Topic: OpenVPN

dlewis

OpenVPN
« on: May 08, 2009, 03:06:29 pm »
There are a few topics in the forum that discuss OpenVPN, however none of the posts were definitive about people actually setting this up with LinuxMCE... Does anyone successfully have OpenVPN working with LinuxMCE? Thanks!

-dlewis

krys

Re: OpenVPN
« Reply #1 on: May 08, 2009, 03:44:18 pm »
Not that it helps much, but I had it installed and running, I just could never get the certificate and keys thing figured out to actually log into it.
-Krys

donpaul

Re: OpenVPN
« Reply #2 on: May 08, 2009, 03:53:39 pm »
I am very familiar with OpenVPN if anyone wants help. I was thinking of creating a script that would set up VPN including the certs and keys. I will also post a wiki page. (once I get some spare time to devote to it).

krys

Re: OpenVPN
« Reply #3 on: May 08, 2009, 03:54:58 pm »
Cool, I used Donpaul's wiki to set up email on my core for forwarding voicemails to me... it was very helpful and I look forward to this one as well!
-Krys

dlewis

Re: OpenVPN
« Reply #4 on: May 08, 2009, 04:26:12 pm »
Quote from: donpaul
> I am very familiar with OpenVPN if anyone wants help. I was thinking of creating a script that would set up VPN including the certs and keys. I will also post a wiki page. (once I get some spare time to devote to it).

I was just about to post something about possibly automating the process... A script would work well. Once it's done, please provide it for us to put into the release.

Itsik

Re: OpenVPN
« Reply #5 on: May 08, 2009, 05:56:13 pm »
Yes, that would be very helpful.

Thnx
Itsik

tschak909

Re: OpenVPN
« Reply #6 on: May 08, 2009, 06:40:15 pm »
Let's actually integrate this into the system as a feature for linking houses together.

-Thom

dlewis

Re: OpenVPN
« Reply #7 on: May 08, 2009, 07:27:12 pm »
Quote from: tschak909
> Let's actually integrate this into the system as a feature for linking houses together.
>
> -Thom

Interesting idea... We can definitely link two networks with OpenVPN... What are some ideas for LinuxMCE feature integration and linking two homes? How would this work technically (from a LinuxMCE perspective)?

tschak909

Re: OpenVPN
« Reply #8 on: May 08, 2009, 09:10:35 pm »
I would imagine, each installation gets a key auto-generated, with the password of the first user.

This would be entered in on the other home, with a screen to select an installation #, and enter in the key.

The installation # would be looked up on our servers, and an IP produced from it (dyndns anyone?)

and a tunnel would be connected between them, and installation database fragments would be downloaded between them...

NOW WITH THAT SAID....

So many things to worry about:

* Access controls, what can the other house control remotely?
* Media Sharing, what other mechanisms will we need to add to do remote media (remote house, everything downloaded.)
* etc.

much more, and a lot of UI to worry about in the process. In short, this is a monster feature, with monster hours needed. ;)

-Thom

dlewis

Re: OpenVPN
« Reply #9 on: May 08, 2009, 09:17:35 pm »
Yes, I knew everything above the "Now with that said", it's the latter text I'm more worried about.... ;)

donpaul

Re: OpenVPN
« Reply #10 on: May 09, 2009, 05:21:55 am »
I have openvpn installed and working wonderfully... with the firewall disabled. When the lmce firewall is enabled, I can connect but routing is broken. I have a full writeup and am ready to create the script, but I need to solve this problem first.

OpenVPN uses a new interface:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

The route is added by openvpn:

dcerouter_110032:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.80.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
174.99.8.0      0.0.0.0         255.255.248.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         174.99.8.1      0.0.0.0         UG        0 0          0 eth1

I am familiar with iptables, but not how linuxmce writes it. Would anyone know what changes need to be made to allow the tun0 interface to route?



donpaul

Re: OpenVPN
« Reply #11 on: May 09, 2009, 05:40:21 am »
Ok, that didn't take long to figure out. I simply had to add these lines to the bottom of /usr/pluto/bin/Network_Firewall.sh:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

Wiki and scripts coming soon!
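
A narrower form of the two tun0 rules in the post above, as an added example that is not part of the original post or of LinuxMCE's firewall script: it prints rules that admit only the VPN subnet and forward it only to the internal LAN, which bears on the access-control question raised earlier in the thread. The function names are hypothetical; the interfaces and subnets come from the output in Reply #10, and the port list (22) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: print iptables rules that scope the
# OpenVPN interface instead of accepting everything that arrives on it.
# vpn_rules and the valid_* helpers are hypothetical names.

valid_iface() {   # starts with a letter; letters, digits, '_', '.', '-' only
    case $1 in ''|[!A-Za-z]*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

valid_cidr() {    # a.b.c.d/len with octets 0-255 and len 0-32
    case $1 in
        *[!0-9./]*|*/*/*|*..*|.*|*./*|*/|*.*.*.*.*) return 1 ;;
        *.*.*.*/*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] 2>/dev/null || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# usage: vpn_rules TUN_IF VPN_NET LAN_IF LAN_NET [TCP_PORTS]
# TCP_PORTS: comma-separated ports on the core that VPN clients may reach;
# without it, VPN clients may reach every service on the core.
vpn_rules() {
    tun=$1 vpn=$2 lan_if=$3 lan=$4 ports=${5:-}
    { valid_iface "$tun" && valid_iface "$lan_if"; } || return 2
    { valid_cidr "$vpn" && valid_cidr "$lan"; } || return 2
    case $ports in *[!0-9,]*|,*|*,|*,,*) return 2 ;; esac
    est="-m conntrack --ctstate ESTABLISHED,RELATED"
    # Order matters: replies, core services, VPN->LAN, LAN replies, then drops.
    cat <<EOF
iptables -A INPUT -i $tun -s $vpn $est -j ACCEPT
iptables -A INPUT -i $tun -s $vpn${ports:+ -p tcp -m multiport --dports $ports} -j ACCEPT
iptables -A FORWARD -i $tun -o $lan_if -s $vpn -d $lan -j ACCEPT
iptables -A FORWARD -i $lan_if -o $tun -s $lan -d $vpn $est -j ACCEPT
iptables -A INPUT -i $tun -j DROP
iptables -A FORWARD -i $tun -j DROP
EOF
}

# Values from the ifconfig/netstat output in the thread; port 22 is assumed.
vpn_rules tun0 10.8.0.0/24 eth0 192.168.80.0/24 22
```

The output is meant to be reviewed before it replaces the two original lines; because the rules use -A, they only decide packets that no earlier rule in the chain has already matched.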

dlewis

Re: OpenVPN
« Reply #12 on: May 09, 2009, 05:49:42 am »
Nice! Looking forward to it!

dlewis

Re: OpenVPN
« Reply #13 on: May 09, 2009, 05:55:11 am »
Might want to just update this, as it pertains to making wiki updates: http://wiki.linuxmce.org/index.php/VPN

I'll make sure the OpenVPN script (and even the e-mail script mentioned above) become a part of the release...
« Last Edit: May 09, 2009, 06:27:32 am by dlewis »

donpaul

Re: OpenVPN
« Reply #14 on: May 09, 2009, 08:22:05 am »
I have scripts ready for anyone who wants to give it a try. I have OpenVPN fully functional on my core, and can access my network remotely.

ssh to the core, and run:
Code:
cd /usr/pluto/bin
wget http://donpaul.info/configure_openvpn.tar
tar -xvf configure_openvpn.tar

To install and configure openvpn (one time only), run:
Code:
./Configure_OpenVPN_Interactive.sh

To configure an OpenVPN user, run:
Code:
./Configure_OpenVPN_Users.sh   # Repeat for each user that will access OpenVPN

Let me know how it goes. I'll get it to the wiki soon.
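
The download-and-extract steps above unpack an archive fetched over plain HTTP into a directory that holds system scripts such as Network_Firewall.sh, so the following added example (not part of the original post or of the linked scripts) checks the archive's digest and member names before extraction. `check_tarball` and `unsafe_member` are hypothetical names, and the expected SHA-256 is assumed to be obtained from the author out of band, since the thread does not give one.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded archive before
# unpacking it into a directory of system scripts such as /usr/pluto/bin.
# unsafe_member and check_tarball are hypothetical names.

# Succeeds (0) if a member name could land outside the extraction directory.
unsafe_member() {
    case $1 in
        /*|..|../*|*/..|*/../*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: check_tarball FILE EXPECTED_SHA256
# EXPECTED_SHA256 must come from a separate trusted channel; the thread
# does not publish one. Returns 0 only if digest and member names pass.
check_tarball() {
    file=$1 want=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    got=$(sha256sum "$file") || return 2
    got=${got%% *}                      # keep the digest, drop the file name
    if [ "$got" != "$want" ]; then
        echo "digest mismatch: got $got" >&2
        return 1
    fi
    names=$(tar -tf "$file") || return 2
    bad=$(printf '%s\n' "$names" | while IFS= read -r name; do
        if unsafe_member "$name"; then printf '%s\n' "$name"; fi
    done)
    [ -z "$bad" ] || { echo "unsafe members: $bad" >&2; return 1; }
    return 0
}

# Intended use (digest placeholder, not a real value):
#   check_tarball configure_openvpn.tar <sha256-from-author> \
#       && tar -xvf configure_openvpn.tar
```

This checks names only; reading `tar -tvf` output for symlinks and unexpected file modes is still worthwhile before extracting.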