove the ipsec key.

L2TP is (should be) deprecated as seriously insecure. Do not use it.

You should use openvpn (probably the routed version) or wireguard which is available on v10.

I want to have remote access to my server to access email on the server as it is only accessible when on my local network. (This is deliberate)

So you will allow vpn access but not secure email access using imaps? Ok....

No idea what mode your server runs or if you have a router so can't advise you on how to set it up.

You'll need to read the docs properly. In server gateway it will set up the correct ports.

In server only you need to understand what ports you should permit on your router.

[dallas]

No, you didn't. Because:

Yes I did but I'm not the all knowing developer, just a hapless user.
 

So instead of trying to solve a situation you just threw the kitchen sink at it?

Why not? 

Uninstall them all. Remove the ipsec key.

Where do I find that key?

You should use openvpn

That's what I was trying to implement.

So you will allow vpn access but not secure email access using imaps? Ok....

There is no access to my mail server from outside my local network. Maybe I should be looking at imaps but there are only 2 users that need to collect email remotely and I still need vpn access to manage the server.

No idea what mode your server runs

Mode is server / gateway
We will be away from home for a couple of weeks so as an interim fix I ran up a Ubuntu machine and installed OpenVPN, port forwarded the ports that I have on the old SME9.2 to the Ubuntu machine and it just works. I'm not sure which port/ports I need but the OpenVPN app on my phone is connecting to 1194 UDP. I'm not sure what the purpose of the other ports are.

I really appreciate the help you have provided even if I've been a little short with my comments.

[ReetP]

Yes I did but I'm not the all knowing developer, just a hapless user.

I'm actually just a bit of a hack who spends too much time reading the docs carefully.

Why not? 

See the XY Problem. You just make things complicated for yourself, and then waste lots of other peoples free time as they try and help you sort it out.

Make a lot more sense to have asked "I want to install a VPN. What do you recommend?"

Where do I find that key?

You already did. See above.

[root@www ~]# config show ipsec
ipsec=service

Worth a read in the docs on how to remove it.

That's what I was trying to implement.

So why try everything and not just read the wiki pages on openvpn?

There is no access to my mail server from outside my local network. Maybe I should be looking at imaps but there are only 2 users that need to collect email remotely and I still need vpn access to manage the server.

Just wireguard. It's in the wiki.

Mode is server / gateway
We will be away from home for a couple of weeks so as an interim fix I ran up a Ubuntu machine and installed OpenVPN, port forwarded the ports that I have on the old SME9.2 to the Ubuntu machine and it just works.

just a hapless user.

So not quite so hapless if you managed that then.......

I'm not sure which port/ports I need but the OpenVPN app on my phone is connecting to 1194 UDP. I'm not sure what the purpose of the other ports are.

The contrib will do that for you.

https://wiki.koozali.org/OpenVPN_Routed

https://wiki.koozali.org/Wireguard