LinuxMCE Forums

General => Users => Topic started by: dlewis on May 08, 2009, 03:06:29 pm

Title: OpenVPN
Post by: dlewis on May 08, 2009, 03:06:29 pm
There are a few topics in the forum that discuss OpenVPN, however none of the posts were definitive about people actually setting this up with LinuxMCE... Does anyone successfully have OpenVPN working with LinuxMCE? Thanks!

-dlewis
Title: Re: OpenVPN
Post by: krys on May 08, 2009, 03:44:18 pm
not that it helps much, but I had it installed and running, I just could never get the certificate and keys thing figured out to actually log into it.
-Krys
Title: Re: OpenVPN
Post by: donpaul on May 08, 2009, 03:53:39 pm
I am very familiar with OpenVPN if anyone wants help. I was thinking of creating a script that would set up VPN including the certs and keys. I will also post a wiki page. (once I get some spare time to devote to it).
Title: Re: OpenVPN
Post by: krys on May 08, 2009, 03:54:58 pm
cool, I used Donpaul's wiki to set up email on my core for forwarding voicemails to me... it was very helpful and I look forward to this one as well!
-Krys
Title: Re: OpenVPN
Post by: dlewis on May 08, 2009, 04:26:12 pm
I am very familiar with OpenVPN if anyone wants help. I was thinking of creating a script that would set up VPN including the certs and keys. I will also post a wiki page. (once I get some spare time to devote to it).

I was just about to post something about possibly automating the process... A script would work well. Once it's done, please provide it for us to put into the release.
Title: Re: OpenVPN
Post by: Itsik on May 08, 2009, 05:56:13 pm
Yes, that would be very helpful.

Thnx
Itsik
Title: Re: OpenVPN
Post by: tschak909 on May 08, 2009, 06:40:15 pm
Let's actually integrate this into the system as a feature for linking houses together.

-Thom
Title: Re: OpenVPN
Post by: dlewis on May 08, 2009, 07:27:12 pm
Let's actually integrate this into the system as a feature for linking houses together.

-Thom

Interesting idea... We can definitely link two networks with OpenVPN... What are some ideas for linuxmce feature integration and linking two homes? How would this work technically (from a LinuxMCE perspective).
Title: Re: OpenVPN
Post by: tschak909 on May 08, 2009, 09:10:35 pm
I would imagine, each installation gets a key auto-generated, with the password of the first user.

This would be entered in on the other home, with a screen to select an installation #, and enter in the key.

The installation # would be looked up on our servers, and an IP produced from it (dyndns anyone?)

and a tunnel would be connected between them, and installation database fragments would be downloaded between them...

NOW WITH THAT SAID....

So many things to worry about:

* Access controls, what can the other house control remotely?
* Media Sharing, what other mechanisms will we need to add to do remote media (remote house, everything downloaded.)
* etc.

much more, and a lot of UI to worry about in the process. In short, this is a monster feature, with monster hours needed. ;)

-Thom
Title: Re: OpenVPN
Post by: dlewis on May 08, 2009, 09:17:35 pm
Yes, I knew everything above the "Now with that said", it's the latter text I'm more worried about.... ;)
Title: Re: OpenVPN
Post by: donpaul on May 09, 2009, 05:21:55 am
I have openvpn installed and working wonderfully... with the firewall disabled. When the lmce firewall is enabled, I can connect but routing is broken. I have a full writeup and am ready to create the script, but I need to solve this problem first.

OpenVPN uses a new interface:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

The route is added by openvpn:

dcerouter_110032:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.80.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
174.99.8.0      0.0.0.0         255.255.248.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         174.99.8.1      0.0.0.0         UG        0 0          0 eth1

I am familiar with iptables, but not how linuxmce writes it. Would anyone know what changes need to be made to allow the tun0 interface to route?


Title: Re: OpenVPN
Post by: donpaul on May 09, 2009, 05:40:21 am
Ok, that didn't take long to figure out. I simply had to add these lines to the bottom of /usr/pluto/bin/Network_Firewall.sh:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

Wiki and scripts coming soon!
Title: Re: OpenVPN
Post by: dlewis on May 09, 2009, 05:49:42 am
Nice! Looking forward to it!
Title: Re: OpenVPN
Post by: dlewis on May 09, 2009, 05:55:11 am
Might want to just update this, as it pertains to making wiki updates: http://wiki.linuxmce.org/index.php/VPN

I'll make sure the OpenVPN script (and even the e-mail script mentioned above) become a part of the release...
Title: Re: OpenVPN
Post by: donpaul on May 09, 2009, 08:22:05 am
I have scripts ready for anyone who wants to give it a try. I have OpenVPN fully functional on my core, and can access my network remotely.

ssh to the core, and run:
Code:
cd /usr/pluto/bin
wget http://donpaul.info/configure_openvpn.tar
tar -xvf configure_openvpn.tar

To install and configure openvpn (one time only), run:
Code:
./Configure_OpenVPN_Interactive.sh
To configure an OpenVPN user, run:
Code:
./Configure_OpenVPN_Users.sh   # Repeat for each user that will access OpenVPN

Let me know how it goes. I'll get it to the wiki soon.
Title: Re: OpenVPN
Post by: alx2k on May 09, 2009, 11:04:57 am
I find this idea very attractive! Maybe not for media sharing (I run ADSL, and maybe upload speed is not fast enough for video streaming) but for remote house control.

With the VPN running, a vpn enabled router and a hardware ip to X10 (or any other protocol) controller, it might be possible to remote control your holiday apartment lighting, heating or window blinds, or even have IP cameras connected to your main LMCE setup in that apartment that would trigger an alarm in your daylife home. Would this be possible?

Anyways, for those willing to have a remote MD on the other side of the tunnel, it might be necessary to have an HD based media director. Installing or starting a diskless MD through a VPN would take a lot of time to start.
Title: Re: OpenVPN
Post by: cirion on May 09, 2009, 12:36:51 pm
I find this idea very attractive! Maybe not for media sharing (I run ADSL, and maybe upload speed is not fast enough for video streaming) but for remote house control.

Anyways, for those willing to have a remote MD on the other side of the tunnel, it might be necessary to have an HD based media director. Installing or starting a diskless MD through a VPN would take a lot of time to start.
Think bigger...

A VPN between 2 Cores could open up the possibility to sync data between them. This could be done while you are not using the system or your internet connection has low usage. That way you could not only control your holiday apartment, but you can still see your favorite TV shows or DVD collection when you are there.
Title: Re: OpenVPN
Post by: alx2k on May 09, 2009, 01:05:41 pm
That didn't come to my mind, and it's great...
If this is included in LMCE, well... Take that WMC
LOL
Title: Re: OpenVPN
Post by: posde on May 09, 2009, 02:20:05 pm
I find this idea very attractive! Maybe not for media sharing (I run ADSL, and maybe upload speed is not fast enough for video streaming) but for remote house control.

Anyways, for those willing to have a remote MD on the other side of the tunnel, it might be necessary to have an HD based media director. Installing or starting a diskless MD through a VPN would take a lot of time to start.
Think bigger...

A VPN between 2 Cores could open up the possibility to sync data between them. This could be done while you are not using the system or your internet connection has low usage. That way you could not only control your holiday apartment, but you can still see your favorite TV shows or DVD collection when you are there.

In theory this sounds good, and I agree, it should be implemented (any volunteers?). However, right now, the pipes are just not big enough atm. But in general, having linked LinuxMCE systems is something worthwhile.
Title: Re: OpenVPN
Post by: dlewis on May 09, 2009, 02:30:36 pm
I find this idea very attractive! Maybe not for media sharing (I run ADSL, and maybe upload speed is not fast enough for video streaming) but for remote house control.

Anyways, for those willing to have a remote MD on the other side of the tunnel, it might be necessary to have an HD based media director. Installing or starting a diskless MD through a VPN would take a lot of time to start.
Think bigger...

A VPN between 2 Cores could open up the possibility to sync data between them. This could be done while you are not using the system or your internet connection has low usage. That way you could not only control your holiday apartment, but you can still see your favorite TV shows or DVD collection when you are there.

In theory this sounds good, and I agree, it should be implemented (any volunteers?). However, right now, the pipes are just not big enough atm. But in general, having linked LinuxMCE systems is something worthwhile.

The pipes would definitely need to be big enough to shuttle data between two cores in completely different locations (especially if they may be across a large country or even in two separate countries).

As for implementing this into LinuxMCE, posde mentioned to me earlier that it would be best to make the script a new screen to the initial setup wizard where people can select what users to add and it would also allow for the other information to be entered in the initial set up (the same should be done for the Postfix install)... Any volunteers to implement this for OpenVPN and Postfix?
Title: Re: OpenVPN
Post by: donpaul on May 09, 2009, 03:33:19 pm
I agree that using vpn to link cores and share information is a great idea. Linking cores would be great for syncing user information, lights, climate, security, automation, etc. I would want to monitor and control a remote location, and receive alerts from the remote location. Also, the vpn pipe doesn't need to be active all the time. openvpn makes the connection within a couple seconds and the core should initiate the connection only when needed. A constant vpn pipe could impact your wan bandwidth, and piss off your ISP.

I am willing to help in any way I can.
Title: Re: OpenVPN
Post by: dlewis on May 09, 2009, 03:56:10 pm
I am willing to help in any way I can.

Thanks for the work you've done so far donpaul and for assisting to work on this further. Thom and I will have a planning session to discuss how we should proceed with bringing this idea to fruition. The first thought is to work on getting OpenVPN implemented into LinuxMCE. A wizard screen in the web admin should be created for that. Do you think you would be able to work on that?

Also, don't forget that we have an IRC channel that makes things easier to converse about these kinds of things. I don't want to move the conversation to IRC, but just wanted to let y'all know about it... IRC chat room information found here: #linuxmce-devel (http://wiki.linuxmce.org/index.php/Chat)
Title: Re: OpenVPN
Post by: donpaul on May 09, 2009, 04:43:09 pm
Yes, I will help as best I can. I'll need to find out how to get to and edit the code.
Title: Re: OpenVPN
Post by: zug on May 09, 2009, 09:09:04 pm
I'll help if I can. I have loads of experience of Openvpn.
Title: Re: OpenVPN
Post by: tschak909 on May 09, 2009, 10:02:15 pm
The code can be retrieved with subversion, here:

http://svn.linuxmce.org/svn/branches/LinuxMCE-0810

you should put this in a place such as /home/src

The web admin bits are in the web/ folder. While source for various scripts are usually in src/BootScripts and a few other places.

-Thom
Title: Re: OpenVPN
Post by: dlewis on May 10, 2009, 07:49:12 pm
donpaul and zug, do you guys have all you need to get working on this?
Title: Re: OpenVPN
Post by: dlewis on May 10, 2009, 09:34:36 pm
donpaul,

zug is working on some of this now... Please reach out to him to assist.
Title: Re: OpenVPN
Post by: PlatypusPedersen on May 11, 2009, 04:36:48 am
LMCE with OpenVPN on a bootable USB stick? Just a thought. :)
Title: Re: OpenVPN
Post by: dlewis on May 11, 2009, 04:46:45 am
Let's work on getting it integrated first...
Title: Re: OpenVPN
Post by: PlatypusPedersen on May 11, 2009, 04:52:24 am
Of course, I was just thinking out loud.
Title: Re: OpenVPN
Post by: dlewis on May 11, 2009, 04:54:07 am
Just wondering... What would be the benefit of OpenVPN and LinuxMCE on a bootable USB stick? Is it just a cool factor or...?
Title: Re: OpenVPN
Post by: donpaul on May 11, 2009, 05:39:13 am
I checked out the code, but I'm not sure how much I can help with the web admin part. I don't know PHP as well as I'd like, but I'll give it a look. I can certainly help out with architecture, OpenVPN itself and anything on the OS.

A page could be added to the network section and collect name/country/state/email/etc, then pass it to the script to configure openvpn. The Wizard/User section could be modified to collect user information and pass it to the user script to create the user cert. Then present the tar file as a download link for each user. I wish I knew php well enough to write it myself.

Also, the firewall rules should be changed to allow UDP port 1194 to the core.
Title: Re: OpenVPN
Post by: dlewis on May 11, 2009, 05:58:00 am
I can certainly help out with architecture, OpenVPN itself and anything on the OS.

Reach out to zug. He was in the IRC chat today and talked about working on the webmin part, among other things... I know he's done some work already. One thing you can begin to think about would be how we can connect cores in different locations and secure everything around it... Also, zug brought up an idea to use a CA or PKI for this... Maybe you can work on ideas for that.
Title: Re: OpenVPN
Post by: donpaul on May 11, 2009, 06:22:25 am
FYI, I modified the scripts to optionally take arguments.

To configure openvpn:
./Configure_OpenVPN.sh "name" email country state

To configure users:
./Configure_OpenVPN_Users.sh "name" email country state username WAN-IP

-The user's openvpn package will be found at \\dcerouter\public\lmce-$username.tar

My scripts setup the CA/PKI on the core. All that is needed is a webadmin page to pass the arguments. It would be very easy to then link cores. Each core could simply be a user, and configured as such.
Title: Re: OpenVPN
Post by: krys on May 11, 2009, 09:48:09 pm
Has anyone else used this script yet? I run into errors when trying to start the vpn daemon.

28016 Mon May 11 14:43:11 CDT 2009 Unlock 'Firewall' (Firewall)
28016 Mon May 11 14:43:11 CDT 2009 Unlock 'Firewall' (Firewall) success
Stopping virtual private network daemon:.
Starting virtual private network daemon: lmce-server(FAILED).
dcerouter_108183:/usr/pluto/bin# openvpn lmce-server.conf
Options error: In [CMD-LINE]:1: Error opening configuration file: lmce-server.conf
Use --help for more information.
dcerouter_108183:/usr/pluto/bin# openvpn lmce-server
Options error: In [CMD-LINE]:1: Error opening configuration file: lmce-server
Use --help for more information.
Title: Re: OpenVPN
Post by: merkur2k on May 11, 2009, 10:34:31 pm
I will add my notes in progress here as well.
I do have some experience with OpenVPN as I have setup a couple VPNs with it in the past.
To start off with, these are the immediate issues I noticed (I still haven't gotten it to work yet):
1) There is really no need to ask for personal information for self-signed certs. Canned info is just fine.
2) Paths in the config file may need to be absolute.
3) Config file looks for ta.key, should be looking for lmce-ta.key.
4) There is no server.crt anywhere that I can find.
I will continue working this stuff out to see how to best solve the issues.
I also have considerable experience with php and am willing to tackle the web admin stuff. Will just need to figure out exactly what the web pages need to do.
Title: Re: OpenVPN
Post by: donpaul on May 11, 2009, 10:44:28 pm
I think I put the wrong scripts up, before I made some corrections, I'll upload the correct ones in a bit.
Title: Re: OpenVPN
Post by: krys on May 11, 2009, 11:22:41 pm
there were two places that I found ta.key in the lmce-server.conf file, I replaced them both with lmce-ta.key and still got the error

Starting virtual private network daemon: lmce-server(FAILED).
Title: Re: OpenVPN
Post by: donpaul on May 11, 2009, 11:23:53 pm
I uploaded the correct scripts, let me know how it goes. I tested it on mine and it worked, but we'll see.
Title: Re: OpenVPN
Post by: krys on May 11, 2009, 11:33:47 pm
I re-downloaded the script and still seem to have issues


cp: cannot stat `/etc/openvpn/easy-rsa/keys/ca.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.key': No such file or directory
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall)
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall) success
Clearing firewall
Enabling packet forwarding
Setting up firewall
Setting up forwarded ports
  Source port: 3080/tcp; Destination: 127.0.0.1:80
  Source port: 21/tcp; Destination: 192.168.80.254:21
  Source port: 1194/tcp; Destination: 192.168.80.1:1194
  Source port: 3877/tcp; Destination: 192.168.80.1:3877
Opening specified ports to exterior
  Port: 4569:4569/udp
  Port: 5060:5060/udp
  Port: 2000:2000/udp
  Port: 2000:2000/tcp
  Port: 22:22/tcp
  Port: 55237:55237/tcp
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall)
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall) success
Stopping virtual private network daemon:.
Starting virtual private network daemon: lmce-server(FAILED).
Title: Re: OpenVPN
Post by: donpaul on May 12, 2009, 02:04:18 am
Damnit, lol.  I'll work it out.
Title: Re: OpenVPN
Post by: donpaul on May 12, 2009, 03:39:07 am
Ok. So I modified the script to first remove any existing openvpn package and any configuration. This was a good idea anyway so that nothing gets hosed if the script is run a second time. Anyway, grab it again, and you should be good to go.

Code:
cd /usr/pluto/bin ; wget http://donpaul.info/configure_openvpn.tar ; tar -xvf configure_openvpn.tar ; ./Configure_OpenVPN.sh
Title: Re: OpenVPN
Post by: dlewis on May 12, 2009, 03:50:14 am
thanks donpaul... Zug, how's the webadmin stuff going?
Title: Re: OpenVPN
Post by: krys on May 12, 2009, 03:09:10 pm
Good news! Looks like the VPN daemon is up and running on the server. Now I just need to figure out how to set up the client and I will be good to go.

Big thanks to DonPaul for sticking with me.

-Krys
Title: Re: OpenVPN
Post by: krys on May 12, 2009, 03:42:32 pm
Alright, so I copied the user config file from the \\dcerouter\public to the config folder on my client computer. I right click on lmce-user1.ovpn to open the VPN and I get some TLS errors

TLS Error: TLS key negotiation failed to occur within 60 seconds
TLS Error: TLS handshake failed

The only other thing that sticks out to me is it says

WARNING: No server  certificate verification method has been enabled.

Any ideas?

-Krys
Title: Re: OpenVPN
Post by: donpaul on May 12, 2009, 03:53:00 pm
Thanks for helping me test it, Krys. Can you verify that you have all of the files needed in the tar, and in your openvpn conf dir? If so, and if it still doesn't work, run the Configure_Users.sh script again and copy the new files over.

lmce-user1.ovpn
user1.crt
user1.key
lmce-ca.crt
lmce-ta.key
Title: Re: OpenVPN
Post by: krys on May 12, 2009, 04:07:37 pm
They are all there, plus I have one additional file lmce-user1.conf

I copied the files over via ftp, I wasn't actually on the network... I assume that is ok?

I will re-run the user config and see if that helps.

-Krys
Title: Re: OpenVPN
Post by: krys on May 12, 2009, 05:03:09 pm
alrighty, tried running user config again and with the new user I get the same error as with the previous one
-Krys

you might wait to mess with it till I get a chance to try it outside of my office... our firewall could be the problem.
Title: Re: OpenVPN
Post by: donpaul on May 12, 2009, 05:04:43 pm
FTP should be fine. The error you had seems to indicate that the lmce-ta.key doesn't match. You can view the .key and .crt files on the server and your clients, they should all match. If not, that is your problem. If they all match, there could be a firewall issue.
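
The checks discussed in this part of the thread (every file the profile names is present, the profile verifies the server certificate, and the shared lmce-ta.key is identical on both ends) can be scripted. This is an added example, not part of the original posts or of donpaul's scripts; file names follow the list above, file contents are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN client bundle.

# Print one finding per line for the bundle in directory $1 (nothing if clean).
lint_bundle() {
    dir=$1
    conf=$(ls "$dir"/*.ovpn 2>/dev/null | head -n 1)
    if [ -z "$conf" ]; then
        echo "MISSING no .ovpn profile in $dir"
        return 0
    fi
    # ca, cert, key and tls-auth each take a file name as first argument.
    # Assumption: relative names are resolved against the bundle directory,
    # i.e. the client is started from that directory.
    awk '$1 ~ /^(ca|cert|key|tls-auth)$/ { gsub(/"/, "", $2); print $1, $2 }' "$conf" |
    while read -r directive file; do
        case $file in
            /*) path=$file ;;
            *)  path=$dir/$file ;;
        esac
        [ -f "$path" ] || echo "MISSING $directive -> $file"
    done
    # With none of these set, the client accepts any certificate issued by
    # the CA as the server, which is what the quoted WARNING is about.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type|verify-x509-name|tls-remote)[[:space:]]' "$conf"; then
        echo "NOVERIFY no server certificate verification directive"
    fi
}

# Succeed only if both files exist and have the same SHA-256 digest, so key
# material is compared without being printed or read by eye.
same_digest() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# Apply the two fixes to profile $1: point tls-auth at lmce-ta.key and turn on
# server certificate verification. Assumption: the server certificate carries
# the server usage extensions that remote-cert-tls checks.
harden_profile() {
    sed 's/^tls-auth[[:space:]]\{1,\}ta\.key/tls-auth lmce-ta.key/' "$1" > "$1.tmp"
    grep -q '^remote-cert-tls' "$1.tmp" || echo 'remote-cert-tls server' >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Build a constructed bundle in directory $1 with the problems reported above.
make_sample_bundle() {
    mkdir -p "$1"
    for f in user1.crt user1.key lmce-ca.crt lmce-ta.key; do
        echo "constructed placeholder for $f" > "$1/$f"
    done
    cat > "$1/lmce-user1.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca lmce-ca.crt
cert user1.crt
key user1.key
tls-auth ta.key 1
EOF
}

work=$(mktemp -d)
make_sample_bundle "$work/client"
echo "as generated:"
lint_bundle "$work/client"
harden_profile "$work/client/lmce-user1.ovpn"
echo "after fixes:"
lint_bundle "$work/client"
# Constructed server-side copy of the tls-auth key that differs from the client's.
echo "constructed, different key" > "$work/server-ta.key"
if same_digest "$work/server-ta.key" "$work/client/lmce-ta.key"; then
    echo "lmce-ta.key matches the server copy"
else
    echo "lmce-ta.key differs from the server copy"
fi
rm -rf "$work"
```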
Title: Re: OpenVPN
Post by: donpaul on May 13, 2009, 08:05:48 pm
UPDATE: To enable NAT (so that we can get out to the internet while on VPN), a line is needed at the bottom of /usr/pluto/bin/Network_Firewall.sh

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d ! 10.8.0.0/255.255.255.0 -o $ExtIf -j MASQUERADE
I will add it to my script tonight. But if anyone currently has openvpn configured, you should add it manually and run the Network_Firewall.sh script.
Title: Re: OpenVPN
Post by: dlewis on June 03, 2009, 09:11:13 pm
Have we made a 100% working script to be implemented into 0810?

Also, how is the webadmin portion going?
Title: Re: OpenVPN
Post by: qball4 on June 26, 2009, 12:29:04 am
I had to change the scripts to reflect the addition of easy-rsa 2.0, but it was just adding the /2.0 on the end of /etc/openvpn/easy-rsa in a few places. Other than that, they work great.  That being said, they default to tun interface on port 1194, so if you want anything different, the generated lmce-server.conf, conf/ovpn files in the user tarballs, and Network_Firewall.sh script still need to be edited by hand.

:Matt
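
One way to check what the post above describes, that the port and protocol in lmce-server.conf, the client .ovpn profile and the firewall all agree (an added example, not part of the original posts or of donpaul's scripts). It assumes the firewall script's output was saved to a file in the format quoted earlier in the thread; the function names, the file name firewall.out and the host vpn.example.invalid are made up for the illustration.

```shell
#!/bin/sh
# Added example: check that server config, client profile and firewall agree.

# Print "port/proto" for a server config or client profile, using OpenVPN's
# defaults (port 1194, proto udp) when a directive is absent.
endpoint_of() {
    awk '
        $1 == "port"   { port = $2 }
        $1 == "proto"  { proto = $2 }
        $1 == "remote" { if ($3 != "") port = $3; if ($4 != "") proto = $4 }
        END {
            if (port == "")  port = 1194
            if (proto == "") proto = "udp"
            sub(/^tcp.*/, "tcp", proto)   # tcp-server, tcp-client -> tcp
            sub(/^udp.*/, "udp", proto)
            print port "/" proto
        }' "$1"
}

# $1 = "port/proto", $2 = saved firewall output. Prints OK, MISMATCH (port is
# exposed, but only for the other protocol) or CLOSED.
firewall_verdict() {
    awk -v want="$1" '
        function seen(lo, hi, pr) {
            if (port + 0 < lo + 0 || port + 0 > hi + 0) return
            if (pr == proto) exact = 1; else other = pr
        }
        BEGIN { split(want, w, "/"); port = w[1]; proto = w[2] }
        # "Port: 4569:4569/udp" is a range opened to the exterior.
        $1 == "Port:" {
            split($2, a, "/"); n = split(a[1], r, ":")
            seen(r[1], (n > 1 ? r[2] : r[1]), a[2])
        }
        # "Source port: 1194/tcp; Destination: ..." is a forwarded port.
        $1 == "Source" && $2 == "port:" {
            sub(/;$/, "", $3); split($3, a, "/")
            seen(a[1], a[1], a[2])
        }
        END {
            if (exact)      print "OK " want " is exposed"
            else if (other) print "MISMATCH server listens on " want ", firewall exposes " port "/" other
            else            print "CLOSED " want " is not exposed"
        }' "$2"
}

# $1 = server config, $2 = client profile, $3 = saved firewall output.
check_vpn_endpoints() {
    server=$(endpoint_of "$1")
    client=$(endpoint_of "$2")
    [ "$server" = "$client" ] || echo "MISMATCH server $server, client profile $client"
    firewall_verdict "$server" "$3"
}

# Constructed sample files in directory $1; the firewall lines copy the
# layout of the output quoted in the thread, not a real capture.
write_samples() {
    mkdir -p "$1"
    printf 'port 1194\nproto udp\ndev tun\n' > "$1/lmce-server.conf"
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n' > "$1/lmce-user1.ovpn"
    cat > "$1/firewall.out" <<'EOF'
Setting up forwarded ports
  Source port: 3080/tcp; Destination: 127.0.0.1:80
  Source port: 1194/tcp; Destination: 192.168.80.1:1194
Opening specified ports to exterior
  Port: 5060:5060/udp
  Port: 22:22/tcp
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_vpn_endpoints "$demo_dir/lmce-server.conf" "$demo_dir/lmce-user1.ovpn" "$demo_dir/firewall.out"
rm -rf "$demo_dir"
```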
Title: Re: OpenVPN
Post by: bulek on June 27, 2009, 01:33:31 pm
I had to change the scripts to reflect the addition of easy-rsa 2.0, but it was just adding the /2.0 on the end of /etc/openvpn/easy-rsa in a few places. Other than that, they work great.  That being said, they default to tun interface on port 1194, so if you want anything different, the generated lmce-server.conf, conf/ovpn files in the user tarballs, and Network_Firewall.sh script still need to be edited by hand.

:Matt
Hi,

did I understand right, you've setup OpenVPN under 8.10? If yes, please put instructions on wiki - it will be helpful to others...

Thanks ,

regards,

Bulek.
Title: Re: OpenVPN
Post by: nite_man on July 24, 2009, 02:53:47 pm
It'd be very helpful for the rest of the people if you update the existing article (http://wiki.linuxmce.org/index.php/VPN) about VPN in the wiki.
Title: Re: OpenVPN
Post by: dlewis on August 24, 2009, 03:42:57 am
any updates on creating a script/patch for this?
Title: Re: OpenVPN
Post by: donpaul on August 27, 2009, 06:37:15 am
I wonder if pptp would be easier and more widely accepted? Obviously SSL (OpenVPN) is superior to PPTP, but SSL clients are not always available.
Title: Re: OpenVPN
Post by: tschak909 on August 27, 2009, 06:50:36 am
I'm not sure you guys completely get it... The point is to provide a COMPLETE END TO END SOLUTION.

So that means, we do both the server end, and provide a pre-configured client to connect in.

-Thom
Title: Re: OpenVPN
Post by: donpaul on August 27, 2009, 04:32:56 pm
I'm not sure you guys completely get it... The point is to provide a COMPLETE END TO END SOLUTION.

So that means, we do both the server end, and provide a pre-configured client to connect in.

-Thom

I get it Thom, I just enjoy sharing my finds and progress - that's the point of open source right? :) I was excited to vpn into the core with my iPhone and make free sip phone calls from Jamaica, and launch the web orbiter to control my house. I think there is value in building some powerful and secure server features that more knowledgeable users can enjoy, even if we can't provide a complete end to end solution right away. Agree?

I have already begun trying a script to configure the windows vpn client, but I can't provide a client for the iPhone, besides that would be silly since the iPhone has the built in client. There is no reason we can't use openvpn and pptp, then provide the openvpn client and/or the pptp client configuration. I am working on it in my spare time, which has been extremely scarce lately - sorry.
Title: Re: OpenVPN
Post by: davegravy on August 28, 2009, 08:55:52 pm
Quote
cp: cannot stat `/etc/openvpn/easy-rsa/keys/ca.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.key': No such file or directory
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall)
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall) success
Clearing firewall
Enabling packet forwarding
Setting up firewall
Setting up forwarded ports
  Source port: 3080/tcp; Destination: 127.0.0.1:80
  Source port: 21/tcp; Destination: 192.168.80.254:21
  Source port: 1194/tcp; Destination: 192.168.80.1:1194
  Source port: 3877/tcp; Destination: 192.168.80.1:3877
Opening specified ports to exterior
  Port: 4569:4569/udp
  Port: 5060:5060/udp
  Port: 2000:2000/udp
  Port: 2000:2000/tcp
  Port: 22:22/tcp
  Port: 55237:55237/tcp
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall)
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall) success
Stopping virtual private network daemon:.
Starting virtual private network daemon: lmce-server(FAILED).

I just downloaded and ran the script, and got the same errors krys_ got before.

Title: Re: OpenVPN
Post by: donpaul on August 28, 2009, 10:16:16 pm

I just downloaded and ran the script, and got the same errors krys_ got before.


I have integrated PPTP vpn into LinuxMCE, if you would rather go that route.

http://forum.linuxmce.org/index.php?topic=8767.15

When I get a minute, I'll take a look at the OpenVPN script.
Title: Re: OpenVPN
Post by: davegravy on August 29, 2009, 03:52:49 pm
My reason for wanting to try openvpn, fyi, is as follows:

My workplace has a seriously draconian IT policy, despite being a small company. I have HTTP, HTTPS (thankfully), FTP, RDP, and not much more in the way of non-firewalled ports. I want to use my core at home as a proxy to allow me unrestricted web communications. I can use ssh tunnelling via putty for most things, but not anything UDP (such as my office IAX/SIP softphone). I tried to ssh tunnel port 1723 to my core, and tried to establish a pptp vpn connection to no avail. Apparently it uses another protocol in tandem with tcp port 1723 (called GRE or something).

I'm interested to know if OpenVPN can do what I want, especially since it uses SSL which is supposedly UDP friendly.
Title: Re: OpenVPN
Post by: donpaul on August 31, 2009, 08:02:19 pm
I just downloaded and ran the script, and got the same errors krys_ got before.

Did you run the script as root? I never get those errors when run as root. I will be making changes and incorporating OpenVPN into LinuxMCE web admin soon.
Title: Re: OpenVPN
Post by: davegravy on August 31, 2009, 09:20:27 pm
Did you run the script as root? I never get those errors when run as root. I will be making changes and incorporating OpenVPN into LinuxMCE web admin soon.

Yes, I ran as root.

After the script terminates the contents of /etc/openvpn/easy-rsa/ are as follows:

1.0  2.0  build.sh

There is no /keys directory.

Title: Re: OpenVPN
Post by: donpaul on August 31, 2009, 10:28:22 pm
Did you run the script as root? I never get those errors when run as root. I will be making changes and incorporating OpenVPN into LinuxMCE web admin soon.

Yes, I ran as root.

After the script terminates the contents of /etc/openvpn/easy-rsa/ are as follows:

1.0  2.0  build.sh

There is no /keys directory.



ok, I see the problem. I'll fix it.
Title: Re: OpenVPN
Post by: donpaul on August 31, 2009, 10:38:32 pm
I fixed it (I hope), grab the latest tar from donpaul.info and give it a shot.
Title: Re: OpenVPN
Post by: davegravy on September 01, 2009, 10:13:28 pm
Sorry! Not yet  ;)

#ls /etc/openvpn/easy-rsa/2.0/

build-ca          build-key-server  list-crl              revoke-full
build-dh          build-req         Makefile              sign-req
build-inter       build-req-pass    openssl-0.9.6.cnf.gz  vars
build-key         build.sh          openssl.cnf           whichopensslcnf
build-key-pass    clean-all         pkitool
build-key-pkcs12  inherit-inter     README.gz

There's no /keys directory here either... I'm not sure why the keys aren't being generated in their proper location.
Title: Re: OpenVPN
Post by: davegravy on September 01, 2009, 10:52:12 pm
I'm not sure build.sh is running from Configure_OpenVPN_Keys.sh... when I run the script manually it generates the keys directory along with all the keys, but does not do this when run from Configure_OpenVPN_Keys.sh

I don't know anything much about .sh scripts, but is the spawn syntax correct?

EDIT: the problem is that the 'expect' package is not installed by default. Add it to the list of packages installed in the script.
Title: Re: OpenVPN
Post by: donpaul on September 04, 2009, 04:23:06 pm
I'm not sure build.sh is running from Configure_OpenVPN_Keys.sh... when I run the script manually it generates the keys directory along with all the keys, but does not do this when run from Configure_OpenVPN_Keys.sh

I don't know anything much about .sh scripts, but is the spawn syntax correct?

EDIT: the problem is that the 'expect' package is not installed by default. Add it to the list of packages installed in the script.

Excellent, thanks. Will add it.
Title: Re: OpenVPN
Post by: dlewis on September 15, 2009, 09:55:31 pm
Are we closer to making this solid and adding this to the next release?
Title: Re: OpenVPN
Post by: donpaul on September 15, 2009, 10:40:11 pm
Yes... closer. I am going to run/test it on a fresh 810 soon.
Title: Re: OpenVPN
Post by: dlewis on September 16, 2009, 03:30:11 am
thanks!
Title: Re: OpenVPN
Post by: donpaul on September 18, 2009, 11:10:19 pm
I have made changes for 8.10, and integrated it into the lmce-admin. I am running through the test, and so far so good. If anyone has a suggestion, now is the time.

(http://donpaul.info/openvpn.png)
Title: Re: OpenVPN
Post by: jimbodude on September 18, 2009, 11:43:12 pm
This looks sweet...

I like the "Delete User" button - that was missing from the PPTP implementation.

I'm not sure if there is an easy way to do this - but we do have the hostname if the user configures the DDNS, maybe it could show up here?  If the user has a static IP, a "detect external IP" button would be nice too.

Does this already open up the proper ports in the firewall?

Great work, thanks.
Title: Re: OpenVPN
Post by: donpaul on September 19, 2009, 01:44:58 am
I thought about the DDNS field, and I agree on the get IP button - good idea. I'll see what I can do for both of those.

BTW, I added a delete button to the PPTP patch.
Title: Re: OpenVPN
Post by: jimbodude on September 19, 2009, 04:50:46 am
Nice.  Good work.
Title: Re: OpenVPN
Post by: jimbodude on October 15, 2009, 02:10:20 am
Status on this?  Is there a Trac ticket for OpenVPN?  I see one for PPTP (http://svn.linuxmce.org/trac.cgi/ticket/339) but it looks like it hasn't made it into SVN yet.
Title: Re: OpenVPN
Post by: donpaul on October 16, 2009, 04:14:11 am
OpenVPN and PPTP have been combined and are on the same ticket. The SVN diff is in, so hopefully it will make it to the code soon.
Title: Re: OpenVPN
Post by: dlewis on October 16, 2009, 04:21:57 am
Items only make it into the next release if the alpha2 install page is updated:

http://wiki.linuxmce.org/index.php/LinuxMCE-0810_alpha2

I've added the ticket.
Title: Re: OpenVPN
Post by: dlewis on October 20, 2009, 05:14:36 am
donpaul, please update this wiki site with instructions:

http://wiki.linuxmce.org/index.php/VPN

Try to also include images. Thanks!
Title: Re: OpenVPN
Post by: Kooma on January 03, 2010, 01:44:39 pm
Hi, I would like to access web pages on core securely from outside and have been searching various topics and wiki. I suppose this thread is the most current one - is it so? From the previous posts it looked like the OpenVPN was about to be integrated but it's been a bit quiet on this lately.
Any progress?
Title: Re: OpenVPN
Post by: coley on July 02, 2010, 03:24:23 pm
bump?
Is there any update on this?
I tried the scripts from the svn ticket and am getting errors on a current 0810 install.

thx
-Coley.
Title: Re: OpenVPN
Post by: Kooma on July 02, 2010, 03:46:02 pm
I solved my needs by applying these instructions: HTTPS / SSL access on the outside http://wiki.linuxmce.org/index.php/HTTPS

Works very well.


Title: Re: OpenVPN
Post by: donpaul on July 26, 2010, 05:27:59 pm
I have been absent for a while, but I'm back with a fresh core and will have an updated and working patch soon. Hopefully my time will allow for more contributions.
Title: Re: OpenVPN
Post by: tschak909 on July 26, 2010, 08:14:54 pm
Uh.

Why an RPM? You do realize this is a debian distribution?

-Thom
Title: Re: OpenVPN
Post by: donpaul on July 26, 2010, 08:19:20 pm
I don't know, cause I like building rpm - but you're right. :)  Here are the scripts in a tarball instead.

*UPDATE: Updated the vpn.tar - minor change to enable IP forward
Title: Re: OpenVPN
Post by: donpaul on July 26, 2010, 08:45:40 pm
Here is the updated SVN diff.

Can someone with perms update the TRAC ticket, since I get an error for spam?
http://svn.linuxmce.org/trac.cgi/ticket/339

*Modified: Updated the svn diff to 23202
Title: Re: OpenVPN
Post by: coley on July 27, 2010, 01:52:51 pm
donpaul,
Your diff is out of date; it's not diff'd to the latest rev (23202).
Can you update please?

thx
-Coley.
Title: Re: OpenVPN
Post by: donpaul on July 27, 2010, 03:40:48 pm
I added an updated svn diff, and I created a .deb package for the vpn scripts, and attached. If you want PPTP and OpenVPN, simply apply the diff patch and install the deb.

Can somebody test/add the deb to LinuxMCE repository and update the ticket?
Title: Re: OpenVPN
Post by: posde on July 27, 2010, 04:05:11 pm
Can somebody test/add the deb to LinuxMCE repository and update the ticket?

We don't add the deb itself, but would prefer to have the source to the deb, so we can build the deb as part of our regular building process.
Title: Re: OpenVPN
Post by: coley on July 27, 2010, 04:13:44 pm
Applied the patch, installed the deb - I'm missing the file userOpenVPN.php  :(

-Coley.
Title: Re: OpenVPN
Post by: donpaul on July 27, 2010, 04:36:52 pm
Applied the patch, installed the deb - I'm missing the file userOpenVPN.php  :(

-Coley.

Ah, ok, here are the php scripts. Untar in /var/www/lmce-admin.

We don't add the deb itself, but would prefer to have the source to the deb, so we can build the deb as part of our regular building process.

Ok, I will provide the source.
Title: Re: OpenVPN
Post by: coley on July 27, 2010, 05:04:03 pm
:) that seems to operate a bit better, tar file looks healthier.
Will see if I can get into my core from outside ( once my isp gets back to me so I can see my IP  >:( )

-Coley.
Title: Re: OpenVPN
Post by: donpaul on July 27, 2010, 05:42:37 pm
I have a Wiki page started:

http://wiki.linuxmce.com/index.php/VPN

More to come once the captcha is fixed.
Title: Re: OpenVPN
Post by: donpaul on July 29, 2010, 12:01:21 am
Here is the source.
Title: Re: OpenVPN
Post by: posde on July 29, 2010, 06:04:54 am
donpaul,

looking at the tar, I fail to see any web admin stuff. Do I miss anything, or is the web admin stuff elsewhere?
Title: Re: OpenVPN
Post by: donpaul on July 29, 2010, 06:18:57 am
donpaul,

looking at the tar, I fail to see any web admin stuff. Do I miss anything, or is the web admin stuff elsewhere?

I attached the diff svn patch and a tar of the added php scripts earlier in the thread. I did not put those in my deb source - I assumed they should go in the existing web admin package.

Let me know what I can do to help get it in the next snapshot.
Title: Re: OpenVPN
Post by: Enigmus on October 23, 2010, 06:07:54 pm
Did this ever make it into the release?  If not, can we get this in as a regular feature?
Title: Re: OpenVPN
Post by: merkur2k on October 25, 2010, 01:49:12 am
It has not.
I have been looking at it lately, but it will need a lot of work to make it play nice with all the other parts of lmce.
Title: Re: OpenVPN
Post by: donpaul on November 15, 2010, 11:28:51 pm
It has not.
I have been looking at it lately, but it will need a lot of work to make it play nice with all the other parts of LinuxMCE.

What other parts must it play nice with? And what kind of work does it need?
Title: Re: OpenVPN
Post by: merkur2k on November 16, 2010, 06:19:56 pm
It modifies several scripts that will get overwritten by other lmce packages at the next update, most notably the firewall script.
Title: Re: OpenVPN
Post by: donpaul on November 28, 2010, 05:42:42 pm
The only ones that will be modified are the firewall script, and the sysctl.conf file. Both changes are required for openvpn, but not pptpd. I see no reason why the pptpd vpn can't be included, even if the changes can't be made for openvpn.
Title: Re: OpenVPN
Post by: merkur2k on November 28, 2010, 07:00:45 pm
I didn't say it couldn't be done, just that it's going to require touching some lmce stuff, and I haven't really decided on the best course of action yet.
Title: Re: OpenVPN
Post by: Enigmus on December 08, 2010, 04:32:16 pm
Thank you, Merkur2k, for investigating and working on this feature.
Title: Re: OpenVPN
Post by: gonesurfing on December 19, 2010, 01:04:01 am
Hi,
Is this working? The current wiki on VPN has broken links and I was unable to install it.
steve