Topic: VPN howto

balloooza

VPN howto
« on: February 22, 2009, 10:35:47 pm »
I recently made a VPN server, and I figured out how to do it, after posting because I was clueless.

I wanted to tell you how to set up VPN on an ebox.

In my situation I had a home network, which is a house (not an enterprise) I was using for my own pleasure, and a proof of concept for the ebox as an install to accompany (or replace) a Windows server at my church, which I do audio for.

I will apply the setup to my house. Here is a diagram of how I am using it NOW:

INTERNET <<eth1>>[ebox 12.3]<<eth0>>-,---- [Windows machine with RDP]
                          (192.168.2.205)              |            (192.168.2.96)
                                                                    |------[iMac with many files i forget to email myself :) ]
                                                                    |                  (192.168.2.98)
                                                          (and more...)
System info:
Compaq 800 MHz 256 MB memory
15 GB hard-drive
ebox 12.3 (latest at post)
ip 192.168.2.205
functioning as gateway, DHCP, dns, etc.

I will put the screenshots on dropbox (a file cloud site)
http://www.getdropbox.com/gallery/644494/1/Ebox%20VPN?h=329957

first, stuff I expect you to have...
-Two interfaces, or NICs. You can use the one on the system and one on PCI; I assume you have this set up (I just bought one at OfficeMax for 15 bucks)
-A complete gateway setup, including that the DNS is running, and the default on DHCP (i.e. your default gateway is the IP of the ebox)
-An understanding of how to make sure everything is working, or a computer to try it with (when we are done)

VPN is amazing, I have only known how to use it for an hour, and it is awesome.
1. Make a certificate authority (image 2). I call it borvpn; if you already have a certificate authority, skip to the next step. Give it 360 (or more) days till expiration.
2. Make two certificates. I have made everything expire on the same day (I hope I remember why it stops working then); I named one netbook, and one borgetti.
3. Go to VPN >> Server and make one that is not enabled; we will do that later. I named mine borgetti (see image 3).
4. Configure it by clicking the icon in its configure column; refer to (image 4) for more info.
in order the settings
tcp 1723
address = 192.168.0.0
server certificate = one of the two
disabled
NAT = false
client to client = false (I don't know what this is)
tunnel = false
password = (don't put anything)
interfaces = all interfaces
hit "change"
Go to advertised services and add whatever the first three bytes of your ebox's IP address are. THIS MATTERS....
(1) if your ebox is 192.168.1.1 it is 192.168.1
(2) if your ebox is 192.168.2.205 it is 192.168.2
(3) if it is 192.168.200.4 it is 192.168.200
then put a zero in the last place, so:
if your ebox IP address is 192.168.2.205 YOU PUT INTO THE ADVERTISED NETWORK: 192.168.2.0 (/24)
if your ebox IP address is 192.168.1 YOU PUT INTO THE ADVERTISED NETWORK: 192.168.1.0 (/24)
This is the "lan", the local (your server's) network (class C, that is).
Add that advertised network using /24, and continue (image 1).
then get the client bundle and use the image as a guide, or these values from top to bottom:
-Select your OS
-Use the certificate YOU DID NOT use before (when making the VPN server)
-Enter the address of your local network, such as mylocaldomain.no-ip.org (you can get a dynamic IP address hostname from no-ip for free)
-Then click change.
And when you download the config files, unzip (or tar) them.
-Put them all in the config directory of OpenVPN on Windows,
 or type
openvpn --config (and give the filename)
for Linux

and you are done

I have had times when I needed to run openvpn as sudo on linux

-Repeat the adding of a client bundle for each client.

YAY, done, comment if you have any questions, changes, additions, or well comments.

Hope this helps you
EDIT: fixed it a little, added the image link
« Last Edit: March 29, 2009, 07:07:51 pm by balloooza »
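An added check, not part of the original post: the "first three bytes plus a zero" rule above as a function (generalised to other prefix lengths), plus an overlap test between the advertised LAN, the VPN address pool (the post's 192.168.0.0, assumed /24 here) and the networks remote clients sit on, which are constructed values.

```python
# Added example (not from the original post): derive the eBox "advertised
# network" from the server's LAN address and sanity-check the VPN address
# pool against it before enabling the server.
import ipaddress


def advertised_network(ebox_ip: str, prefix: int = 24) -> str:
    """Return the LAN network to advertise for an eBox with this LAN address.

    For /24 this is the post's rule (first three bytes, then a zero); the
    prefix parameter generalises it to other subnet sizes.
    """
    iface = ipaddress.ip_interface(f"{ebox_ip}/{prefix}")
    return str(iface.network)


def check_vpn_plan(ebox_ip: str, vpn_pool: str, client_lans=(),
                   lan_prefix: int = 24) -> list:
    """Return a list of problems with a planned layout (empty means OK).

    vpn_pool    - the 'address' pool the server hands to clients, as CIDR
                  (the post uses 192.168.0.0; /24 is an assumption).
    client_lans - CIDRs of the networks remote clients sit on (constructed).
    """
    problems = []
    lan = ipaddress.ip_network(advertised_network(ebox_ip, lan_prefix))
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    if pool.overlaps(lan):
        problems.append(f"VPN pool {pool} overlaps the advertised LAN {lan}; "
                        "clients cannot separate tunnel and LAN traffic")
    if not pool.is_private:
        problems.append(f"VPN pool {pool} is not an RFC 1918 range")
    for c in client_lans:
        cnet = ipaddress.ip_network(c, strict=False)
        if cnet.overlaps(lan):
            # the route pushed for the advertised LAN would shadow the
            # client's own LAN, so it loses local connectivity or the VPN
            problems.append(f"client network {cnet} overlaps the LAN {lan}")
        if cnet.overlaps(pool):
            problems.append(f"client network {cnet} overlaps the pool {pool}")
    return problems


if __name__ == "__main__":
    print(advertised_network("192.168.2.205"))
    print(check_vpn_plan("192.168.2.205", "192.168.0.0/24", ["192.168.1.0/24"]))
    # the common failure: a remote client whose home LAN is also 192.168.2.0/24
    print(check_vpn_plan("192.168.2.205", "192.168.0.0/24", ["192.168.2.0/24"]))
```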

JAK

Re: VPN howto
« Reply #1 on: February 23, 2009, 10:57:46 am »
Hello

I would like to add that if the client computer has Windows Vista instead of Windows XP then a minor change has to be made:

1.) add two lines to the client side configuration file (with the extension .ovpn):
route-method exe
route-delay 2
2.) make sure OpenVPN GUI is started with administrator privileges.

More can be read from the next post:
http://www.ctunion.com/node/226

Best regards
Jüri Kirch
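An added helper, not from this reply or from the OpenVPN project: it inserts the two directives above into a client .ovpn profile idempotently, dropping any existing copy so the required values win, and leaves comments and other lines untouched. The sample profile is constructed.

```python
# Added example (not from the original reply): make sure a client profile
# carries the two Vista directives exactly once, without touching anything else.
VISTA_DIRECTIVES = {"route-method": "exe", "route-delay": "2"}


def add_vista_directives(ovpn_text: str) -> str:
    """Return the profile with route-method/route-delay set as required."""
    kept = []
    for line in ovpn_text.splitlines():
        stripped = line.strip()
        is_directive = stripped and not stripped.startswith(("#", ";"))
        key = stripped.split()[0] if is_directive else None
        if key in VISTA_DIRECTIVES:
            continue  # drop any existing copy; re-added below with the required value
        kept.append(line)
    kept += [f"{k} {v}" for k, v in VISTA_DIRECTIVES.items()]
    return "\n".join(kept) + "\n"


def patch_profile(path: str) -> None:
    """Rewrite an .ovpn file in place (hypothetical helper for real use)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(add_vista_directives(text))


# Constructed sample profile; not an eBox-generated bundle.
SAMPLE_OVPN = """\
# constructed sample profile
client
dev tun
proto tcp
remote mylocaldomain.no-ip.org 1723
ca ca.pem
cert netbook.pem
key netbook.pem
route-delay 5
"""

if __name__ == "__main__":
    print(add_vista_directives(SAMPLE_OVPN))
```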

balloooza

Re: VPN howto
« Reply #2 on: July 07, 2009, 05:34:30 am »
LOL, months later, and I forgot how to do it, good thing I wrote this!

ram

Re: VPN howto
« Reply #3 on: August 05, 2009, 04:07:02 pm »
Hehehe  ;D Happened to me as well on a few occasions! That's why documentation is always good!
-----------------
Best Regards,
Ram ;)

kid_english

Re: VPN howto
« Reply #4 on: September 17, 2009, 01:17:48 pm »
Followed your instructions exactly up until I go to Configure bundle. When I hit change I get....

Code:
An internal error has ocurred. This is most probably a bug, relevant information can be found in the logs.
But nothing is in the logs, most odd.

J. A. Calvo

Re: VPN howto
« Reply #5 on: September 17, 2009, 01:28:55 pm »
Try to edit /etc/ebox/99ebox.conf and change "debug = no" to "debug = yes", then execute "/etc/init.d/ebox apache restart" and try to reproduce the error again to see if you get more information ;)

Regards,

J. A. Calvo
Zentyal Server Lead Developer

kid_english

Re: VPN howto
« Reply #6 on: September 17, 2009, 01:57:05 pm »
Ok, that gives this.... Thanks in advance for any help you can give me

Code:
$VAR1 = bless( {
                 '-stacktrace' => 'No CA certificate at /usr/share/perl5/EBox/OpenVPN/Server.pm line 152
EBox::OpenVPN::Server::caCertificatePath(\'EBox::OpenVPN::Server=HASH(0xbbf023e0)\') called at /usr/share/perl5/EBox/OpenVPN/Server/ClientBundleGenerator.pm line 169
EBox::OpenVPN::Server::ClientBundleGenerator::_clientCertificatesPaths(\'EBox::OpenVPN::Server::ClientBundleGenerator::Windows\', \'EBox::OpenVPN::Server=HASH(0xbbf023e0)\', \'edge-vpn2\') called at /usr/share/perl5/EBox/OpenVPN/Server/ClientBundleGenerator.pm line 225
EBox::OpenVPN::Server::ClientBundleGenerator::_createBundleContents(\'EBox::OpenVPN::Server::ClientBundleGenerator::Windows\', \'EBox::OpenVPN::Server=HASH(0xbbf023e0)\', \'/var/lib/ebox/tmp/edge-client.tmp\', \'installer\', \'on\', \'addresses\', \'ARRAY(0xbbb1b410)\', \'clientCertificate\', \'edge-vpn2\', ...) called at /usr/share/perl5/EBox/OpenVPN/Server/ClientBundleGenerator.pm line 207
EBox::OpenVPN::Server::ClientBundleGenerator::clientBundle(\'EBox::OpenVPN::Server::ClientBundleGenerator::Windows\', \'installer\', \'on\', \'addresses\', \'ARRAY(0xbbb1b410)\', \'clientCertificate\', \'edge-vpn2\', \'server\', \'EBox::OpenVPN::Server=HASH(0xbbf023e0)\', ...) called at /usr/share/perl5/EBox/OpenVPN/Server.pm line 516
EBox::OpenVPN::Server::clientBundle(\'EBox::OpenVPN::Server=HASH(0xbbf023e0)\', \'clientType\', \'windows\', \'clientCertificate\', \'edge-vpn2\', \'addresses\', \'ARRAY(0xbbb1b410)\', \'installer\', \'on\', ...) called at /usr/share/perl5/EBox/OpenVPN/Model/DownloadClientBundle.pm line 275
EBox::OpenVPN::Model::DownloadClientBundle::formSubmitted(\'EBox::OpenVPN::Model::DownloadClientBundle=HASH(0xbbb2cfd8)\', \'EBox::Model::Row=HASH(0xbbeb7050)\', undef) called at /usr/share/perl5/EBox/Model/DataForm.pm line 562
EBox::Model::DataForm::updatedRowNotify(\'EBox::OpenVPN::Model::DownloadClientBundle=HASH(0xbbb2cfd8)\', \'EBox::Model::Row=HASH(0xbbeb7050)\', undef) called at /usr/share/perl5/EBox/Model/DataForm/Action.pm line 108
EBox::Model::DataForm::Action::setTypedRow(\'EBox::OpenVPN::Model::DownloadClientBundle=HASH(0xbbb2cfd8)\', \'\', \'HASH(0xbbe92578)\', \'force\', undef, \'readOnly\', undef) called at /usr/share/perl5/EBox/Model/DataForm.pm line 330
EBox::Model::DataForm::setRow(\'EBox::OpenVPN::Model::DownloadClientBundle=HASH(0xbbb2cfd8)\', undef, \'addr2\', 192.168.1.0, \'installer\', \'on\', \'addr3\', undef, \'certificate\', ...) called at /usr/share/perl5/EBox/CGI/Controller/DataTable.pm line 121
EBox::CGI::Controller::DataTable::editField(\'EBox::CGI::Controller::DataTable=HASH(0xbbe8a2e8)\') called at /usr/share/perl5/EBox/CGI/Controller/DataTable.pm line 196
EBox::CGI::Controller::DataTable::_process(\'EBox::CGI::Controller::DataTable=HASH(0xbbe8a2e8)\') called at /usr/share/perl5/EBox/CGI/ClientRawBase.pm line 166
EBox::CGI::ClientRawBase::run(\'EBox::CGI::Controller::DataTable=HASH(0xbbe8a2e8)\') called at /usr/share/perl5/EBox/CGI/Run.pm line 86
EBox::CGI::Run::run(\'EBox::CGI::Run\', \'OpenVPN/Controller/DownloadClientBundle\') called at /usr/share/ebox/cgi/ebox.cgi line 19
ModPerl::ROOT::ModPerl::Registry::usr_share_ebox_cgi_ebox_2ecgi::handler(\'Apache2::RequestRec=SCALAR(0xbaa03fb0)\') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
ModPerl::RegistryCooker::run(\'ModPerl::Registry=HASH(0xbaa040a0)\') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
ModPerl::RegistryCooker::default_handler(\'ModPerl::Registry=HASH(0xbaa040a0)\') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
ModPerl::Registry::handler(\'ModPerl::Registry\', \'Apache2::RequestRec=SCALAR(0xbaa03fb0)\') called at -e line 0
eval {...} called at -e line 0
',
                 '-file' => '/usr/share/perl5/EBox/OpenVPN/Server.pm',
                 '-text' => 'No CA certificate',
                 '-line' => 152,
                 '-package' => 'EBox::OpenVPN::Server'
               }, 'EBox::Exceptions::Internal' );


So no certificate I assume? But, I have these:

Certification Authority Certificate       Valid       2010-09-17 10:14:04
edge-vpn    Valid    2010-09-16 10:14:52
edge-vpn2    Valid    2010-09-16 11:02:14
« Last Edit: September 17, 2009, 01:58:48 pm by kid_english »

kid_english

Re: VPN howto
« Reply #7 on: September 17, 2009, 02:02:30 pm »
Looks like an error on my part setting it up.

did this:
Code:
sudo rm -rf /var/lib/ebox/CA
and recreated the certificates, and it's worked fine.

But now of course I can't connect. Assuming it's something to do with the firewall, even though I've enabled a rule for that port etc etc. Hm

EDIT: I forgot to enable the vpn, oops! Just need to figure out how to browse files over it now.
« Last Edit: September 17, 2009, 03:17:01 pm by kid_english »

kid_english

Re: VPN howto
« Reply #8 on: January 04, 2010, 04:42:04 pm »
repost because I'm an idiot. oops
« Last Edit: January 05, 2010, 06:47:41 pm by kid_english »