Line 5: |
Line 5: |
| [mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services] | | [mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services] |
| | | |
− | === Version === | + | ===Version=== |
| | | |
| {{#smeversion: smeserver-openvpn-bridge }} | | {{#smeversion: smeserver-openvpn-bridge }} |
Line 12: |
Line 12: |
| | | |
| | | |
− | | + | ===Description=== |
− | === Description === | |
| | | |
| [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. | | [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. |
Line 19: |
Line 18: |
| This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers. | | This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers. |
| | | |
− | === Requirements === | + | ===Requirements=== |
| + | |
| *You have to install and enable the [[BridgeInterface|bridge-interface]] contrib | | *You have to install and enable the [[BridgeInterface|bridge-interface]] contrib |
| *You may want to install [[PHPki]] to manage easily your certificates. | | *You may want to install [[PHPki]] to manage easily your certificates. |
| | | |
| | | |
− | === Installation === | + | ===Installation=== |
| + | <br /> |
| + | ==For SME 10== |
| + | /!\ new default cipher = AES-256-GCM , if you have issues check the configuration options |
| + | yum --enablerepo=smecontribs install smeserver-openvpn-bridge |
| | | |
− | ==== For SME 8 ====
| + | == For SME 9 == |
− | yum --enablerepo=smecontribs install smeserver-openvpn-bridge
| |
− | ==== For SME 9 ====
| |
| you have to enable the '''[[epel]]''' repository | | you have to enable the '''[[epel]]''' repository |
| + | yum --enablerepo=smecontribs,epel install smeserver-openvpn-bridge |
| | | |
− | yum --enablerepo=smecontribs,epel install smeserver-openvpn-bridge | + | ==For SME 8== |
| + | yum --enablerepo=smecontribs install smeserver-openvpn-bridge |
| <headertabs /> | | <headertabs /> |
| | | |
| | | |
− | ==== Configure the certificates ==== | + | ====Configure the certificates==== |
| {{Note box|If you use [[PHPki]] to manage the certificates, you can go [[OpenVPN_Bridge#Using_PHPki_to_manage_the_certificates|here]] for more details. | | {{Note box|If you use [[PHPki]] to manage the certificates, you can go [[OpenVPN_Bridge#Using_PHPki_to_manage_the_certificates|here]] for more details. |
| If you are updating a previous installation, you can go [[OpenVPN_Bridge#Migrate_previous.2Fexisting_OpenVPN_Server_certificates|here]]}} | | If you are updating a previous installation, you can go [[OpenVPN_Bridge#Migrate_previous.2Fexisting_OpenVPN_Server_certificates|here]]}} |
Line 45: |
Line 49: |
| *An URL where OpenVPN can update the CRL. If you use PHPki on the same server, you can let the default value. | | *An URL where OpenVPN can update the CRL. If you use PHPki on the same server, you can let the default value. |
| {{Note box|If a valid CRL file (in PEM format) is not found at this URL, you'll get an email every hour in the admin mailbox}} | | {{Note box|If a valid CRL file (in PEM format) is not found at this URL, you'll get an email every hour in the admin mailbox}} |
| + | |
| *A master Certificate (used to verify clients certificates) | | *A master Certificate (used to verify clients certificates) |
| *The server certificate (used by clients to verify the server) | | *The server certificate (used by clients to verify the server) |
Line 62: |
Line 67: |
| With "Certificates are ready" in green. If it's not the case, you have a problem with the certificates configuration. | | With "Certificates are ready" in green. If it's not the case, you have a problem with the certificates configuration. |
| | | |
− | ==== Configure the service ==== | + | ====Configure the service==== |
| The second step is to configure the service. In the main page of the panel, click on the "Service configuration" button. Here you can enable the service, choose the authentication mode you want, and configure the IP address range for the clients. Once you submit this form, the service should start. You can check everything is ok with this command: | | The second step is to configure the service. In the main page of the panel, click on the "Service configuration" button. Here you can enable the service, choose the authentication mode you want, and configure the IP address range for the clients. Once you submit this form, the service should start. You can check everything is ok with this command: |
| | | |
Line 68: |
Line 73: |
| | | |
| | | |
− | ==== Control the service ==== | + | ====Control the service==== |
