Changes

From SME Server
Jump to navigationJump to search
654 bytes added ,  01:54, 15 January 2019
Line 3: Line 3:  
<blockquote style="float: right;">[[File:openvpn.png|250px]]</blockquote><br>
 
<blockquote style="float: right;">[[File:openvpn.png|250px]]</blockquote><br>
 
===Maintainer===
 
===Maintainer===
[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]
+
[mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services]
    
=== Version ===
 
=== Version ===
   −
{{ #smeversion: smeserver-openvpn-bridge }}
+
{{#smeversion: smeserver-openvpn-bridge }}
 
  −
{{ #smeversion: smeserver-bridge-interface}}
      +
{{#smeversion: smeserver-bridge-interface}}
      Line 33: Line 32:     
  yum --enablerepo=smecontribs,epel install smeserver-openvpn-bridge
 
  yum --enablerepo=smecontribs,epel install smeserver-openvpn-bridge
<headertabs/>
+
<headertabs />
      Line 168: Line 167:  
  # Blank out the IP if defined as 'undef'
 
  # Blank out the IP if defined as 'undef'
 
  if [ $IP == 'undef' ]; then
 
  if [ $IP == 'undef' ]; then
  IP=''
+
  IP=
 
  fi
 
  fi
 
  /sbin/e-smith/db $DBNAME set $CERT rule comment "$COM" redirectGW "$REDIR" ip "$IP"
 
  /sbin/e-smith/db $DBNAME set $CERT rule comment "$COM" redirectGW "$REDIR" ip "$IP"
Line 287: Line 286:  
* at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)
 
* at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)
 
* click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up  
 
* click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up  
* Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"
+
* Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"''
 
* save and test
 
* save and test
   Line 323: Line 322:  
* click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder
 
* click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder
 
* click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder   
 
* click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder   
** Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"
+
** Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"''
 
* save and test
 
* save and test
   Line 421: Line 420:     
[[Image:proxy-setting.png|width|800px]]<br />
 
[[Image:proxy-setting.png|width|800px]]<br />
 +
 +
=== Workarounds and known issues ===
 +
if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm.
 +
 +
workaround :<syntaxhighlight lang="bash">
 +
echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings
 +
service openvpn-bridge restart
 +
</syntaxhighlight>
    
=== Bugs ===
 
=== Bugs ===
Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators
3,254

edits

Navigation menu