Changes

266 bytes added, 13:16, 20 October 2010
m
no edit summary
Line 13: Line 13:  
=== Description ===
 
=== Description ===
   −
smeserver-openvpn-s2s lets you inter-connect several SME servers, and their local networks with secure VPN. It uses OpenVPN as backend, using either the simple shared secret method, or the stronger, but more complex TLS mechanism.
+
smeserver-openvpn-s2s lets you inter-connect several SME servers, and their local networks with secure VPN. It uses OpenVPN as backend, using either the simple shared secret method, or the stronger, but more complex TLS mechanism. It's well integrated in SME, providing a panel to configure most settings.
    
=== Installation ===
 
=== Installation ===
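Review bot: the added sentence "It's well integrated in SME, providing a panel to configure most settings" should also say what "most" leaves out, since the Configuration section below states that LogLevel, Protocol and Cipher are only reachable through db commands; suggest "It is well integrated into SME and provides a panel for most settings; a few advanced settings are only available through db commands." Minor wording in the same paragraph: "inter-connect" should be "interconnect", "with secure VPN" should be "over a secure VPN", and "as backend" should be "as the backend".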
Line 26: Line 26:  
=== Configuration ===
 
=== Configuration ===
   −
This contrib lets you create as many servers and clients daemon. A server can only be used by one client (it's not a one server for multiple clients solution), so if you wan't to connect several SME to one central server, you'll need to create several server daemon, binding on different ports.
+
This contrib lets you create as many servers and clients daemon as you want. A server can only be used by one client (it's not a one server for multiple clients solution), so if you want to connect several SME to one central server, you'll need to create several server daemon, binding on different ports.
Once conected, OpenVPN makes no difference between client and server, we just need to define which endpoint will bind on a local port waiting for a connection of the remote endpoint.
+
Once connected, OpenVPN makes no difference between client and server, we just need to define which endpoint will bind on a local port waiting for a connection of the remote endpoint.
    
Lets take a simple example. We manage two SME servers  
 
Lets take a simple example. We manage two SME servers  
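Review bot: "daemon" should be plural in both the corrected sentence and the one after it, i.e. "as many server and client daemons as you want" and "several server daemons, binding on different ports", and "several SME" should read "several SME servers". The second corrected sentence is a run-on and reads better split: "Once connected, OpenVPN makes no difference between client and server. We just need to define which endpoint binds on a local port and waits for the remote endpoint to connect." The unchanged context "Lets take a simple example" needs an apostrophe ("Let's").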
Line 48: Line 48:  
[[File:Ovpn_s2s_add_client.png|768px|thumb|center|Configure a new client daemon]]
 
[[File:Ovpn_s2s_add_client.png|768px|thumb|center|Configure a new client daemon]]
   −
Then, click on the next button, we'll have a page to configure the shared secret key. We can generate such keys using openvpn command (on your SME Server, or on another linux box. I'm not sure if we can do the same under Windows). To create a new key, type the following command on your shell:
+
Then, click on the next button, we'll have a page to configure the shared secret key. We can generate such keys using openvpn command (on your SME Server, or on another Linux box. I'm not sure if we can do the same under Windows). To create a new key, type the following command on your shell:
    
  openvpn --genkey --secret /dev/stdout
 
  openvpn --genkey --secret /dev/stdout
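Review bot: the command "openvpn --genkey --secret /dev/stdout" prints the static key to the terminal, and the paragraph says nothing about how that key reaches the other side; since it is a shared secret that both endpoints must hold, suggest adding that the same key has to be entered on both the server and the client, and that it should only be copied between the two servers over a trusted channel. Wording: "using openvpn command" should be "using the openvpn command", and "click on the next button, we'll have a page" reads better as "after clicking Next, you'll get a page". The aside "I'm not sure if we can do the same under Windows" should be checked and either confirmed or dropped rather than left as an open question in the documentation.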
Line 69: Line 69:  
* '''Remote Host''' (available on client only): IP or FQDN to the remote peer
 
* '''Remote Host''' (available on client only): IP or FQDN to the remote peer
 
* '''Remote Port''' (available on client only): port used by the remote server
 
* '''Remote Port''' (available on client only): port used by the remote server
* '''Local Port''' (available on server only): port on which the openvpn server will bind, waiting for connection of the remote peer. Remote Port on the client and Local Port on the server should be the same
+
* '''Local Port''' (available on server only): port on which the OpenVPN server will bind, waiting for connection of the remote peer. Remote Port on the client and Local Port on the server should be the same
 
* '''Local Virtual IP''': the IP used internally by OpenVPN. You should choose a IP outside of any local networks
 
* '''Local Virtual IP''': the IP used internally by OpenVPN. You should choose a IP outside of any local networks
 
* '''Remote Virtual IP''': the IP used internally by OpenVPN on the other side. Those two virtual IP should be reversed between the client and the server
 
* '''Remote Virtual IP''': the IP used internally by OpenVPN on the other side. Those two virtual IP should be reversed between the client and the server
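Review bot: "Remote Port on the client and Local Port on the server should be the same" describes a hard requirement, so "must be the same" is clearer; the same applies to "Those two virtual IP should be reversed between the client and the server", which reads better as "These two virtual IPs must be swapped between the client and the server (the server's Local Virtual IP is the client's Remote Virtual IP, and vice versa)". In the Local Virtual IP item, "a IP" should be "an IP", and "outside of any local networks" should state explicitly that the address must not overlap any LAN on either side of the tunnel, since that is what the item is warning about.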
Line 85: Line 85:  
Some advanced settings are not available on the panel, but only with db commands:
 
Some advanced settings are not available on the panel, but only with db commands:
 
* '''LogLevel''': if you want to increase the verbosity of a daemon (either client or server), you set the LogLevel property. Valid LogLevel value are numbers between 0 (no output except fatal errors) to 11 (really verbose)
 
* '''LogLevel''': if you want to increase the verbosity of a daemon (either client or server), you set the LogLevel property. Valid LogLevel value are numbers between 0 (no output except fatal errors) to 11 (really verbose)
* '''Protocol''': can be tcp or udp. The default is to use udp. You shouldn't change this setting unless you have good reason to do so. This setting should match the other endpoint.
+
* '''Protocol''': can be tcp or udp. The default is to use udp. You shouldn't change this setting unless you have good reason to do so. This setting should match on both the server and the client.
 
* '''Cipher''': The cipher used. The default is to use the BlowFish algorithm. This setting should match on both the server and the client. You can get a list of available ciphers using this command:
 
* '''Cipher''': The cipher used. The default is to use the BlowFish algorithm. This setting should match on both the server and the client. You can get a list of available ciphers using this command:
 
  openvpn --show-ciphers | egrep '^[A-Z]{2}' | awk {'print $1'}
 
  openvpn --show-ciphers | egrep '^[A-Z]{2}' | awk {'print $1'}
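Review bot: the Cipher item states that the default is Blowfish but gives no guidance on what to choose instead; Blowfish is a 64-bit block cipher, so the item should recommend an AES cipher (AES-256-CBC is listed by the openvpn --show-ciphers command the item already gives), set identically on both daemons as the item requires. The awk quoting in that command, awk {'print $1'}, works only because the shell concatenates the pieces; the conventional form awk '{print $1}' is clearer. In the LogLevel item, "Valid LogLevel value are numbers between 0 ... to 11" should read "Valid LogLevel values are numbers from 0 (no output except fatal errors) to 11 (really verbose)".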
Line 105: Line 105:  
  echo "reneg-sec 900" >> /etc/openvpn/s2s/myvpn.conf.custom
 
  echo "reneg-sec 900" >> /etc/openvpn/s2s/myvpn.conf.custom
 
  signal-event openvpn-s2s-update
 
  signal-event openvpn-s2s-update
 +
 +
=== Troubleshoot ===
 +
If you have problems, you can check the logs of the OpenVPN processes in /var/log/openvpn-s2s/<Daemon ID>.log
    
=== Backup and Restore ===
 
=== Backup and Restore ===
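Review bot: the added heading "Troubleshoot" should be "Troubleshooting" to match the noun-style headings used elsewhere on the page ("Installation", "Configuration", "Backup and Restore"). The new section should tie the log file to the LogLevel property described earlier, e.g. "If the log is not detailed enough, raise the daemon's LogLevel and run signal-event openvpn-s2s-update", since the lines just above show that signal-event is what applies configuration changes. The placeholder <Daemon ID> should also say how that ID relates to the name used in paths such as /etc/openvpn/s2s/myvpn.conf.custom shown above.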
Line 123: Line 126:  
----
 
----
 
[[Category:Contrib]]
 
[[Category:Contrib]]
 +
[[Category:Administration:VPN]]
