Koozali.org: home of the SME Server

Obsolete Releases => SME 6.x Contribs => Topic started by: sdelgran on May 17, 2006, 09:57:02 PM

Title: OpenVPN with client auth and no auth on the same box???
Post by: sdelgran on May 17, 2006, 09:57:02 PM
I have followed the excellent howto to install OpenVPN on my SME 6 box (http://sme.swerts-knudsen.dk - thanks a lot!). I have a perfectly working OpenVPN and several happy roadwarriors.

But, since it works so well I would like to use the same OpenVPN server to permanently connect a remote dedicated machine that would replicate some directories (off-site backup).

The client machine connects perfectly (routing implementation of OpenVPN) but I would need it to be able to do so without a username/password authentication prompt (the machine must be able to power off and still reconnect the VPN upon startup)!

Of course, I do not want to remove the --auth-user-pass-verify option on the server side because I need the road-warrior users to be authenticated... So I thought I would use --auth-user-pass [up] on the client side and put the username and password in a file. The problem is that this option is refused by OpenVPN, probably because of what the MAN page says about it:

Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h

Well, I don't know, I haven't made the rpm... And, huh, I probably wouldn't have been able to. Would this be only one file to rebuild, and would the option to read the password from a file then work? Any comment on this?

Then I thought I could use the --client-config-dir dir option to give a special config to this one client (i.e. without authentication). Well, this option kicked in after authentication (of course...).

I would appreciate it if anyone could shed some light on this question. I have done a lot of research and as it stands I don't see any solution apart from setting up another box. :cry: Or am I overlooking the obvious? Any thoughts to share?
Post by: sdelgran on May 18, 2006, 10:42:14 AM
I just thought I probably have the wrong end of the stick...  :lol: I would need to recompile the client exe, not the server (stupid me!). I'll try this and let you know.  ;-)
Post by: Knuddi on May 20, 2006, 06:33:07 AM
I have done this multiple times by simply adding a new server (just an additional .conf) without the auth and letting this run on a different UDP port (e.g. 1195). Then you do not mix the two scenarios and your roadwarriors. If you want to enhance security - ensuring that the roadwarriors can use it - you can simply run the key generation again.
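A concrete form of the two-daemon layout described above, added here as an illustration and not taken from the thread or the SME contrib. The file paths, the two separate CAs, the subnets, the hostname vpn.example.org, the checkpass.sh verify script and the 192.168.2.0/24 remote LAN are all assumed:

```conf
# --- /etc/openvpn/roadwarrior.conf  (instance 1: certificate + username/password) ---
port 1194
proto udp
dev tap
ca   /etc/openvpn/rw/ca.crt
cert /etc/openvpn/rw/server.crt
key  /etc/openvpn/rw/server.key
dh   /etc/openvpn/rw/dh1024.pem
server 10.8.0.0 255.255.255.0
# every road warrior must present a valid certificate AND a username/password
auth-user-pass-verify /etc/openvpn/rw/checkpass.sh via-env
# script-security 2   # OpenVPN 2.1 and later also need this line uncommented
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody

# --- /etc/openvpn/site.conf  (instance 2: certificate only, no password prompt) ---
port 1195             # its own UDP port, so the two daemons never mix clients
proto udp
dev tun
# separate CA: a road-warrior certificate is not valid against this instance
ca   /etc/openvpn/site/ca.crt
cert /etc/openvpn/site/server.crt
key  /etc/openvpn/site/server.key
dh   /etc/openvpn/site/dh1024.pem
server 10.9.0.0 255.255.255.0
# kernel route on the server to the remote LAN; the per-client file
# ccd/backupbox (named after the client cert CN) tells OpenVPN which
# client owns it and must contain:  iroute 192.168.2.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-config-dir /etc/openvpn/site/ccd
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody

# --- backupbox.conf on the remote machine (reconnects unattended at boot) ---
client
dev tun
proto udp
remote vpn.example.org 1195
nobind
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/backupbox.crt
key  /etc/openvpn/backupbox.key
persist-key
persist-tun
```

Because instance 2 trusts only its own CA, a stolen road-warrior key gives no access to the site tunnel, and revoking the backup box later means only reissuing that one CA's certificates.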
Post by: sdelgran on May 21, 2006, 08:08:01 AM
Thanks Jesper! I guess I had overlooked a lot of things... So, I could get that thing going in a minute! :-D

I read of a config where the person is actually interconnecting several sites + roadwarriors with the same OpenVPN server. The site routers use a TUN config on the OpenVPN server and the roadwarriors use a TAP config. I like the idea of the TUN config for the router-to-router VPN.

I think I will also implement bridging. Any reason you did not? I might again be overlooking something...
Post by: Knuddi on May 22, 2006, 09:08:44 PM
When I say new server I didn't mean a new HW platform, just OpenVPN running as multiple daemons (I run 6 different - 1 RW and 5 sites on the same server).

I prefer TAP so I get individual subnets for each branch, but TUN can surely do the job as well - just not what I did.
Post by: sdelgran on May 22, 2006, 10:26:06 PM
No problem Jesper, I understood your config in the first place.  ;-) This is why I said I could get the router of the secondary site linked in a minute, just adding another conf file on the OpenVPN server.

I am now basically trying to decide if I bridge or not and if I use TUN or not.

As far as I understand, TUN being an IP tunnel would not pass the broadcast and other NetBIOS non-IP stuff (network neighbourhood would probably not work). Not a big deal as all the resources the users need are shown by the WINS server.

As for the bridge, well I need to try one specific client and see if he can do without (3G/HSDPA PCMCIA card locked to the VPN port, but the user wants to use the LAN gateway to access the Internet). If he can (that is, change the client config to use the LAN gateway), and I don't see why he couldn't, then I am not sure I'll do this either.

I am actually looking for advice as I understand the theory behind it but do not really see what I would really be buying for the users if I implement bridging (and TUN by the same token...).