Thank you all. I shall maybe try IPSec, in that case. Final question until I break something again: presumably there are no problems with an Astlinux box as an IPSec server (static VPNs) and OpenVPN server (road warriors) at once?
Thanks again, all Tom -----Original Message----- From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com] Sent: 30 March 2012 20:23 To: AstLinux Users Mailing List Subject: Re: [Astlinux-users] OpenVPN config Hi James and Tom, First, I can't say I ever disagreed with James, but I guess there is always a first time. :-) I'd use UDP as the transport Protocol, not TCP. TCP over TCP can lead to jitter problems. So unless there is some upstream restrictions, I'd suggest using Protocol: UDP No need to define... -- persist-key persist-tun -- since they are set by default. I'm not sure about setting link-mtu 1560, I'd leave that out. Tom, if your goal is to connect box A, B, C ... local subnets with each other's subnets, and each box has a static IP address, I'd suggest using "IPsec Peers" VPN type using a strong Preshared Key. Use the web interface, use your *existing* local subnets and define the associations via the public IP address of the boxes. Each tunnel/association on one box is the mirror of the tunnel/association on the other box. If you have 4 boxes, you would define 3 tunnel/associations on each box. The routes will be automatically created. Use the default options as a start, keep them all the same for all the boxes. Of course try to just get two talking at first. Use a Local-Host of either 0.0.0.0 or it's external IP address. My 2 cents. Lonnie On Mar 30, 2012, at 11:13 AM, James Babiak wrote: > Well, since the server is bricked, it sounds like you won't be able to do anything until Monday. > > But once you get access back to it, if you want to proceed through the GUI, you can try using the settings I pasted earlier- under OpenVPN Server configuration. > > In summary: > (Tunnel Options) > Protocol: TCP (This is preferable to UDP) > Port: 1194 (The default, but could be changed if you want to - just > make sure it's the same on clients too) > Compression: Yes (Optional, but suggested) > Cipher: AES-128-CBC (You can set this to whatever you want, but make sure it's all consistent. The higher the encryption, the more taxing it will be). > Device: tun0 (What the interface will be created for this tunnel on > the server) Raw Commands: ifconfig-pool-linear > > (Server Mode) > Network: ***This is the network you want to be running over the > TUNNEL. Make sure you chose something not being used by any other > network interface. This might have been what caused the bricking > earlier, if you set it the same as the WAN interface. It should be in > the format of X.X.X.X Y.Y.Y.Y, with X as the network address and Y as > the subnet mask (ie: 172.21.0.0 255.255.255.0)*** > Push: This is where you will put in any options you want pushed to the remote clients. If you want to route two networks behind the server, specify them here. for example: > > route 172.20.0.0 255.255.255.0 > route 172.30.0.0 255.255.255.0 > dhcp-option domain abc.com > dhcp-option DNS 172.20.0.1 > > The above should be self explanatory, but you are basically pushing the routes to those networks down, as well as the dhcp options. Customize as necessary. > > The route commands above will handle routing traffic FROM clients TO networks behind the server. If you need to support routing traffic FROM networks behind the server TO networks behind the client, you will need to add the following lines as well: > > client-to-client > client-config-dir /mnt/kd/openvpn/ccd > > You will then need to make the client-config-dir directory, and add per-client files (using the client name specified below) in that directory, with the networks that those clients have. Such as this: > > ccd # cat client1 > iroute 192.168.10.0 255.255.255.0 > > Again, that part is only necessary if you need that functionality. > > Save all of that, and then make sure to generate a server certificate and key. > > Once that is done, you can generate client certs/keys, and setup the client side configuration. You can use those certs/keys on a computer to test out openvpn connectivity first, just to make sure the settings are all correct. This way, if you run into problems on the client side, you know the problem is with the client side. > > The client side settings should mimic the server settings. The "Device" option can be whatever you want to use on the client though, it doesn't need to match. My raw commands are: > > link-mtu 1560 > persist-key > persist-tun > > Remote server is the hostname/IP of the VPN server. Remote network should be the network you chose on the Server side above. > > You will need to upload (through the GUI) the client CA/Cert/Key you created for each client under the server side client generator. These need to be unique for each client. > > On the Server Network Configuration GUI page, you will need to go to the Firewall Configuration and enable OpenVPN access to whatever LAN interfaces you need to allow them to access. > > Good luck, and let us know if you run into any problems. > > -James > > On Fri, Mar 30, 2012 at 11:37 AM, Tom Chadwin <nnpait.servi...@googlemail.com> wrote: > > Are you trying to just create an encrypted tunnel between the two > > Astlinux > boxes for inter-server communication, or are you trying to route > traffic across it as well? Are there certain networks you do/don't > want to route traffic across? > > Connect two (well, four) subnets. We have a head office and three > satellite offices, so this solution would allow clients at the remote > sites to access central services and allow the central site to back up to the remote sites. > > > I have set this up in the past, and it is fairly simple and > straightforward. It's actually easier in some ways to do it manually (ie: > not through the GUI). It's been a while since I did it though, so I > don't remember the precise "step-by-step" instructions. > > This is what I need - step-by-step. > > > I thought there was a How-To guide on the docs.astlinux.com site, > > but I > couldn't find it when I just briefly looked. > > Ditto. I've found an old thread on this list, but it is far from an > idiot's guide. Given my performance so far, an idiot's guide is plainly what I need. > > > How did you brick the server? That shouldn't have happened. > > I wish I knew. At the server end, I created cert/key and saved some > initial (largely default) settings. Hit save, and the box disappeared. > I will have to hook up a serial cable on Monday when I am back in the office. > > Tom > > > On Fri, Mar 30, 2012 at 10:18 AM, Tom Chadwin > <nnpait.servi...@googlemail.com> wrote: > Hello all > > Would it be too much to ask for someone to give the full steps, from > start to finish, to set up a VPN between two Astlinux boxes? I'd > prefer OpenVPN. I need to know what to do (with no shorthand) on both server and client ends. > While I have some knowledge of VPN (IPSEC, L2TP, and OpenVPN), it's > very amateur, and gleaned from GUI front ends to systems. > > I've had a go at starting to config the server end with no prior > knowledge, and have bricked a remote box in the process. Hence this request. > > Thanks > > Tom > > > ---------------------------------------------------------------------- > ------ > -- > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > > > ---------------------------------------------------------------------- > -------- > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. > > ---------------------------------------------------------------------- > -------- > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure_____________________________________ > __________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. ---------------------------------------------------------------------------- -- This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. ------------------------------------------------------------------------------ Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary one-second resolution app monitoring today. Free. http://p.sf.net/sfu/Boundary-dev2dev _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
