Changes

From SME Server
2,816 bytes added, 21:43, 4 May 2009
Detailed how-to for Windows clients
Line 191: Line 191:  
The configuration is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done.
 
The configuration is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done.
   −
=== Configuration file ===
+
=== Client Configuration ===
   −
On the main page of the panel, you can display a sample configuration file. This file is dynamically generated according to server-side configuration.
+
OpenVPN runs on most platforms.
Here, you'll just need to change the line
+
In any case, the first step will always be the same: you have to create a new certificate for the client.
pkcs12 user.p12
     −
or uncomment and change the lines
+
==== Create the certificate with PHPki ====
#ca cacert.pem
  −
#cert user.pem
  −
#key user-key.pem
     −
to match the certificate name of the client
+
If you use your own PKI tool, you should be able to do it yourself ;)
 +
If you use [[PHPki]], here are the steps to follow
 +
 
 +
* In [[PHPki]] administrative interface, click on the "Create a new certificate" link.
 +
Here, you'll have to enter several informations. Most of them are up to you. Here's an example:
 +
[[File:Phpki_ovpn_bridge_create_client_crt.png|800px|thumb|center|Create a new certificate for the client]]
 +
 
 +
{{Warning box|Valid certificate uses for OpenVPN Bridge are
 +
*Email, SSL Client
 +
*Email, SSL Client, Code Signing
 +
*VPN Client Only
 +
*VPN Client, VPN Server
 +
 
 +
Email, SSL Client and Email, SSL Client, Code Signing require a password to protect the key, so you'll have to enter an additional password when connecting.}}
 +
 
 +
{{Note box|If you plan to use this certificate only for the VPN, the recommended usage is VPN Client Only}}
 +
 
 +
{{Note box|The Certificate Life is useful if you want to grant someone a VPN access for a limited periode of time. Once the certificate has expired, the server will reject it (without the need to manually revoke it)}}
 +
 
 +
{{Note box|Even if PHPki accepts a lot of characters for the common name, I personally recommend to use simple characters (lowercase, numbers, underscore, dash)}}
 +
 
 +
Once you have submitted this form, you'll have a confirmation page. Then your certificate will be ready.
 +
 
 +
Now, go in the "Manage Certificates" menu in [[PHPki]] and click on the Download link corresponding to your certificate, then choose the PKCS#12 bundle format (OpenVPN also accept pem encoded certificate, but the PKCS#12 bundle has the advantage of combining the CA, the certificate and the key in one file).
 +
 
 +
If you have configured and shared secret key on the server, you also need to download it.
 +
 
 +
==== Windows ====
 +
For Windows systems, you should download OpenVPN GUI either from http://openvpn.se/download.html (which include OpenVPN 2.0.9) or from here: http://openvpn.net/index.php/downloads.html (starting with version 2.1, openvpn include the Windows GUI in the installer. 2.1 is still in RC but is quite stable and has some advantages over 2.09. One of the main one is that your can run it on 2000/XP without administrative privileges)
 +
 
 +
On Windows, the configuration directory for OpenVPN is C:\Program Files\OpenVPN\config
 +
Here you can put all the needed files, or create sub-directories if you want to configure several connexions.
 +
Put here (either in the config directory or in a sub folder) the PKCS#12 file you have downloaded earlier, and the shared secret key if you used one on the server.
 +
Now create a text file, and change the extension to be .ovpn (the name isn't important). Edit it with your favorite text editor.
 +
Now, go in the panel of OpenVPN-Bridge and click on the link "Display a functional client configuration file". Copy and past this in your config file (.ovpn), and just change the pkcs12 directive to match your certificate name. Save this file.
 +
Now your client should be able to connect with the OpenVPN GUI.
    
=== Advanced configuration ===
 
=== Advanced configuration ===
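
Review bot: In the Windows section, the step "Put here (either in the config directory or in a sub folder) the PKCS#12 file you have downloaded earlier, and the shared secret key" gives no guidance on how those two files should reach the client or who can read them once they are in C:\Program Files\OpenVPN\config. The Warning box says only the "Email, SSL Client" and "Email, SSL Client, Code Signing" usages require a password to protect the key, which suggests the recommended "VPN Client Only" bundle holds the private key with no passphrase; if that is the case, say so explicitly and add a Note box telling readers to move the bundle and the shared secret key over a protected channel and to restrict read access to the config directory. The removed text also explained the "#ca cacert.pem", "#cert user.pem" and "#key user-key.pem" alternative, while the new text only remarks that PEM encoded certificates are accepted, so either keep one line on uncommenting those directives or drop the PEM remark. Minor wording to fix before saving: "informations", "periode", "configured and shared secret key", "connexions", "Copy and past", "your can run", and "2.09" versus "2.0.9" earlier in the same sentence.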
