Changes

From SME Server
3,127 bytes added ,  14:01, 16 March 2009
no edit summary
Line 63: Line 63:  
Once you submit this form, the service should start. You can check everything is ok with this command:
 
Once you submit this form, the service should start. You can check everything is ok with this command:
 
  tailf /var/log/openvpn-bridge/current
 
  tailf /var/log/openvpn-bridge/current
 +
 +
 +
=== Using PHPki to manage the certificates ===
 +
 +
With this new release, you can manage the certificates the way you want, but most of you will use [http://wiki.contribs.org/PHPki PHPki] for this.
 +
 +
* Initialize your PKI
 +
This should allready be done as you have installed the contrib following [http://wiki.contribs.org/PHPki#Installation this how-to]
 +
 +
* Create a certificate for the server
 +
 +
Now you need to create a certificate for OpenVPN on the server. For this, go in PHPki interface, then "create a new certificate". Here, you'll have to enter some informations about the certificate:
 +
 +
**Common Name: this is the name of the certificate. You can enter what you want, for example "openvpn-bridge"
 +
**Email address: the email address of the technical contact (this field is not used, you can enter what you want as long as it's a valid email adress), for example admin@domain.tld
 +
**Organization, Department, Locality, State and Country fields should have the values you entered when you have created your PKI. You can let those values.
 +
**Password: '''This field must be blank'''. Remember that OpenVPN daemon starts without human intervention when the server boots, so it need to have access to the certificate key without being prompted for a password.
 +
**Certificate life: How-long the certificate will be valid. Enter what you want, but remember, when the certificate expires, you'll have to create another one, and deploy it on each client.
 +
**Key size: you can enter what you want (I use 2048 in general). The bigger, the stronger, but will use a bit more CPU power when the session key is negociated (at the connection, and once an hour)
 +
**Certificate Use: you should use "VPN Server Only"
 +
 +
 +
 +
 +
*Configure openvpn with the newly created certificates
 +
 +
Now, you can configure OpenVPN with your certificates. Go in the server-manager->OpenVPN-Bridge->certificates configuration.
 +
 +
Here you have som efields to setup:
 +
 +
**URL to update the CRL: you should let the default: http://localhost:940/phpki/index.php?stage=dl_crl_pem
 +
**CA certificate: You should put here the Root certificate in PEM format. You can get it in PHPki, clicking on the link "Display the Root Certificate (PEM Encoded)"
 +
**Server certificate: You should put here the certificate of the server. You can get it in PHPki, manage certificates, click on the download link corresponding to the certificate you have created for the server ("openvpn-bridge" in the example), choose PEM certificate in the dropdown menu, download it. You can open this file with a text editor.
 +
**Server private key: This is the private key associated with the server's certificate. To get it, follow the same steps as above, but choose "PEM Key" in the dropdown menu instead of "PEM Certificate"
 +
**DH Parameters: To get the DH Parameters, click on the "Display the Diffie-Hellman parameters" link in PHPki
 +
**Static Key: This is optional. You can get it using the "Display the static pre-shared key" link in PHPki. Note that if you enter this key on the server, you'll have to deploy it on each client.
 +
 +
 +
 +
You can now submit the request. "Certificates are ready" should be displayed.
 +
    
=== Upgrade from smeserver-openvpn-bridge-fws-1.1-2 ===
 
=== Upgrade from smeserver-openvpn-bridge-fws-1.1-2 ===
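Review bot: The "Password: This field must be blank" item combined with the "Server private key" step means the server's key is stored unencrypted and is downloaded as a "PEM Key" file to the administrator's machine, but the added text never says what to do with that file afterwards. Suggest adding a sentence to the "Server private key" item telling the reader to delete the downloaded key file once it has been pasted into the server-manager panel and to treat it as sensitive until then, since whoever holds it can impersonate the VPN server. The "Key size" item would also read better as a plain recommendation than as "I use 2048 in general". Style: fix "allready", "informations", "adress", "it need", "negociated" and "som efields", and change "You can let those values" and "you should let the default" to "leave".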
