[SOLVED] VPN config

snarf77

[SOLVED] VPN config
« on: August 30, 2010, 11:41:46 am »
Hello everybody,

I'm starting to configure my Zentyal VPN server and I have (I guess) a totally beginner question.
I watched the tutorial "how to set up a VPN" but I'm stuck at the beginning. Actually, I don't understand the client configuration. In the video, for example, the eBox admin never uses the "Client" sub-menu of the "VPN" menu in the left banner. He only uses "Download client bundle" from the server sub-menu.

Does this replace any client config? How do I use the client certificate I issued?

When I try to add a client, eBox tells me that my server config is not finished, but I don't know what to add....

Finally, from an Ubuntu client (connected to eth0 of the eBox server (external), eth1 being the LAN I want to access remotely) I install the openvpn package and try:
openvpn --config mygeneratedebundle.conf and I get the following terminal answer:

PS: I added a rule in the firewall to allow the VPN service (I kept the default port during the server configuration).

Here is the log:

Thanks in advance for your help and again congratulations for this great software

Mon Aug 30 11:07:49 2010 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Mon Aug 30 11:07:49 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Mon Aug 30 11:07:49 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug 30 11:07:49 2010 WARNING: file 'clientCAname.pem' is group or others accessible
Mon Aug 30 11:07:49 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Aug 30 11:07:49 2010 LZO compression initialized
Mon Aug 30 11:07:49 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 30 11:07:49 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Aug 30 11:07:49 2010 Local Options hash (VER=V4): 'd79ca330'
Mon Aug 30 11:07:49 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Aug 30 11:07:49 2010 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Aug 30 11:07:49 2010 UDPv4 link local: [undef]
Mon Aug 30 11:07:49 2010 UDPv4 link remote: [AF_INET]192.168.1.200:1194
Mon Aug 30 11:07:49 2010 TLS: Initial packet from [AF_INET]192.168.1.200:1194, sid=1a6d7cf1 264c552c
Mon Aug 30 11:07:49 2010 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=CompanyName/CN=Certification_Authority_Certificate
Mon Aug 30 11:07:49 2010 VERIFY X509NAME OK: /C=FR/ST=Region/L=City/O=CompanyName/CN=vpn-vpn.companyname.com
Mon Aug 30 11:07:49 2010 VERIFY OK: depth=0, /C=FR/ST=Region/L=City/O=CompanyName/CN=vpn-vpn.companyname.com
Mon Aug 30 11:07:49 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 30 11:07:49 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 30 11:07:49 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 30 11:07:49 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 30 11:07:49 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 30 11:07:49 2010 [vpn-vpn.companyname.com] Peer Connection Initiated with [AF_INET]192.168.1.200:1194
Mon Aug 30 11:07:51 2010 SENT CONTROL [vpn-vpn.companyname.com]: 'PUSH_REQUEST' (status=1)
Mon Aug 30 11:07:51 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.2 255.255.255.0'
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: route options modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: route-related options modified
Mon Aug 30 11:07:51 2010 ROUTE default_gateway=192.168.1.1
Mon Aug 30 11:07:51 2010 Note: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
Mon Aug 30 11:07:51 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Aug 30 11:07:51 2010 Cannot allocate TUN/TAP dev dynamically
Mon Aug 30 11:07:51 2010 Exiting
« Last Edit: September 01, 2010, 09:40:48 am by snarf77 »

Svein Wisnaes

Re: VPN config
« Reply #1 on: August 30, 2010, 10:17:18 pm »
Hi,

Thank you for including the log. There are a few more things that would be good to have so that the great people on this forum have a chance to help you. :-) Please take a look at the link in my signature for a few tips.
Regards,

Oceanwatcher
Do NOT use PM for support. This is a community forum and support is not on a one-on-one basis.
READ BEFORE POSTING - How to make a good post

snarf77

Re: VPN config
« Reply #2 on: August 31, 2010, 09:40:54 am »
Hi OceanWatcher,

Thanks for the reply and for the advice...

This machine, named portal, is dedicated to hosting a frontend server for a small business, including mail server, DNS and DHCP services for the LAN and a VPN to authorise road warriors to access another web server on the LAN.

It has two interfaces: eth0 for the WAN and eth1 for the LAN.

For this purpose, I installed Zentyal (I don't know which version, but I installed it on August 27th, so probably the latest one available) and the following modules:
Quote
ii  ebox-antivirus                  1.5.2-0ubuntu1~ppa1~lucid1           eBox - Antivirus
ii  ebox-ca                         1.5.4-0ubuntu1~ppa1~lucid1           Zentyal - Certification Authority
ii  ebox-dhcp                       1.5.4-0ubuntu1~ppa1~lucid1           Zentyal - DHCP Service
ii  ebox-dns                        1.5.1-1ubuntu1~ppa1~lucid1           eBox - DNS Service
ii  ebox-ebackup                    1.5.3-0ubuntu1~ppa1~lucid1           Zentyal - Backup
ii  ebox-egroupware                 1.5.1-0ubuntu1~ppa1~lucid1           eBox - Groupware
ii  ebox-firewall                   1.5.6-0ubuntu1~ppa1~lucid1           Zentyal - Firewall
ii  ebox-ftp                        1.5.2-0ubuntu1~ppa1~lucid1           Zentyal - FTP
ii  ebox-ids                        1.5.2-0ubuntu1~ppa1~lucid1           eBox - Intrusion Detection System
ii  ebox-mail                       1.5.4-0ubuntu1~ppa1~lucid1           Zentyal - Mail Service
ii  ebox-mailfilter                 1.5.3-0ubuntu1~ppa1~lucid1           Zentyal - Mail Filter
ii  ebox-monitor                    1.5.5-0ubuntu1~ppa1~lucid1           Zentyal - Monitor
ii  ebox-network                    1.5.7-0ubuntu1~ppa1~lucid1           Zentyal - Network Configuration
ii  ebox-ntp                        1.5.2-0ubuntu1~ppa1~lucid1           Zentyal - NTP Service
ii  ebox-objects                    1.5.1-0ubuntu1~ppa1~lucid1           eBox - Network Objects
ii  ebox-openvpn                    1.5.4-0ubuntu1~ppa1~lucid1           Zentyal - VPN Service
ii  ebox-printers                   1.5.2-0ubuntu1~ppa1~lucid1           Zentyal - Printer Sharing
ii  ebox-remoteservices             1.5.7-0ubuntu1~ppa1~lucid1           Zentyal - Control Center Client
ii  ebox-samba                      1.5.8-0ubuntu1~ppa1~lucid1           Zentyal - File Sharing
ii  ebox-services                   1.5.4-0ubuntu1~ppa1~lucid1           Zentyal - Network Services
ii  ebox-software                   1.5.5-0ubuntu1~ppa1~lucid1           Zentyal - Software Management
ii  ebox-usersandgroups             1.5.8-0ubuntu1~ppa1~lucid1           Zentyal - Users and Groups
ii  ebox-webserver                  1.5.5-0ubuntu1~ppa1~lucid1           Zentyal - Web Server

Concerning eBox, here is what I get when trying to add a client:
Quote
2010/08/30 10:38:03 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: logs
2010/08/30 10:40:06 DEBUG> Clients.pm:143 EBox::OpenVPN::Model::Clients::_validateService - Cannot activate the client because is not fully configured; please edit the$
2010/08/30 11:02:50 INFO> Global.pm:473 EBox::Global::saveAllModules - Saving config and restarting services: services firewall
2010/08/30 11:02:50 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: services
2010/08/30 11:02:51 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: firewall
2010/08/30 11:02:53 INFO> Base.pm:799 EBox::Module::Base::_hook - Running hook: /etc/ebox/hooks/firewall.postservice 1
2010/08/30 11:06:05 DEBUG> DataTable.pm:3324 EBox::Model::DataTable::_checkFieldIsUnique - Service name vpn already exists.
2010/08/30 11:06:56 INFO> Global.pm:473 EBox::Global::saveAllModules - Saving config and restarting services: firewall mailfilter logs
2010/08/30 11:06:56 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: firewall
2010/08/30 11:06:58 INFO> Base.pm:799 EBox::Module::Base::_hook - Running hook: /etc/ebox/hooks/firewall.postservice 1
2010/08/30 11:06:58 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: mailfilter
2010/08/30 11:07:00 ERROR> Sudo.pm:216 EBox::Sudo::_rootError - root command /usr/bin/test -e '/var/run/p3scan/p3scan.pid' failed.

Nothing more, as far as I can see...

If anybody needs something else... don't hesitate to ask.

thanks

Snarf77

Plecebo

Re: VPN config
« Reply #3 on: August 31, 2010, 08:31:28 pm »
Quote
I install the openvpn package and try:
openvpn --config mygeneratedebundle.conf and I get the following terminal answer:

Try this command with root permissions.

Code:
sudo openvpn --config mygeneratedebundle.conf
It has been my experience that the message "Cannot allocate TUN/TAP dev dynamically" is openvpn telling you that it doesn't have permission to create the tun/tap device, probably because it requires root permissions.

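Two things in the first post's log are worth checking before running a bundle: the `TUNSETIFF ... Operation not permitted` line that Plecebo diagnosed (OpenVPN needs root or CAP_NET_ADMIN plus a usable /dev/net/tun to create the tunnel interface), and the earlier warning that `clientCAname.pem` is "group or others accessible", which means the private key in the bundle is readable by other local users. The script below is an added example, not part of this thread or of Zentyal: it packages those pre-flight checks as shell functions and classifies an OpenVPN client log so the reader can tell "TLS worked but the tunnel device could not be created" apart from a certificate failure. The sample log lines at the end are constructed to mirror the failure in the first post.

```shell
#!/bin/sh
# Added example (not from the thread or from Zentyal). File names and the
# sample log lines below are constructed for illustration.

# 1. Can this process create a tun/tap interface? OpenVPN needs root (or
#    CAP_NET_ADMIN) and a character device at /dev/net/tun; otherwise the
#    TUNSETIFF ioctl fails with EPERM and OpenVPN exits with
#    "Cannot allocate TUN/TAP dev dynamically".
check_tun_access() {
    [ "$(id -u)" -eq 0 ] || { echo "not root: run openvpn with sudo"; return 1; }
    [ -c /dev/net/tun ] || { echo "/dev/net/tun missing: modprobe tun"; return 1; }
    echo "tun/tap access looks OK"
}

# 2. Is a key/cert file readable by group or others? This is the condition
#    behind OpenVPN's "file ... is group or others accessible" warning. The
#    private key in a client bundle should be mode 0600. ls -l is parsed
#    instead of stat(1) so the check works on GNU and BSD userlands alike.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 2
    bits=$(ls -ld "$f" | cut -c5-10)   # rwx bits for group and others
    case $bits in
        ------) return 0 ;;             # only the owner can read it
        *)      return 1 ;;             # group/others have some access
    esac
}

# Tighten a key file and re-check it.
fix_key_perms() { chmod 600 "$1" && key_perms_ok "$1"; }

# 3. Classify an OpenVPN client log. Prints one of:
#    privilege      TLS succeeded, but the tunnel device could not be created
#                   because the process lacked permission (the thread's case)
#    no-tun-device  tunnel allocation failed for another reason (e.g. no tun module)
#    tls-failure    certificate/handshake problem
#    connected      tunnel came up
#    unknown        none of the above signatures found
classify_openvpn_log() {
    log=$1
    if grep -q 'Cannot allocate TUN/TAP dev dynamically' "$log"; then
        if grep -q 'TUNSETIFF.*Operation not permitted' "$log"; then
            echo "privilege"
        else
            echo "no-tun-device"
        fi
    elif grep -Eq 'VERIFY ERROR|TLS Error' "$log"; then
        echo "tls-failure"
    elif grep -q 'Initialization Sequence Completed' "$log"; then
        echo "connected"
    else
        echo "unknown"
    fi
}

# Constructed sample mirroring the failure in the first post.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mon Aug 30 11:07:49 2010 WARNING: file 'clientCAname.pem' is group or others accessible
Mon Aug 30 11:07:49 2010 VERIFY OK: depth=0, /C=FR/ST=Region/L=City/O=CompanyName/CN=vpn-vpn.companyname.com
Mon Aug 30 11:07:51 2010 Note: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
Mon Aug 30 11:07:51 2010 Cannot allocate TUN/TAP dev dynamically
EOF
classify_openvpn_log "$sample_log"   # privilege
rm -f "$sample_log"
```

Usage: source the file and run `check_tun_access` before `openvpn --config bundle.conf`, and `fix_key_perms bundle-key.pem` on the key shipped in the client bundle. The classifier deliberately checks for the tunnel-allocation failure before the TLS signatures, because in the thread's log every VERIFY step is OK and the only real fault is the missing privilege.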

snarf77

Re: VPN config
« Reply #4 on: September 01, 2010, 09:40:24 am »
Thanks a lot Plecebo,

You guessed right... only a question of permissions. Everything is working now.

Thanks

Snarf77