3,250
edits
Changes
Jump to navigation
Jump to search
Line 4:
Line 4: − + + + + + Line 21:
Line 25: + + + + + − ==== install the rpms ====+ + + + Line 29:
Line 41: − ==== Configure ====+ + + + − + + + + + + Line 41:
Line 61: − + − cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 56:
Line 121: − Line 175:
Line 239: + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Default key properties
===Maintainer===
===Maintainer===
[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]
[mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services]
===Version===
{{#smeversion: smeserver-openvpn-routed }}
=== Description ===
=== Description ===
=== Installation ===
=== Installation ===
<tabs container><tab name="For SME 10">
/!\ new default cipher = AES-128-GCM and HMAC SHA256, if you have issues check the configuration options
yum install smeserver-openvpn-routed --enablerepo=smecontribs
if you have smeserver-openvpn-bridge installed and configured then all will work automaticly.
It will change its port to a different one, and it will copy certificates from the bridge openvpn
to know the new port
config getprop openvpn-routed UDPPort
</tab>
<tab name="For SME 9">
install fws repo, see : [[Fws]]
install fws repo, see : [[Fws]]
yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs
yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs
you will then have to configure by hand
If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand.
</tab>
</tabs>
=== Configure ===
This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand. Except on SME10 if you already have smeserver-openvpn-bridge installed and configured.
here's the file the contrib expects to see before being started:
here's the file the contrib expects to see before being started:
* /etc/openvpn/routed/priv/takey.pem (an optional shared key)
* /etc/openvpn/routed/priv/takey.pem (an optional shared key)
If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:
and an available port to bind to.
==== Using PHPki ====
If you are using the PHPki contrib to manage your certificates you need to do the following :
Create a new certificate for your OpenVPN server - make sure it is a VPN server only certificate.
{{Note box|Make sure you don't protect the private key with a password}}
From PHPki get the following certificates :
From the main page of PHPki :
dh pub/dh.pem - Download the Diffie-Hellman parameters
ca pub/cacert.pem - Download the Root Certificate
If you need to, get a copy of the revocation list
crl-verify pub/cacrl.pem - Download the Certificate Revocation List
The Revocation certificate can be obtained automatically with a cronjob
db configuration setprop openvpn-routed CrlUrl 'https://your-phpki-box.domain.net/phpki/index.php?stage=dl_crl_pem'
From the Manage Certificates page of PHPki :
cert pub/cert.pem - use the PEM Certificate
key priv/key.pem - use the PEM Key
Copy them to the relevant directories as above
Make sure that the certs are set 0600
If you want your VPN clients to use the SME as default gateway for all traffic once connected :
db configuration setprop openvpn-routed RedirectGateway enabled
signal-event openvpn-routed-update
You can now add your Client certificates to your device.
Make sure you have a user on the server.
Make sure in your device that you choose Certificate + Password as an option.
Enter in your user name and password in addition to the certificates
==== Configure as running in parallel of bridge contrib ====
==== Configure as running in parallel of bridge contrib ====
Not needed for SME10, the contrib does it for you.
#install
#install
# signale event to regenerate all you need
# signale event to regenerate all you need
signal-event openvpn-routed-update
signal-event openvpn-routed-update
===Client configuration - iOS===
===Client configuration - iOS===
| || || || Verbose || 3 || [n] ||
| || || || Verbose || 3 || [n] ||
|-
| || || || Cipher || None || Various. AES-128-CBC || Default BF-CBC deprecated
|-
| || || || HMAC || None || Various. SHA256 || Default SHA1 deprecated
|-
| || || || CrlUrl ||None || http://url/phpki/index.php?stage=dl_crl_pem ||
|}
|}
you can also set the property PushRoute to disabled to any network in networks db to avoid the contrib to push the network to the client
===Workarounds and known issues===
if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm.
workaround :<syntaxhighlight lang="bash">
echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings
service openvpn-routed restart
</syntaxhighlight>
===Bugs===
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the smeserver-openvpn-routed component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-openvpn-routed|title=this link}}
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-openvpn-routed|noresultsmessage="No open bugs found."}}
===Changelog===
Only versions released in smecontrib are listed here.
{{#smechangelog: smeserver-openvpn-routed}}
==Other articles in this category==
==Other articles in this category==