Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: duncan on August 11, 2004, 10:38:18 AM
-
Available here (http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Beta/Openvpn/).
rpm -ivh *.rpm
/sbin/e-smith/db configuration setprop openvpn status enabled
/sbin/e-smith/signal-event console-save
/sbin/reboot
Configs are in /etc/openvpn. The static.key is generated by the rpm and is unique to your machine.
Use the port-opening package from here (http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/portopening/SME5.6/dmc-mitel-portopening-0.0.1-4.noarch.rpm) to open your UDP/TCP ports.
Configuration howtos here (http://openvpn.sourceforge.net/howto.html)
This is tested on 6.0.1 and does not have a web GUI.
Regards Duncan
-
Bump
I have added a howto here (http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Beta/Openvpn/Openvpn.htm) as well as some example config files that are working well for my guys.
WinXP <-> SMEServer
Regards Duncan
-
Hi duncan,
Great work, that's what I've been waiting for a long time now.
For port-opening, maybe it would be a good idea to include the following script in the masq template directory
{
    # Read the service status from the configuration DB (the %openvpn hash
    # that e-smith exposes to templates); default to disabled if unset.
    my $status = $openvpn{status} || "disabled";
    # Open UDP 5000 only while the service is enabled.
    $OUT = allow_udp_in(5000, ($status eq "enabled"));
}
So that the port opening is effective only when the service is enabled.
Regards.
-
Nice idea. Openvpn is moving towards one port for all tunnels - and when it gets there this will make a great addition - however because there is a need to open a new port for each tunnel - it is probably better to use the port opening contrib for the time being.
Regards Duncan
-
With that code and the service enabled I get
denylog udp -- anywhere anywhere udp dpt:5000
[root@mail log]# /sbin/e-smith/db configuration show openvpn
openvpn=service
status=enabled
[root@mail log]#
Any ideas what the problem might be?
Regards Duncan
-
Thanks for the great contrib Duncan, worked fine for me (am using beta11), once I swapped over to tun (I was previously trying to use tap).
Trevor B
-
Hi Trevor B,
Do you have the beta11 rpm (I have trouble getting the multiclient feature to work with Duncan's beta10), and if so, would you be so kind as to send it to me?
regards
Michael
-
I just built from the tarball from the openvpn.org site. (openvpn-2.0_beta11-1)
I will place a copy in my beta contribs directory when I remember the password (or get RequestedDeletion to reset it for me....).
http://contrins.org/contribs/trevorb/beta/
Trevor B
PS. I am using TCP rather than UDP (only because I was set up that way due to other problems I was having prior to installing Duncan's contrib). Will put up my configs as well.
-
There now, but in..... :-)
http://mirror.contribs.org/smeserver/contribs/trevorb/beta/openvpn
TrevorB
-
Thanks a lot
regards Michael
-
I have tried to have an XP client connect to the SME server and have access to the private net without complete luck. I get denylog entries in the message log. I decided to use tap as it allows better control from the server side. The client connects fine to the remote server and I can ping the server (192.168.1.1). When I try to access (ping) anything inside the private LAN (192.168.1.x) I get denylogs. I expect that I need to set up iptables rules but am not sure which. I would like to allow all traffic to route between eth0 and tap0. I have stored the two config files in http://sme.swerts-knudsen.dk/downloads/OpenVPN/ for reference.
The tap0 interface runs on 192.168.100.1 and the XP client gets 192.168.100.6.
A typical message log entry when trying to ping 192.168.1.50 from the XP client (192.168.100.6):
Oct 26 15:38:12 gateway kernel: denylog:IN=tap0 OUT=eth0 SRC=192.168.100.6 DST=192.168.1.50 LEN=92 TOS=0x00 PREC=0x00 TTL=15 ID=857 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=15104
any good ideas or suggestions?
Thanks,
Jesper
-
Jesper,
Have you added your 192.168.100.x subnet into the local networks under the security settings in the Server Manager?
HTH
David.
-
The problem doing so is that the gateway is eth0 and adding that as the gateway for 192.168.100.0 does not help (actually makes me not be able to ping 192.168.1.1 anymore). The route table also looks fine.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
80.196.46.140 * 255.255.255.252 U 0 0 0 eth1
192.168.100.0 * 255.255.255.0 U 0 0 0 tap0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default atm0-0-0-150113 0.0.0.0 UG 0 0 0 eth1
-
Hi,
Add the network as you normally would in the server manager to add the firewall rules. Enable "office.up" but put a "route del" entry in to remove the route to eth0.
Regards Duncan
-
As usual, I humbly bow to you 'oh all mighty bit busters' for being able to arrange bits in such a way that it actually becomes something USEFUL!
;-)
RequestedDeletion
-
Alright - Add the office.up with this content (del rather than add):
#!/bin/bash
# office.up: remove the route the server manager adds for the VPN subnet
# via the LAN gateway; $5 is the gateway argument SME passes to this script.
route del -net 192.168.100.0 netmask 255.255.255.0 gw $5
and add 192.168.100.0 mask 255.255.255.0 but with what gateway? As this is a separate interface (tap0), its real gateway would be 192.168.1.1 (default system gateway). This is not valid as the GW should be in the same net. Should it be 192.168.100.1?
-
Hi,
This is one I am using here. It's a network <=> network setup but it might shed some clues.
#!/bin/bash
# Drop the routes the server manager added via the LAN address (10.0.0.1)...
route del -net 10.1.0.0 netmask 255.255.255.0 gw 10.0.0.1
route del -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1
# ...and re-add the remote LAN via the gateway SME passes in as $5.
route add -net 192.168.1.0 netmask 255.255.255.0 gw $5
The server is in server only mode - and eth0 is 10.0.0.1.
Regards Duncan
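A check for the misrouting discussed in this thread (a VPN subnet that ends up routed through eth0 as well as the tap interface after the local network is added in the server manager), written as an added example that is not part of any post or of the contrib. It parses a constructed `route -n` dump modelled on the table posted above and emits the `route del` line an office.up script would need; the sample table, addresses and function names are constructed.

```shell
#!/bin/sh
# Constructed sample of "route -n" output (not captured from a real server).
# Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
80.196.46.140   0.0.0.0         255.255.255.252 U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.100.0   192.168.1.1     255.255.255.0   UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth1'

# route_ifaces NET NETMASK [TABLE]: print every interface that carries a
# route for NET/NETMASK, one per line, in table order.
route_ifaces() {
    printf '%s\n' "${3:-$ROUTE_TABLE}" |
        awk -v net="$1" -v mask="$2" '$1 == net && $3 == mask { print $8 }'
}

# stray_lan_route NET NETMASK VPN_IFACE [TABLE]: exit 0 and print the
# "route del" line(s) for office.up when NET is also routed through an
# interface other than VPN_IFACE; exit 1 when only the VPN route exists.
stray_lan_route() {
    net=$1; mask=$2; vpn_if=$3; table=${4:-$ROUTE_TABLE}
    found=1
    for iface in $(route_ifaces "$net" "$mask" "$table"); do
        [ "$iface" = "$vpn_if" ] && continue
        gw=$(printf '%s\n' "$table" |
             awk -v net="$net" -v mask="$mask" -v i="$iface" \
                 '$1 == net && $3 == mask && $8 == i { print $2; exit }')
        # A directly connected stray route has no gateway; delete it by device.
        if [ "$gw" = "0.0.0.0" ]; then
            printf 'route del -net %s netmask %s dev %s\n' "$net" "$mask" "$iface"
        else
            printf 'route del -net %s netmask %s gw %s\n' "$net" "$mask" "$gw"
        fi
        found=0
    done
    return $found
}
```

Run against real output by passing `"$(route -n)"` as the fourth argument.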