| Starting with version 2.0, OpenVPN daemon is now supervised. | | Starting with version 2.0, OpenVPN daemon is now supervised. |
| You can control (start/stop/restart) the service from the server-manager, and you're advised to do so. But if you want to manually start/stop/restart the service, here are the corresponding commands: | | You can control (start/stop/restart) the service from the server-manager, and you're advised to do so. But if you want to manually start/stop/restart the service, here are the corresponding commands: |
| | | |
| *start | | *start |
| + | |
| sv u /service/openvpn-bridge | | sv u /service/openvpn-bridge |
| + | |
| *stop | | *stop |
| + | |
| sv d /service/openvpn-bridge | | sv d /service/openvpn-bridge |
| + | |
| *restart | | *restart |
| + | |
| sv t /service/openvpn-bridge | | sv t /service/openvpn-bridge |
| | | |
| {{Warning box|The script '''/etc/init.d/openvpn''' provided with OpenVPN rpm should not be used with SME. Do not try to use this script to control the service, it will not work due to SME templating system!!}} | | {{Warning box|The script '''/etc/init.d/openvpn''' provided with OpenVPN rpm should not be used with SME. Do not try to use this script to control the service, it will not work due to SME templating system!!}} |
| | | |
− | === Using PHPki to manage the certificates === | + | ===Using PHPki to manage the certificates=== |
| | | |
| With this new release, you can manage the certificates the way you want, but most of you will use [[PHPki]] for this. | | With this new release, you can manage the certificates the way you want, but most of you will use [[PHPki]] for this. |
| | | |
− | ==== Initialize your [http://en.wikipedia.org/wiki/Public_key_infrastructure PKI] ==== | + | ====Initialize your [http://en.wikipedia.org/wiki/Public_key_infrastructure PKI]==== |
| This should already be done as you have installed the contrib following this [[PHPki#Installation|how-to]]. | | This should already be done as you have installed the contrib following this [[PHPki#Installation|how-to]]. |
| | | |
− | ==== Create a certificate for the server ==== | + | ====Create a certificate for the server==== |
| | | |
| Now you need to create a certificate for OpenVPN on the server. For this, go in [[PHPki]] interface, then "create a new certificate". Here, you'll have to enter some informations about the certificate: | | Now you need to create a certificate for OpenVPN on the server. For this, go in [[PHPki]] interface, then "create a new certificate". Here, you'll have to enter some informations about the certificate: |
Line 105: |
Line 115: |
| [[File:Phpki_confirm_crt.png|768px|thumb|center|Confirm the creation of the new certificate]] | | [[File:Phpki_confirm_crt.png|768px|thumb|center|Confirm the creation of the new certificate]] |
| | | |
− | ==== Configure OpenVPN with the newly created certificates ==== | + | ====Configure OpenVPN with the newly created certificates==== |
| | | |
| {{Note box|If you update an existing smeserver-openvpn-bridge installation, you can skip this part, and go directly [[OpenVPN_Bridge#Upgrade_from_smeserver-openvpn-bridge-fws-1.1-2|here]]}} | | {{Note box|If you update an existing smeserver-openvpn-bridge installation, you can skip this part, and go directly [[OpenVPN_Bridge#Upgrade_from_smeserver-openvpn-bridge-fws-1.1-2|here]]}} |
Line 125: |
Line 135: |
| [[File:Ovpn_bridge_config_crt.png|768px|thumb|center|Copy the certificates and keys in OpenVPN Bridge panel]] | | [[File:Ovpn_bridge_config_crt.png|768px|thumb|center|Copy the certificates and keys in OpenVPN Bridge panel]] |
| | | |
− | === Upgrade from smeserver-openvpn-bridge-fws-1.1-2 === | + | ===Upgrade from smeserver-openvpn-bridge-fws-1.1-2=== |
| | | |
| If you was using the previous version of the contrib, follow this part. It will migrate the certificate configuration from the previous installation. | | If you was using the previous version of the contrib, follow this part. It will migrate the certificate configuration from the previous installation. |
| | | |
− | ==== Install the [[PHPki]] contrib ==== | + | ====Install the [[PHPki]] contrib==== |
| | | |
| First, you'll have to install [[PHPki]]. Be sure to follow the [[PHPki#Migrate_Certificates_from_previous_OpenVPN-Bridge_contrib_installations|migration step]] | | First, you'll have to install [[PHPki]]. Be sure to follow the [[PHPki#Migrate_Certificates_from_previous_OpenVPN-Bridge_contrib_installations|migration step]] |
| | | |
