Line 13: |
Line 13: |
| === Description === | | === Description === |
| | | |
− | [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. | + | [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. |
| | | |
| This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers. | | This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers. |
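Review bot: the change from 'failover' to 'fail-over' in the first paragraph is a regression rather than a spelling fix; 'failover' is the usual one-word form in networking text, and the same paragraph already writes 'site-to-site' and 'access-controls' inconsistently, so I would keep 'failover'. The unchanged second paragraph has two real grammar errors this cleanup pass could take along: 'help you configuring' should be 'help you configure', and 'which services VPN clients has access to' should be 'have access to'.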
Line 49: |
Line 49: |
| {{Note box|You can let this field blank if you don't want to use the additional TLS auth}} | | {{Note box|You can let this field blank if you don't want to use the additional TLS auth}} |
| | | |
− | You can use [[PHPki]] contrib to manage this easily. [[PHPki]] doesn't need to be installed on the same server. You can also manage your PKI by hands, or with your own PKI tool if you allready use one (for example, [http://tinyca.sm-zone.net/ tinyCA]) | + | You can use [[PHPki]] contrib to manage this easily. [[PHPki]] doesn't need to be installed on the same server. You can also manage your PKI by hands, or with your own PKI tool if you already use one (for example, [http://tinyca.sm-zone.net/ tinyCA]) |
| | | |
| Once you have enter all the required information, just submit the form. | | Once you have enter all the required information, just submit the form. |
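Review bot: the hunk fixes 'allready' but leaves three other errors in the same lines: 'You can let this field blank' should be 'leave this field blank', 'manage your PKI by hands' should be 'by hand', and 'Once you have enter all the required information' should be 'entered'.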
Line 76: |
Line 76: |
| | | |
| * Initialize your PKI | | * Initialize your PKI |
− | This should allready be done as you have installed the contrib following [[PHPki#Installation|this how-to]] | + | This should already be done as you have installed the contrib following [[PHPki#Installation|this how-to]] |
| | | |
| * Create a certificate for the server | | * Create a certificate for the server |
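Review bot: the 'Initialize your PKI' step reads as an assertion ('This should already be done as you have installed the contrib'); as a checklist item it is clearer as a condition the reader can verify, e.g. 'This is already done if you installed the contrib following this how-to; if not, do it now.'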
Line 83: |
Line 83: |
| | | |
| **Common Name: this is the name of the certificate. You can enter what you want, for example "openvpn-bridge" | | **Common Name: this is the name of the certificate. You can enter what you want, for example "openvpn-bridge" |
− | **Email address: the email address of the technical contact (this field is not used, you can enter what you want as long as it's a valid email adress), for example admin@domain.tld | + | **Email address: the email address of the technical contact (this field is not used, you can enter what you want as long as it's a valid email address), for example admin@domain.tld |
| **Organization, Department, Locality, State and Country fields should have the values you entered when you have created your PKI. You can let those values. | | **Organization, Department, Locality, State and Country fields should have the values you entered when you have created your PKI. You can let those values. |
| **Password: '''This field must be blank'''. Remember that OpenVPN daemon starts without human intervention when the server boots, so it need to have access to the certificate key without being prompted for a password. | | **Password: '''This field must be blank'''. Remember that OpenVPN daemon starts without human intervention when the server boots, so it need to have access to the certificate key without being prompted for a password. |
| **Certificate life: How-long the certificate will be valid. Enter what you want, but remember, when the certificate expires, you'll have to create another one, and deploy it on each client. | | **Certificate life: How-long the certificate will be valid. Enter what you want, but remember, when the certificate expires, you'll have to create another one, and deploy it on each client. |
− | **Key size: you can enter what you want (I use 2048 in general). The bigger, the stronger, but will use a bit more CPU power when the session key is negociated (at the connection, and once an hour) | + | **Key size: you can enter what you want (I use 2048 in general). The bigger, the stronger, but will use a bit more CPU power when the session key is negotiated (at the connection, and once an hour) |
| **Certificate Use: you should use "VPN Server Only" | | **Certificate Use: you should use "VPN Server Only" |
| | | |
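Review bot: the Password bullet (unchanged context) gives the right reason for an unencrypted server key but stops short of the consequence the reader needs: because the PEM key is not password protected, the exported key file is the only thing guarding the server identity, so the doc should say to keep it readable by root only on the server and to delete the downloaded copy after it has been pasted into the form. Same lines: 'it need to have access' should be 'it needs', and 'How-long the certificate will be valid' should be 'How long'.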
Line 100: |
Line 100: |
| | | |
| **URL to update the CRL: you should let the default: http://localhost:940/phpki/index.php?stage=dl_crl_pem | | **URL to update the CRL: you should let the default: http://localhost:940/phpki/index.php?stage=dl_crl_pem |
− | **CA certificate: You should put here the Root certificate in PEM format. You can get it in PHPki, clicking on the link "Display the Root Certificate (PEM Encoded)" | + | **CA certificate: You should put here the Root certificate in PEM format. You can get it in [[PHPki]], clicking on the link "Display the Root Certificate (PEM Encoded)" |
− | **Server certificate: You should put here the certificate of the server. You can get it in PHPki, manage certificates, click on the download link corresponding to the certificate you have created for the server ("openvpn-bridge" in the example), choose PEM certificate in the dropdown menu, download it. You can open this file with a text editor. | + | **Server certificate: You should put here the certificate of the server. You can get it in [[PHPki]], manage certificates, click on the download link corresponding to the certificate you have created for the server ("openvpn-bridge" in the example), choose PEM certificate in the drop-down menu, download it. You can open this file with a text editor. |
− | **Server private key: This is the private key associated with the server's certificate. To get it, follow the same steps as above, but choose "PEM Key" in the dropdown menu instead of "PEM Certificate" | + | **Server private key: This is the private key associated with the server's certificate. To get it, follow the same steps as above, but choose "PEM Key" in the drop-down menu instead of "PEM Certificate" |
− | **DH Parameters: To get the DH Parameters, click on the "Display the Diffie-Hellman parameters" link in PHPki | + | **DH Parameters: To get the DH Parameters, click on the "Display the Diffie-Hellman parameters" link in [[PHPki]] |
− | **Static Key: This is optional. You can get it using the "Display the static pre-shared key" link in PHPki. Note that if you enter this key on the server, you'll have to deploy it on each client. | + | **Static Key: This is optional. You can get it using the "Display the static pre-shared key" link in [[PHPki]]. Note that if you enter this key on the server, you'll have to deploy it on each client. |
| | | |
| | | |
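Review bot: 'you should let the default' in the CRL URL bullet should be 'leave the default', the same fix pattern applied elsewhere in this revision. The Static Key bullet describes the field only as 'optional'; if this is the field the Line 49 note box calls 'the additional TLS auth', say so here so the reader connects the two and understands that enabling it means every client configuration also needs the key, as the bullet already warns.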
Line 112: |
Line 112: |
| === Upgrade from smeserver-openvpn-bridge-fws-1.1-2 === | | === Upgrade from smeserver-openvpn-bridge-fws-1.1-2 === |
| | | |
− | If you was using the previous version of the contrib, you'll need some additionnal steps to migrate your configuration. | + | If you was using the previous version of the contrib, you'll need some additional steps to migrate your configuration. |
| | | |
| *Install [[PHPki]] | | *Install [[PHPki]] |
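Review bot: 'If you was using the previous version' should be 'If you were using'; the hunk only corrected 'additionnal' on that line.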
Line 184: |
Line 184: |
| === Configuration rules === | | === Configuration rules === |
| | | |
− | The configuration is the new way to apply specific configuration to a client. As now the certificates are managed separatly, you have to create rules separatly. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done. | + | The configuration is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done. |
| | | |
| === Configuration file === | | === Configuration file === |
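Review bot: the opening sentence is missing a word: 'The configuration is the new way to apply specific configuration to a client' should follow the section heading and read 'Configuration rules are the new way to apply a specific configuration to a client'. 'As now the certificates are managed separately' is also clearer as 'Now that certificates are managed separately'.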
Line 242: |
Line 242: |
| yum remove smerver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet | | yum remove smerver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet |
| | | |
− | === Source ===
| |
− | The source for this contrib can be found in the smeserver [http://smeserver.cvs.sourceforge.net/smeserver/smeserver-openvpn-bridge/ CVS] on sourceforge.
| |
| === Bugs === | | === Bugs === |
| Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] |
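Review bot: deleting the '=== Source ===' section removes the only pointer to where this contrib's code lives, and the Bugs section right after it still asks people to file reports; if the SourceForge CVS link is stale, replace it with the current repository location rather than dropping the section. In the unchanged 'yum remove' line, 'smerver-phpki' looks like a typo for 'smeserver-phpki'; yum reports no match for an unknown package name and leaves that package installed while removing the others, so the name should be verified before this uninstall command is published.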