Author Topic: OpenVPN  (Read 43573 times)

dlewis

Re: OpenVPN
« Reply #30 on: May 11, 2009, 04:54:07 am »
Just wondering... What would be the benefit of OpenVPN and LinuxMCE on a bootable USB stick? Is it just a cool factor or...?

donpaul

Re: OpenVPN
« Reply #31 on: May 11, 2009, 05:39:13 am »
I checked out the code, but I'm not sure how much I can help with the web admin part. I don't know PHP as well as I'd like, but I'll give it a look. I can certainly help out with architecture, OpenVPN itself and anything on the OS.

A page could be added to the network section and collect name/country/state/email/etc, then pass it to the script to configure openvpn. The Wizard/User section could be modified to collect user information and pass it to the user script to create the user cert. Then present the tar file as a download link for each user. I wish I knew php well enough to write it myself.

Also, the firewall rules should be changed to allow UDP port 1194 to the core.

dlewis

Re: OpenVPN
« Reply #32 on: May 11, 2009, 05:58:00 am »
Quote from: donpaul
"I can certainly help out with architecture, OpenVPN itself and anything on the OS."

Reach out to zug. He was in the IRC chat today and talked about working on the webmin part, among other things... I know he's done some work already. One thing you can begin to think about would be how we can connect cores in different locations and secure everything around it... Also, zug brought up an idea to use a CA or PKI for this... Maybe you can work on ideas for that.

donpaul

Re: OpenVPN
« Reply #33 on: May 11, 2009, 06:22:25 am »
FYI, I modified the scripts to optionally take arguments.

To configure openvpn:
./Configure_OpenVPN.sh "name" email country state

To configure users:
./Configure_OpenVPN_Users.sh "name" email country state username WAN-IP

-The user's openvpn package will be found at \\dcerouter\public\lmce-$username.tar

My scripts set up the CA/PKI on the core. All that is needed is a webadmin page to pass the arguments. It would be very easy to then link cores. Each core could simply be a user, and configured as such.
« Last Edit: May 11, 2009, 06:24:21 am by donpaul »

krys

Re: OpenVPN
« Reply #34 on: May 11, 2009, 09:48:09 pm »
Has anyone else used this script yet? I run into errors when trying to start the vpn daemon.

28016 Mon May 11 14:43:11 CDT 2009 Unlock 'Firewall' (Firewall)
28016 Mon May 11 14:43:11 CDT 2009 Unlock 'Firewall' (Firewall) success
Stopping virtual private network daemon:.
Starting virtual private network daemon: lmce-server(FAILED).
dcerouter_108183:/usr/pluto/bin# openvpn lmce-server.conf
Options error: In [CMD-LINE]:1: Error opening configuration file: lmce-server.conf
Use --help for more information.
dcerouter_108183:/usr/pluto/bin# openvpn lmce-server
Options error: In [CMD-LINE]:1: Error opening configuration file: lmce-server
Use --help for more information.

merkur2k

Re: OpenVPN
« Reply #35 on: May 11, 2009, 10:34:31 pm »
I will add my notes in progress here as well.
I do have some experience with OpenVPN as I have set up a couple VPNs with it in the past.
To start off with, these are the immediate issues I noticed (I still haven't gotten it to work yet):
1) There is really no need to ask for personal information for self-signed certs. Canned info is just fine.
2) Paths in the config file may need to be absolute.
3) Config file looks for ta.key, should be looking for lmce-ta.key.
4) There is no server.crt anywhere that I can find.
I will continue working this stuff out to see how to best solve the issues.
I also have considerable experience with php and am willing to tackle the web admin stuff. Will just need to figure out exactly what the web pages need to do.
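
Added example, not part of merkur2k's post or donpaul's scripts: a check for points 2 to 4 above, listing every file the server config names and whether openvpn could open it from a given start directory. The function names and the sample config are constructed for illustration; only the file names come from the thread, and unquoted paths are assumed.

```shell
#!/bin/sh
# Report which files an OpenVPN config references and whether each one can
# be opened. Relative paths are resolved against the directory openvpn would
# be started from (second argument, default: the config's own directory).
check_ovpn_files() {
    conf=$1
    base=${2:-$(dirname "$conf")}
    missing=0
    [ -r "$conf" ] || { echo "MISSING config $conf"; return 2; }
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh|tls-auth|crl-verify) ;;   # first argument is a file
            *) continue ;;                           # comments, other options
        esac
        case $path in
            /*) full=$path ;;          # absolute: used as written
            *)  full=$base/$path ;;    # relative: depends on the start directory
        esac
        if [ -r "$full" ]; then
            echo "ok      $directive $full"
        else
            echo "MISSING $directive $full"
            missing=$((missing + 1))
        fi
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# Constructed sample: the config names ta.key and server.crt, while the
# directory only holds ca.crt and lmce-ta.key.
make_sample() {
    dir=$(mktemp -d)
    touch "$dir/ca.crt" "$dir/lmce-ta.key"
    printf '%s\n' 'port 1194' 'ca ca.crt' 'cert server.crt' \
        '# key server.key' 'tls-auth ta.key 0' > "$dir/lmce-server.conf"
    echo "$dir"
}

sample=$(make_sample)
check_ovpn_files "$sample/lmce-server.conf" || echo "config references unreadable files"
rm -rf "$sample"
```

Passing a different second argument shows why relative paths matter: the same config that passes from its own directory fails when the daemon is started somewhere else.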

donpaul

Re: OpenVPN
« Reply #36 on: May 11, 2009, 10:44:28 pm »
I think I put the wrong scripts up, before I made some corrections. I'll upload the correct ones in a bit.

krys

Re: OpenVPN
« Reply #37 on: May 11, 2009, 11:22:41 pm »
There were two places that I found ta.key in the lmce-server.conf file. I replaced them both with lmce-ta.key and still got the error:

Starting virtual private network daemon: lmce-server(FAILED).

donpaul

Re: OpenVPN
« Reply #38 on: May 11, 2009, 11:23:53 pm »
I uploaded the correct scripts, let me know how it goes. I tested it on mine and it worked, but we'll see.

krys

Re: OpenVPN
« Reply #39 on: May 11, 2009, 11:33:47 pm »
I re-downloaded the script and still seem to have issues:

cp: cannot stat `/etc/openvpn/easy-rsa/keys/ca.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.crt': No such file or directory
cp: cannot stat `/etc/openvpn/easy-rsa/keys/server.key': No such file or directory
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall)
25829 Mon May 11 16:32:45 CDT 2009 WaitLock 'Firewall' (Firewall) success
Clearing firewall
Enabling packet forwarding
Setting up firewall
Setting up forwarded ports
  Source port: 3080/tcp; Destination: 127.0.0.1:80
  Source port: 21/tcp; Destination: 192.168.80.254:21
  Source port: 1194/tcp; Destination: 192.168.80.1:1194
  Source port: 3877/tcp; Destination: 192.168.80.1:3877
Opening specified ports to exterior
  Port: 4569:4569/udp
  Port: 5060:5060/udp
  Port: 2000:2000/udp
  Port: 2000:2000/tcp
  Port: 22:22/tcp
  Port: 55237:55237/tcp
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall)
25829 Mon May 11 16:32:46 CDT 2009 Unlock 'Firewall' (Firewall) success
Stopping virtual private network daemon:.
Starting virtual private network daemon: lmce-server(FAILED).

donpaul

Re: OpenVPN
« Reply #40 on: May 12, 2009, 02:04:18 am »
Damnit, lol.  I'll work it out.

donpaul

Re: OpenVPN
« Reply #41 on: May 12, 2009, 03:39:07 am »
Ok. So I modified the script to first remove any existing openvpn package and any configuration. This was a good idea anyway so that nothing gets hosed if the script is run a second time. Anyway, grab it again, and you should be good to go.

Code:
cd /usr/pluto/bin && wget http://donpaul.info/configure_openvpn.tar && tar -xvf configure_openvpn.tar && ./Configure_OpenVPN.sh

dlewis

Re: OpenVPN
« Reply #42 on: May 12, 2009, 03:50:14 am »
Thanks, donpaul... Zug, how's the webadmin stuff going?

krys

Re: OpenVPN
« Reply #43 on: May 12, 2009, 03:09:10 pm »
Good news! Looks like the VPN daemon is up and running on the server. Now I just need to figure out how to set up the client and I will be good to go.

Big thanks to DonPaul for sticking with me.

-Krys

krys

Re: OpenVPN
« Reply #44 on: May 12, 2009, 03:42:32 pm »
Alright, so I copied the user config file from the \\dcerouter\public to the config folder on my client computer. I right click on lmce-user1.ovpn to open the VPN and I get some TLS errors

TLS Error: TLS key negotiation failed to occur within 60 seconds
TLS Error: TLS handshake failed

The only other thing that sticks out to me is it says

WARNING: No server certificate verification method has been enabled.

Any ideas?

-Krys
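
Added example, not part of krys's post or donpaul's scripts: reply #31 asks for UDP port 1194 while the firewall output in reply #39 lists 1194/tcp, and the warning above concerns a client profile with no server certificate check, so this sketch compares protocol and port across client profile, server config and firewall output and looks for `remote-cert-tls server` (OpenVPN 2.1+) or `ns-cert-type server` (2.0). The function names and sample files are constructed; the firewall line format is the one shown in reply #39.

```shell
# Compare a client profile with the server config and the firewall output.

# Print "<proto> <port>"; OpenVPN's defaults are udp and 1194.
ovpn_endpoint() {
    awk '$1 == "proto"  { proto = $2 }
         $1 == "port"   { port = $2 }
         $1 == "remote" { if ($3 != "") port = $3; if ($4 != "") proto = $4 }
         END { sub(/-(server|client)$/, "", proto)      # tcp-server, tcp-client
               if (proto == "") proto = "udp"; if (port == "") port = "1194"
               print proto, port }' "$1"
}

# True when the profile requires the peer to present a server certificate:
# "remote-cert-tls server" (OpenVPN 2.1+) or "ns-cert-type server" (2.0).
verifies_server_cert() {
    grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$1"
}

# True when the firewall output opens or forwards <port>/<proto>.
firewall_passes() {   # $1 proto, $2 port, $3 file holding the output
    grep -Eq "(Source port: $2/$1;|Port: $2:$2/$1[[:space:]]*\$)" "$3"
}

audit_client() {      # $1 client profile, $2 server config, $3 firewall output
    rc=0
    c=$(ovpn_endpoint "$1"); s=$(ovpn_endpoint "$2")
    [ "$c" = "$s" ] || { echo "MISMATCH client uses $c, server uses $s"; rc=1; }
    firewall_passes "${s% *}" "${s#* }" "$3" ||
        { echo "BLOCKED ${s#* }/${s% *} is not opened or forwarded"; rc=1; }
    verifies_server_cert "$1" ||
        { echo "NO-VERIFY peer is not required to hold a server certificate"; rc=1; }
    return "$rc"
}

# Constructed sample files; 203.0.113.10 is a documentation address.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'client' 'proto udp' 'remote 203.0.113.10 1194' > "$d/lmce-user1.ovpn"
    printf '%s\n' 'port 1194' 'proto udp' > "$d/lmce-server.conf"
    printf '%s\n' '  Source port: 1194/tcp; Destination: 192.168.80.1:1194' \
        '  Port: 22:22/tcp' > "$d/firewall.txt"
    echo "$d"
}
sample=$(make_sample)
audit_client "$sample/lmce-user1.ovpn" "$sample/lmce-server.conf" \
    "$sample/firewall.txt" || echo "profile needs attention"
rm -rf "$sample"
```

Either verification directive only succeeds when the server certificate was issued with the server designation, which easy-rsa's build-key-server does.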