− | ==== Install the latest OpenVPN contrib ==== | + | ====Install the latest OpenVPN contrib==== |
| yum --enablerepo=smecontribs install smeserver-openvpn-bridge | | yum --enablerepo=smecontribs install smeserver-openvpn-bridge |
| | | |
| You can configure the bridge-interface contrib now. You can follow this [[BridgeInterface|how-to]] | | You can configure the bridge-interface contrib now. You can follow this [[BridgeInterface|how-to]] |
| | | |
− | ==== Migrate previous/existing OpenVPN Server certificates ==== | + | ====Migrate previous/existing OpenVPN Server certificates==== |
| Now, you should install the old certificates in the new location | | Now, you should install the old certificates in the new location |
| For this, you can use this script: | | For this, you can use this script: |
Line 198: |
Line 208: |
| Save this script and run it as root. | | Save this script and run it as root. |
| | | |
− | === Configuration rules === | + | ===Configuration rules=== |
| | | |
| The configuration rules is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done. | | The configuration rules is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done. |
| | | |
− | === Client Configuration === | + | ===Client Configuration=== |
| | | |
| OpenVPN runs on most platforms. | | OpenVPN runs on most platforms. |
| In any case, the first step will always be the same: you have to create a new certificate for the client. | | In any case, the first step will always be the same: you have to create a new certificate for the client. |
| | | |
− | ==== Create the certificate with PHPki ==== | + | ====Create the certificate with PHPki==== |
| | | |
| If you use your own PKI tool, you should be able to do it yourself ;) | | If you use your own PKI tool, you should be able to do it yourself ;) |
| If you use [[PHPki]], here are the steps to follow | | If you use [[PHPki]], here are the steps to follow |
| | | |
− | * In [[PHPki]] administrative interface, click on the "Create a new certificate" link. | + | *In [[PHPki]] administrative interface, click on the "Create a new certificate" link. |
| + | |
| Here, you'll have to enter several informations. Most of them are up to you. Here's an example: | | Here, you'll have to enter several informations. Most of them are up to you. Here's an example: |
| [[File:Phpki_ovpn_bridge_create_client_crt.png|800px|thumb|center|Create a new certificate for the client]] | | [[File:Phpki_ovpn_bridge_create_client_crt.png|800px|thumb|center|Create a new certificate for the client]] |
Line 236: |
Line 247: |
| If you have configured and shared secret key on the server, you also need to download it. | | If you have configured and shared secret key on the server, you also need to download it. |
| | | |
− | ==== Windows ==== | + | ====Windows==== |
| For Windows systems, you should download the OpenVPN GUI stable release 2.4.4 from https://openvpn.net/index.php/download/community-downloads.html. OpenVPN includes the Windows GUI in the installer. | | For Windows systems, you should download the OpenVPN GUI stable release 2.4.4 from https://openvpn.net/index.php/download/community-downloads.html. OpenVPN includes the Windows GUI in the installer. |
| | | |
Line 246: |
Line 257: |
| Now your client should be able to connect with the OpenVPN GUI. | | Now your client should be able to connect with the OpenVPN GUI. |
| | | |
− | ==== Linux with Network Manager ==== | + | ====Linux with Network Manager==== |
| {{Incomplete}} | | {{Incomplete}} |
| | | |
− | ===== Ubuntu 12.10 64bit ===== | + | =====Ubuntu 12.10 64bit===== |
| (Not tested in 32bit but will most likely work) | | (Not tested in 32bit but will most likely work) |
| If possible follow the above windows tutorial first to test that you have configured openvpn correctly for server and client. | | If possible follow the above windows tutorial first to test that you have configured openvpn correctly for server and client. |
− | * '''Install openvpn for network manager''' | + | |
| + | *'''Install openvpn for network manager''' |
| + | |
| sudo apt-get install network-manager-openvpn | | sudo apt-get install network-manager-openvpn |
| Under Ubuntu 16.04 64bit, we also needed to install "network-manager-openvpn-gnome": | | Under Ubuntu 16.04 64bit, we also needed to install "network-manager-openvpn-gnome": |
| sudo apt-get install network-manager-openvpn-gnome | | sudo apt-get install network-manager-openvpn-gnome |
− | * Create folder called e.g. "openvpn" (can be anything) in your home directory (could be any directory).
