Koozali.org: home of the SME Server

Installing VPN server on Koozali 10.1

Offline dallas

« on: December 23, 2024, 06:37:55 AM »
I have a GoDaddy SSL certificate on my server that was migrated to 10.1 from a 9.2 server via backup/restore.
I'm trying to implement a VPN server on the 10.1 to restore the remote access I previously enjoyed. I installed the smeserver-phpki-ng contrib and saw the following message.

******************************************************
*
*       !!! IMPORTANT - READ THIS NOW !!!
*
******************************************************
*  This contrib now has higher levels of encryption
*
*  We cannot upgrade your existing certificates
* existing certificates from SME9 or below have either
* md5WithRSAEncryption sha1WithRSAEncryption
* as Signature Algorithm (weak).
* only way to update to sha256 or sha512 is to
* start from scratch.
*
*  If you have existing certificates you want to use
*  then start with a new CA, backup up, and then restore
*  your phpki-store directory in /opt/phpki
*
******************************************************

Since the GoDaddy certificate is SHA2, how do I use it?

Offline ReetP

« Reply #1 on: December 24, 2024, 11:04:54 AM »
phpki-ng is for creating your own self signed certificate for vpn use.

Read here.

https://wiki.koozali.org/PHPki

Does your SSL certificate allow VPN connections or is it https only?

If you can use your godaddy cert you don't need phpki-ng.

Note the warning is only for previously created phpki-ng certs. Nothing to do with your godaddy cert.


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
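
The banner quoted in the first post names md5WithRSAEncryption and sha1WithRSAEncryption as the weak signature algorithms, and the reply above says it concerns only certificates previously created with phpki-ng. As an added example (not from this thread and not phpki-ng code), the script below reports the signature algorithm of each certificate in a directory; the function names, the script name, the `.pem`/`.crt` extensions and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not phpki-ng code): report certificate signature algorithms.

# Pull the first "Signature Algorithm:" value out of `openssl x509 -text` output.
sigalg_from_text() {
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Map an algorithm name to a verdict. md5/sha1 are the ones the banner calls weak.
classify_sigalg() {
    case "$1" in
        "")                          echo unreadable ;;
        md5*|sha1*|*SHA1)            echo weak ;;
        sha256*|sha384*|sha512*)     echo ok ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo ok ;;
        *)                           echo review ;;   # e.g. rsassaPss: hash is in the parameters
    esac
}

# audit_cert FILE -> "verdict<TAB>algorithm<TAB>file"
audit_cert() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sigalg_from_text)
    printf '%s\t%s\t%s\n' "$(classify_sigalg "$alg")" "${alg:-none}" "$1"
}

# audit_dir DIR: audit every *.pem / *.crt (extensions are an assumption);
# returns 1 if at least one certificate is weak.
audit_dir() {
    rc=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        line=$(audit_cert "$f")
        printf '%s\n' "$line"
        case "$line" in weak*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample lines, as printed by `openssl x509 -noout -text`.
SAMPLE_OLD='        Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_NEW='        Signature Algorithm: sha256WithRSAEncryption'

# Run as: sh audit-sigalg.sh /path/to/cert/dir   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A `review` verdict means the algorithm name alone does not settle the question and the full `openssl x509 -text` output should be read.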

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
« Reply #2 on: December 25, 2024, 07:41:43 PM »
moving to sme contribs 10 forum

Offline dallas

« Reply #3 on: December 26, 2024, 11:33:46 PM »
@ReetP
Thanks for the reply. I have uninstalled phpki-ng. I'm not sure if my GoDaddy cert allows VPN but it all worked OK in 9.2.

Server manager is now showing "IPSEC VPN is not installed. Please install the contrib if you need VPN access." in VPN Settings

However I can't find an IPSEC contrib for 10.1.

Offline ReetP

« Reply #4 on: December 27, 2024, 02:02:10 AM »
No idea.

Did you remove smeserver-phpki-ng ?

Offline dallas

« Reply #5 on: December 27, 2024, 02:54:45 AM »
Yes, I removed smeserver-phpki-ng.

Offline ReetP

« Reply #6 on: December 27, 2024, 09:31:51 AM »
No idea what you have done.

Not sure why you get an ipsec warning, and I'm a thousand miles from my desktop.

Ipsec is run by the libreswan packages but they don't touch server manager.

I'll check when I'm home over the weekend if no one else leaps in.

Offline ReetP

« Reply #7 on: December 28, 2024, 01:59:56 PM »
OK - at a guess as you haven't said anything but I suspect you enabled VPN Access for a user in User Accounts.

Quote
However I can't find an IPSEC contrib for 10.1.

Because it is called Libreswan.

I also suspect that somewhere you have played with ipsec/libreswan at some point and not told us as that setting should probably only show if you have an ipsec setting and you would not have one without installing that contrib at some point.

useraccounts.pm reveals

Code:
    # Don't show ipsecrw setting unless the status property exists
    return '' unless ($configdb->get('ipsec')

So paste the output from:

Code:
config show ipsec
Either way it won't affect anything.

Just delete that key if it is not required.

Quote
I'm not sure if my GoDaddy cert allows VPN but it all worked OK in 9.2.

If it did in 9.2 then it should in 10.1 and I am not sure what you have done differently.

Do the same thing you did in v9 - whatever that was.

Offline dallas

« Reply #8 on: December 28, 2024, 09:53:41 PM »
Package smeserver-extrarepositories-libreswan-0.1-45.noarch is already installed.

useraccounts.pm returns nothing. However Server Manager shows 2 users with VPN client=Yes.

[root@www ~]# config show ipsec
ipsec=service
    UDPPorts=500,4500
    access=private
    auto=start
    connectiontype=tunnel
    debug=none
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    ikelifetime=3600s
    ipsecversion=yes
    left=%defaultroute
    pfs=yes
    salifetime=28800s
    security=secret
    status=disabled

Offline ReetP

« Reply #9 on: December 28, 2024, 11:53:36 PM »
Quote
However I can't find an IPSEC contrib for 10.1.

> Because it is called Libreswan.

Quote
Package smeserver-extrarepositories-libreswan-0.1-45.noarch is already installed.

So you must have read this?

https://wiki.koozali.org/Libreswan#Libreswan

You are running us in circles here and wasting people's time by not explaining properly what you are trying to do, and what you have done so far and why.

So why have you got libreswan installed? What sort of vpn did you run before? Ipsec, openvpn? Bridged, routed, remote device?

This is one of these.

https://xyproblem.info/

Read this fully please and document everything, and not a few bits.

https://forums.koozali.org/index.php?topic=54724.0


Offline dallas

« Reply #10 on: December 29, 2024, 07:41:13 AM »
> Because it is called Libreswan.

So you must have read this?

https://wiki.koozali.org/Libreswan#Libreswan

Yes I have read this.

Quote
You are running us in circles here and wasting people's time by not explaining properly what you are trying to do, and what you have done so far and why.

I want to have remote access to my server to access email on the server as it is only accessible when on my local network. (This is deliberate)

Quote
So why have you got libreswan installed? What sort of vpn did you run before? Ipsec, openvpn? Bridged, routed, remote device?

I thought I needed it for remote access. Previous VPN was L2TP.
I would really like to be running OpenVPN on this server.

In getting to this mess I did the following...
In the order listed..
installed smeserver-bridge-interface + dependencies
installed smeserver-softethervpn-server + dependencies
installed smeserver-openvpn-bridge + dependencies
installed smeserver-libreswan + dependencies
installed smeserver-phpki-ng + dependencies

I have subsequently removed the following.
smeserver-openvpn-bridge
smeserver-phpki-ng

« Last Edit: December 29, 2024, 07:50:18 AM by dallas »

Offline ReetP

« Reply #11 on: December 30, 2024, 10:17:42 PM »
Quote
Yes I have read this.

No, you didn't. Because:

Quote
However I can't find an IPSEC contrib for 10.1.

smeserver-libreswan contrib page says:

Quote
Libreswan is a free software implementation of the most widely supported and standardized VPN protocol based on ("IPsec")

<sigh>

Quote
In getting to this mess I did the following...

Quote
installed smeserver-bridge-interface + dependencies
installed smeserver-softethervpn-server + dependencies
installed smeserver-openvpn-bridge + dependencies
installed smeserver-libreswan + dependencies
installed smeserver-phpki-ng + dependencies

So instead of trying to solve a situation you just threw the kitchen sink at it?

Uninstall them all. Remove the ipsec key.

L2TP is (should be) deprecated as seriously insecure. Do not use it.

You should use openvpn (probably the routed version) or wireguard which is available on v10.

Quote
I want to have remote access to my server to access email on the server as it is only accessible when on my local network. (This is deliberate)

So you will allow vpn access but not secure email access using imaps? Ok....

No idea what mode your server runs or if you have a router so can't advise you on how to set it up.

You'll need to read the docs properly. In server gateway it will set up the correct ports.

In server only you need to understand what ports you should permit on your router.


Offline dallas

« Reply #12 on: December 31, 2024, 02:17:13 AM »
Quote
No, you didn't. Because:

Yes I did but I'm not the all knowing developer, just a hapless user.
 
Quote
So instead of trying to solve a situation you just threw the kitchen sink at it?

Why not?  :o

Quote
Uninstall them all. Remove the ipsec key.

Where do I find that key?

Quote
You should use openvpn

That's what I was trying to implement.

Quote
So you will allow vpn access but not secure email access using imaps? Ok....

There is no access to my mail server from outside my local network. Maybe I should be looking at imaps but there are only 2 users that need to collect email remotely and I still need vpn access to manage the server.

Quote
No idea what mode your server runs

Mode is server / gateway
We will be away from home for a couple of weeks so as an interim fix I ran up an Ubuntu machine and installed OpenVPN, port forwarded the ports that I have on the old SME9.2 to the Ubuntu machine and it just works. I'm not sure which port/ports I need but the OpenVPN app on my phone is connecting to 1194 UDP. I'm not sure what the purpose of the other ports is.

I really appreciate the help you have provided even if I've been a little short with my comments.

Offline ReetP

« Reply #13 on: January 03, 2025, 05:10:39 PM »
Quote
Yes I did but I'm not the all knowing developer, just a hapless user.

I'm actually just a bit of a hack who spends too much time reading the docs carefully.

Quote
Why not?  :o

See the XY Problem. You just make things complicated for yourself, and then waste lots of other people's free time as they try and help you sort it out.

It would make a lot more sense to have asked "I want to install a VPN. What do you recommend?"

Quote
Where do I find that key?

You already did. See above.

Quote
[root@www ~]# config show ipsec
ipsec=service

Worth a read in the docs on how to remove it.

Quote
That's what I was trying to implement.

So why try everything and not just read the wiki pages on openvpn?

Quote
There is no access to my mail server from outside my local network. Maybe I should be looking at imaps but there are only 2 users that need to collect email remotely and I still need vpn access to manage the server.

Just wireguard. It's in the wiki.


Quote
Mode is server / gateway
We will be away from home for a couple of weeks so as an interim fix I ran up an Ubuntu machine and installed OpenVPN, port forwarded the ports that I have on the old SME9.2 to the Ubuntu machine and it just works.

Quote
just a hapless user.

So not quite so hapless if you managed that then.......

Quote
I'm not sure which port/ports I need but the OpenVPN app on my phone is connecting to 1194 UDP. I'm not sure what the purpose of the other ports is.

The contrib will do that for you.

https://wiki.koozali.org/OpenVPN_Routed

https://wiki.koozali.org/Wireguard