Changes

From SME Server
5,551 bytes added ,  20:02, 17 March 2020
https://wiki.contribs.org/OpenVPN_Routed
=== Advanced configuration ===

Some advanced options are not exposed in the panel. The goal was to keep the panel as simple as possible, since most installations won't need to change advanced settings. These options are still available through the following DB keys:
*'''ConfigRequired''': (enabled|disabled) If set to enabled, clients are rejected unless a configuration rule matches the common name of their certificate. This can be useful if you use a single CA to sign many different certificates but only want a limited number of them to be able to connect to the VPN

*'''UDPPort''': (number) Change the port the server listens on when running in UDP mode

*'''TCPPort''': (number) Change the port the server listens on when running in TCP mode

*'''access''': (private|public) You should leave this set to public, as running a VPN server only for the local network makes no sense
*'''cipher''': (valid cipher name) You can force the cipher to use. If you set it to auto, or delete this key, client and server will negotiate the strongest cipher both sides support. To list the supported ciphers, run:

 openvpn --show-ciphers
*'''clientToClient''': (enabled|disabled) If you want to prevent two clients from communicating with each other, you should enable this option

*'''duplicateCN''': (enabled|disabled) If you want to allow several clients to connect simultaneously using the same certificate, you need to enable this option (default is disabled)

*'''compLzo''': (enabled|disabled) This option controls the use of real-time LZO compression. Enabling it usually improves performance at no cost: the algorithm is adaptive, so if the data sent over the tunnel is not compressible, compression is automatically switched off. You may want to disable it on small hardware.

*'''management''': (<ip to bind to>:<port>:<password>) This key controls the OpenVPN management interface. The default is to listen only on the loopback interface. It is used to display connected clients. You can allow access from the local network to get more statistics, for example with: http://www.mertech.com.au/mertech-products-openvpnusermanager.aspx
*'''maxClients''': (number) Maximum number of clients connected at the same time

*'''mtuTest''': (enabled|disabled) When UDP is used as the transport protocol, mtu-test measures the best MTU for the virtual interface. You should leave it enabled unless you know what you're doing

*'''protocol''': (udp|tcp) The transport protocol to use. UDP is recommended for both security and performance, but there are situations where you will need TCP. If you use TCP, set the TCPPort key (instead of UDPPort) to choose the port the daemon listens on

*'''redirectGW''': (perClient|always) The default is to enable gateway redirection on a per-client basis. If you want the redirection to be always enabled, set this key to "always"; this way you won't have to create a new rule for each client.

*'''tapIf''': (tap interface) Use this tap interface. It should be a free tap interface enslaved to the bridge interface (configured with the [http://wiki.contribs.org/BridgeInterface#Installation bridge-interface] contrib). Do not change this setting unless you know what you're doing
Once you have configured the service the way you want, apply the changes by running:

 signal-event openvpn-bridge-update

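As an added example (not part of the smeserver-openvpn-bridge contrib or the original page), a small POSIX shell helper that validates values for the DB keys listed above before writing them with SME Server's config setprop, then applies them with signal-event. It assumes the configuration db entry is named openvpn-bridge; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the smeserver-openvpn-bridge contrib. Validates the
# advanced DB keys documented above before writing them with "config setprop", then
# applies them with "signal-event openvpn-bridge-update".
# Assumption: the configuration db entry is "openvpn-bridge". DRY_RUN=1 only prints.
DB_KEY="openvpn-bridge"

# validate_key KEY VALUE: returns 0 if VALUE is acceptable for KEY, else 1.
validate_key() {
    key=$1; val=$2
    case "$key" in
        ConfigRequired|clientToClient|duplicateCN|compLzo|mtuTest)
            case "$val" in enabled|disabled) return 0 ;; esac ;;
        UDPPort|TCPPort)                       # numeric, 1..65535
            case "$val" in ''|*[!0-9]*) return 1 ;; esac
            [ "$val" -ge 1 ] && [ "$val" -le 65535 ] && return 0 ;;
        maxClients)                            # positive number
            case "$val" in ''|*[!0-9]*) return 1 ;; esac
            [ "$val" -ge 1 ] && return 0 ;;
        protocol)   case "$val" in udp|tcp) return 0 ;; esac ;;
        access)     case "$val" in private|public) return 0 ;; esac ;;
        redirectGW) case "$val" in perClient|always) return 0 ;; esac ;;
        cipher)     # "auto" or a cipher name as printed by openvpn --show-ciphers
            case "$val" in ''|*[!A-Za-z0-9-]*) return 1 ;; *) return 0 ;; esac ;;
        management) # <ip to bind to>:<port>:<password>
            case "$val" in *:*:*) return 0 ;; esac ;;
    esac
    return 1
}

# set_key KEY VALUE: validates, then writes the key (or prints the command).
set_key() {
    validate_key "$1" "$2" || { echo "invalid value '$2' for $1" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "config setprop $DB_KEY $1 $2"
    else
        config setprop "$DB_KEY" "$1" "$2"
    fi
}

# apply: example change set (switch to TCP on port 443, always redirect the
# gateway, disable LZO), then tell the server to regenerate its configuration.
apply() {
    set_key protocol tcp && set_key TCPPort 443 &&
    set_key redirectGW always && set_key compLzo disabled || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "signal-event openvpn-bridge-update"; else signal-event openvpn-bridge-update; fi
}
```

Source the file on the server and call apply, or run it with DRY_RUN=1 first to preview the exact commands that would be issued.
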
=== Uninstallation ===

To remove the contrib, simply run:

 yum remove smeserver-openvpn-bridge

You may also want to remove the other dependencies if you no longer use them:

 yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet

=== Notes ===

==== OpenVPN and SME installed in virtual machine - VMware promiscuous mode ====

By default, on all ESX(i) versions from 3.5 to 7.0 (current as of February 2020), VMware rejects packets in promiscuous mode on the vSwitch, which breaks OpenVPN in bridge mode. The main symptom is that, after a successful authentication from your remote client, you can ping/reach only the OpenVPN server itself, while no other IP address on the LAN can be pinged/reached. To correct this in VMware, set:

  Configuration > Networking > your vSwitch: Properties > Ports tab > vSwitch > Edit > Security tab > Promiscuous mode: Accept

For ESXi hypervisors still managed with the vSphere client:

[[File:Promiscuous_mode_-_Esxi.jpg|786x786px]]

For ESXi versions greater than 6.5 using the web UI client:

[[File:Promiscuous mode - Webui.jpg|border|frameless|784x784px]]

==== OpenVPN and SME installed in virtual machine - VirtualBox promiscuous mode ====

The same problem exists in VirtualBox: you need to set promiscuous mode to "Allow All" in the network tab of the virtual machine configuration.

# Virtual machine > Configuration > Network > Adapter 1
# Choose the adapter type "Intel PRO/1000 ....."
# Set "Attached to" to "Bridged Adapter" on your default NIC
# Click on "Advanced"
# Set "Promiscuous Mode" to "Allow All"

[[Image:virtualbox-Sme8-Settings.png]]<br />

==== OpenVPN and SME installed in virtual machine - Other hypervisors ====

It is documented that the same problem can occur with other hypervisors such as oVirt, Proxmox, Xen and others. Remember to look for the equivalent "promiscuous mode" setting of their virtual switch.

==== Transparent proxy settings ====

{{Note box|Keep in mind that you need to disable your transparent proxy, otherwise your host can no longer browse over HTTP.}}

Go to server-manager > Proxy services and disable the HTTP and SMTP proxies.

[[Image:proxy-setting.png|width|800px]]<br />

    
== Workarounds and known issues ==