| |
− | * Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the "openvpn" folder.
| |
− | * Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openvpn" folder. Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url.
| |
− | * In ubuntu go to '''Network Manager > VPN Connections > Configure VPN'''. Click '''import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager.
| |
− | * Add username and password of client, then you have to give the path of the '''user.p12''' key of your user and set the Private key password (the password set during the certificate creation in phpky).
| |
− | * After that you have to select the 'advanced' panel and go to 'TLS authentication'. Enable the use of TLS authentication, give the path or your '''takey.pem''' and select the key direction to 1. (if needed)
| |
− | * As a note, when connected successfully to the vpn, browsing the internet may not work in tandem, therefore go to '''ipv4 settings''' tab when editing the vpn connection. Click on "Routes" and check "Use this connection only for resources on its network". Also try adding 8.8.4.4 to "Additional DNS Servers" (This is google's dns servers).
| |
| | | |
− | ===== Fedora 16 / 17 64bit ===== | + | *Create folder called e.g. "openvpn" (can be anything) in your home directory (could be any directory). |
| + | *Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the "openvpn" folder. |
| + | *Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openvpn" folder. Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url. |
| + | *In ubuntu go to '''Network Manager > VPN Connections > Configure VPN'''. Click '''import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager. |
| + | *Add username and password of client, then you have to give the path of the '''user.p12''' key of your user and set the Private key password (the password set during the certificate creation in phpky). |
| + | *After that you have to select the 'advanced' panel and go to 'TLS authentication'. Enable the use of TLS authentication, give the path or your '''takey.pem''' and select the key direction to 1. (if needed) |
| + | *As a note, when connected successfully to the vpn, browsing the internet may not work in tandem, therefore go to '''ipv4 settings''' tab when editing the vpn connection. Click on "Routes" and check "Use this connection only for resources on its network". Also try adding 8.8.4.4 to "Additional DNS Servers" (This is google's dns servers). |
| + | |
| + | =====Fedora 16 / 17 64bit===== |
| (Not tested in 32bit but will most likely work) | | (Not tested in 32bit but will most likely work) |
| | | |
| Note: server set as user/pass + certificate | | Note: server set as user/pass + certificate |
| | | |
− | * '''Install openvpn for network manager''' | + | *'''Install openvpn for network manager''' |
| + | |
| yum install NetworkManager-openvpn | | yum install NetworkManager-openvpn |
| | | |
| | | |
| + | ======manual settings====== |
| | | |
− | ====== manual settings ======
| + | *Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it into one convenient folder. |
− | * Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it into one convenient folder. | + | *go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left |
− | * go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left | + | *in the new pop-up window select '''VPN''' then push Create |
− | * in the new pop-up window select '''VPN''' then push Create | + | *select '''OpenVPN''' and push Create |
− | * select '''OpenVPN''' and push Create | + | *select password with certificate (or any other method you set on server) |
− | * select password with certificate (or any other method you set on server) | + | *put credentials for user and private key password |
− | * put credentials for user and private key password | + | *set the gateway as your ''server.domain.tld '' |
− | * set the gateway as your ''server.domain.tld '' | + | *at advanced check ''Use LZO data compression'' |
− | * at advanced check ''Use LZO data compression'' | + | *at advanced check '' Use a TAP device'' |
− | * at advanced check '' Use a TAP device'' | + | *at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed) |
− | * at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed) | + | *click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up |
− | * click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up | + | *Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"'' |
− | * Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"'' | + | *save and test |
− | * save and test | |
| | | |
− | ====== import settings ====== | + | ======import settings====== |
| | | |
− | * Create folder called e.g. ".openVPN" (can be anything) in your home directory (could be any directory). | + | *Create folder called e.g. ".openVPN" (can be anything) in your home directory (could be any directory). |
− | * Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the ".openVPN" folder. | + | *Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the ".openVPN" folder. |
− | * Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openVPN" folder (the name of the file will be the visible name in network manager to select VPN connection). Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url. | + | *Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openVPN" folder (the name of the file will be the visible name in network manager to select VPN connection). Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url. |
