Line 13: |
Line 13: |
| === Description === | | === Description === |
| | | |
− | smeserver-openvpn-s2s lets you inter-connect several SME servers, and their local networks with secure VPN. It uses OpenVPN as backend. | + | smeserver-openvpn-s2s lets you inter-connect several SME servers, and their local networks with secure VPN. It uses OpenVPN as backend, using either the simple shared secret method, or the stronger, but more complex TLS mechanism. |
− | | |
− | === Requirements ===
| |
− | *SME Server 7.X / 8.X
| |
| | | |
| === Installation === | | === Installation === |
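Review bot: "the stronger, but more complex TLS mechanism" in the new Description gives the reader no reason to accept the extra complexity; say what TLS mode actually buys over a static shared secret: the two endpoints authenticate each other by certificate, and session keys are negotiated per connection and renegotiated periodically, so a copy of a single static key file does not decrypt all past and future tunnel traffic the way it does in shared-secret mode. One sentence to that effect lets an administrator choose deliberately rather than by default. The "=== Requirements ===" section with "*SME Server 7.X / 8.X" is also deleted in this hunk; make sure a supported-versions statement survives elsewhere on the page, otherwise the Description no longer tells the reader which SME releases the contrib targets.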
Line 23: |
Line 20: |
| | | |
| yum --enablerepo=smecontribs install smeserver-openvpn-s2s | | yum --enablerepo=smecontribs install smeserver-openvpn-s2s |
| + | |
| + | This contrib has been tested on SME 7.5.1 and SME 8b6 |
| | | |
| | | |
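Review bot: "This contrib has been tested on SME 7.5.1 and SME 8b6" is weaker than the Requirements text it replaces ("SME Server 7.X / 8.X"): tested-on is not supported-on, and 8b6 is a beta. Keep an explicit requirement line, for example "Requires SME Server 7.x or 8.x (tested on 7.5.1 and 8b6)", and put it before the yum command rather than after it so a reader checks compatibility before installing from smecontribs.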
Line 75: |
Line 74: |
| {{Note box|You don't really need to remember the virtual IP, as once the connection is established, you'll use the internal IP to access the remote server through the VPN. You just need to choose two IP address which won't clash with any other local networks, then, just forget about it}} | | {{Note box|You don't really need to remember the virtual IP, as once the connection is established, you'll use the internal IP to access the remote server through the VPN. You just need to choose two IP address which won't clash with any other local networks, then, just forget about it}} |
| * '''Remote Networks''': Enter in this field the networks reachable through the other end point. For example, on SME1, you'll enter the local networks of SME2: 192.168.11.0/255.255.255.0, on SME2, you'll enter the local network of SME1: 192.168.9.0/255.255.255.0 | | * '''Remote Networks''': Enter in this field the networks reachable through the other end point. For example, on SME1, you'll enter the local networks of SME2: 192.168.11.0/255.255.255.0, on SME2, you'll enter the local network of SME1: 192.168.9.0/255.255.255.0 |
− |
| |
− | === Features ===
| |
| | | |
| | | |
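Review bot: typo in the note box, "two IP address" should read "two IP addresses", and "won't clash with any other local networks" should spell out what has to be avoided: the virtual pair must not overlap the local network of either SME nor any prefix entered under Remote Networks, or the route through the tunnel is shadowed by the local route. The Remote Networks example uses dotted-mask form (192.168.11.0/255.255.255.0); state whether the panel also accepts CIDR prefix form (192.168.11.0/24), since administrators will try it. The "=== Features ===" heading is removed here and whatever sat under it is not visible in this hunk; confirm the section was empty or that its content was relocated rather than dropped.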
Line 82: |
Line 79: |
| | | |
| Some advanced settings are not available on the panel, but only with db commands: | | Some advanced settings are not available on the panel, but only with db commands: |
| + | * '''LogLevel''': if you want to increase the verbosity of a daemon (either client or server), you set the LogLevel property. Valid LogLevel value are numbers between 0 (no output except fatal errors) to 11 (really verbose) |
| + | * '''Protocol''': can be tcp or udp. The default is to use udp. You shouldn't change this setting unless you have good reason to do so. This setting should match the other endpoint. |
| + | * '''Cipher''': The cipher used. The default is to use the BlowFish algorithm. This setting should match on both the server and the client. You can get a list of available ciphers using this command: |
| + | openvpn --show-ciphers | egrep '^[A-Z]{2}' | awk {'print $1'} |
| + | * '''Compression''': can be enabled or disabled. Toggle the internal compression used by OpenVPN. The default is enabled. This setting should match on both the server and the client |
| + | |
| + | If you use TLS as authentication mechanism, you can set some other properties: |
| + | * '''RemoteCommonName''': The connection will be accepted only if the remote endpoint has a valid certificate, with this common name |
| + | * '''CheckCertificateUsage''': can be enabled or disabled (default is disabled). If enabled, a server daemon will only accept the connection if the remote endpoint present a client certificate, and a client daemon will only accept the connection if the remote endpoint present a server certificate. |
| + | |
| + | example: |
| + | db openvpn-s2s setprop sme1 LogLevel 5 Cipher AES-256-CBC Compression disabled |
| + | signal-event openvpn-s2s-update |
| | | |
− | === More customization ===
| + | Templates for all the daemon (client and server) are in /etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/ |
| + | You can create custom templates in /etc/e-smith/templates-custom/etc/openvpn/s2s/openvpn-s2s.conf/, the change will affect all the daemons. |
| + | If you want to add special options only for one particular daemon, you can create a special file. For example, you want to add special OpenVPN options for a daemon called myvpn (daemon ID), and these options are not available with DB properties. Just create a file /etc/openvpn/s2s/myvpn.conf.custom, and add your options here. It'll be automatically loaded on templates expansion. |
| + | example: |
| + | echo "no-replay" > /etc/openvpn/s2s/myvpn.conf.custom |
| + | echo "reneg-sec 900" >> /etc/openvpn/s2s/myvpn.conf.custom |
| + | signal-event openvpn-s2s-update |
| | | |
| === Backup and Restore === | | === Backup and Restore === |
− | You should backup the directories /etc/openvpn/s2s/priv and /etc/openvpn/s2s/pub keys and certificates used by this contrib are stored there. | + | You should backup the directories /etc/openvpn/s2s/priv and /etc/openvpn/s2s/pub keys and certificates used by this contrib are stored there. |
| | | |
| === Uninstall === | | === Uninstall === |
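Review bot: the custom-options example writes "no-replay" into /etc/openvpn/s2s/myvpn.conf.custom, which disables OpenVPN's replay protection (the --no-replay option) and should not be the sample an administrator copies from the documentation; demonstrate the .conf.custom mechanism with a harmless option instead, e.g. keep only "reneg-sec 900" or use "mssfix 1400". Second, CheckCertificateUsage defaulting to disabled means that, in TLS mode, any certificate issued by the same CA, including a client certificate belonging to another site, is accepted as the server end; the text should recommend enabling it on both ends of every TLS deployment. Third, the default Cipher "BlowFish" (BF-CBC, a 64-bit block cipher) is a poor default for a permanent site-to-site link moving large volumes of traffic; since the example already sets AES-256-CBC, state that as the recommended value, and say "must match" rather than "should match" for Protocol, Cipher and Compression, because a mismatch simply breaks the tunnel. Minor: "awk {'print $1'}" works only because the shell concatenates the quoted fragment; the idiomatic form is "awk '{print $1}'". In Backup and Restore the sentence runs two statements together; split it as "You should backup the directories /etc/openvpn/s2s/priv and /etc/openvpn/s2s/pub: the keys and certificates used by this contrib are stored there." and add that priv holds private keys and shared secrets, so the backup copy needs the same restrictive permissions (or encryption) as the live directory.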