− | * In fedora ALT+F2 enter ''nm-connection-editor'' and ENTER | + | *In fedora ALT+F2 enter ''nm-connection-editor'' and ENTER |
− | * go to '''Network Connections > VPN '''. Click '''Import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager. | + | *go to '''Network Connections > VPN '''. Click '''Import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager. |
− | * Add username and password of client. Private key password which could differ from the user pass (and will not change if user/admin will change user password in ''server-manager'' or ''server-user''. it is the password set during the certificate creation). Now give also the path of certificate '''user.p12''' | + | *Add username and password of client. Private key password which could differ from the user pass (and will not change if user/admin will change user password in ''server-manager'' or ''server-user''. it is the password set during the certificate creation). Now give also the path of certificate '''user.p12''' |
− | * at Advanced/TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed) | + | *at Advanced/TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed) |
− | * Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network'' (unless you use the "Redirect Gateway" functionality) | + | *Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network'' (unless you use the "Redirect Gateway" functionality) |
− | * save and test | + | *save and test |
| | | |
− | ===== Fedora 19 64bit ===== | + | =====Fedora 19 64bit===== |
| (Not tested in 32bit but will most likely work) | | (Not tested in 32bit but will most likely work) |
| | | |
Line 310: |
Line 325: |
| you'll need to | | you'll need to |
| | | |
− | * Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's cacert.pem user.pem user-key.pem and place them into one convenient place. | + | *Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's cacert.pem user.pem user-key.pem and place them into one convenient place. |
− | * go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left | + | *go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left |
− | * in the new pop-up window select '''VPN''' then push Create | + | *in the new pop-up window select '''VPN''' then push Create |
− | * select '''OpenVPN''' and push Create | + | *select '''OpenVPN''' and push Create |
− | * select password with certificate (or any other method you set on server) | + | *select password with certificate (or any other method you set on server) |
− | * put credentials for user and private key password | + | *put credentials for user and private key password |
− | * set the gateway as your ''server.domain.tld '' | + | *set the gateway as your ''server.domain.tld '' |
− | * at advanced check ''Use LZO data compression'' | + | *at advanced check ''Use LZO data compression'' |
− | * at advanced check '' Use a TAP device'' | + | *at advanced check '' Use a TAP device'' |
− | * click on the small folder near the first certificate and go to the user.pem certificate downloaded into convenient folder | + | *click on the small folder near the first certificate and go to the user.pem certificate downloaded into convenient folder |
− | * click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder | + | *click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder |
− | * click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder | + | *click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder |
− | ** Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"'' | + | **Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"'' |
− | * save and test | + | *save and test |
| | | |
− | ==== Linux ==== | + | ====Linux==== |
| {{Incomplete}} | | {{Incomplete}} |
− | ==== Mac OS X ==== | + | ====Mac OS X==== |
| {{Incomplete}} | | {{Incomplete}} |
| OpenVPN works great with [http://code.google.com/p/tunnelblick/ Tunnelblick]. | | OpenVPN works great with [http://code.google.com/p/tunnelblick/ Tunnelblick]. |
Line 362: |
Line 377: |
| https://wiki.contribs.org/OpenVPN_Routed | | https://wiki.contribs.org/OpenVPN_Routed |
| | | |
− | === Advanced configuration === | + | ===Advanced configuration=== |
| | | |
| Some advanced options are not presented in the panel. The goal was to keep the panel as simple as possible as most installations won't need to change advanced settings. But advanced options are still available with some DB keys: | | Some advanced options are not presented in the panel. The goal was to keep the panel as simple as possible as most installations won't need to change advanced settings. But advanced options are still available with some DB keys: |
Line 374: |
Line 389: |
| *'''access''': (private|public) you should let this to public as running a VPN server just for the local network make no sens | | *'''access''': (private|public) you should let this to public as running a VPN server just for the local network make no sens |
| | | |
− | *'''cipher''': (valid cipher name) You can force the cipher to use. If you put auto, or delete this key, client and server will negotiate the stronger cipher both side support. To have the list of the supported cipher, issue the command | + | *'''cipher''': (valid cipher name) You can force the cipher to use. Starting SME 10, default is AES-256-GCM . If you put auto ( or delete this key, for SME9 and before ) the default will be the current of openvpn wich is as per 2.4 :BF-CBC. Also when both client and server are at least version 2.4, they will negotiate the stronger cipher both side support. SME10 enforce the following authorized ciphers: --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC . To have the list of the supported cipher, issue the command |
| + | |
| openvpn --show-ciphers | | openvpn --show-ciphers |
| | | |
Line 398: |
Line 414: |
| signal-event openvpn-bridge-update | | signal-event openvpn-bridge-update |
| | | |
− | === Uninstall === | + | ===Uninstall=== |
| To remove the contrib, just run: | | To remove the contrib, just run: |
| yum remove smeserver-openvpn-bridge | | yum remove smeserver-openvpn-bridge |
Line 405: |
Line 421: |
| yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet | | yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet |
| | | |
− | === Notes === | + | ===Notes=== |
− | ==== OpenVPN and SME installed in virtual machine - VMWare promiscuous mode ==== | + | ====OpenVPN and SME installed in virtual machine - VMWare promiscuous mode==== |
| By default for all version of ESX(i) starting from 3.5 to 7.0 (current in february 2020) VMWare rejects packets in promiscuous mode on the vSwitch, which will cause trouble with OpenVPN in bridge mode. The main symptom is that after successful authentication from your remote client you can ping/reach only the OpenVPN server while any other ip address on the LAN can't be pinged/reached. To correct this in VMWare set: | | By default for all version of ESX(i) starting from 3.5 to 7.0 (current in february 2020) VMWare rejects packets in promiscuous mode on the vSwitch, which will cause trouble with OpenVPN in bridge mode. The main symptom is that after successful authentication from your remote client you can ping/reach only the OpenVPN server while any other ip address on the LAN can't be pinged/reached. To correct this in VMWare set: |
| Configuration > Networking > your vSwitch: Properties > Ports-tab > vSwitch > Edit > Security-tab > Promiscuous mode: accept | | Configuration > Networking > your vSwitch: Properties > Ports-tab > vSwitch > Edit > Security-tab > Promiscuous mode: accept |
Line 417: |
Line 433: |
| [[File:Promiscuous mode - Webui.jpg|border|frameless|784x784px]] | | [[File:Promiscuous mode - Webui.jpg|border|frameless|784x784px]] |
| | | |
− | ==== OpenVPN and SME installed in virtual machine - Virtualbox promiscuous mode ==== | + | ====OpenVPN and SME installed in virtual machine - Virtualbox promiscuous mode==== |
| | | |
| There is the same thing in virtualbox, you need to give the argument "allow all" in the network tab configuration. | | There is the same thing in virtualbox, you need to give the argument "allow all" in the network tab configuration. |
Line 433: |
Line 449: |
| [[Image:virtualbox-Sme8-Settings.png]]<br /> | | [[Image:virtualbox-Sme8-Settings.png]]<br /> |
| | | |
− | ==== OpenVPN and SME installed in virtual machine - Other hypervisors ==== | + | ====OpenVPN and SME installed in virtual machine - Other hypervisors==== |
| It's documented that you can experience such problems in other hypervisors like OVirt, Proxmox, XEN or others. Keep in mind to search for equivalent settings concerning "promiscuous mode" of vSwitch. | | It's documented that you can experience such problems in other hypervisors like OVirt, Proxmox, XEN or others. Keep in mind to search for equivalent settings concerning "promiscuous mode" of vSwitch. |
| | | |
− | ==== Transparent proxy settings ==== | + | ====Transparent proxy settings==== |
| {{Note box|Keep in mind you need to disabled your transparent proxy else your host can no longer browse the http protocol.}} | | {{Note box|Keep in mind you need to disabled your transparent proxy else your host can no longer browse the http protocol.}} |
| | | |
Line 444: |
Line 460: |
| [[Image:proxy-setting.png|width|800px]]<br /> | | [[Image:proxy-setting.png|width|800px]]<br /> |
| | | |
− | === Workarounds and known issues === | + | ===Workarounds and known issues=== |
| if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm. | | if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm. |
| | | |
Line 452: |
Line 468: |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | === Bugs === | + | ===Bugs=== |
| Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] |
| and select the smeserver-openvpn-bridge component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-openvpn-bridge|title=this link}} | | and select the smeserver-openvpn-bridge component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-openvpn-bridge|title=this link}} |
− |
| |
| | | |
| | | |
Line 462: |
Line 477: |
| Only versions released in smecontrib are listed here. | | Only versions released in smecontrib are listed here. |
| | | |
− | {{ #smechangelog: smeserver-openvpn-bridge}} | + | {{#smechangelog: smeserver-openvpn-bridge}} |
| | | |
| ==Other articles in this category== | | ==Other articles in this category== |