
Messages - Paulxx

1
Like this:

First, in the web panel, set up a Client VPN.

mkdir -p /etc/zentyal/stubs/openvpn
cp /usr/share/zentyal/stubs/openvpn/openvpn-client.conf.mas /etc/zentyal/stubs/openvpn

Replace the "openvpn-client.conf.mas" content with your existing client "vpn.conf" content (from pfSense).
Maybe leave the Zentyal-specific log entries etc.
Make sure there is an "auth-user-pass /etc/openvpn/password.txt" reference in there.
"/etc/openvpn/password.txt" should have the username on the 1st line and the password on the second.
Also copy over and reference certs/keys etc., or make them "inline" (inside the vpn.conf/ovpn file).
Enable Client VPN and save/restart.

2
Installation and Upgrades / Re: Open VPN User authentication
« on: March 09, 2014, 09:22:24 pm »
For username/password:

mkdir -p /etc/zentyal/stubs/openvpn
cp /usr/share/zentyal/stubs/openvpn/openvpn.conf.mas /etc/zentyal/stubs/openvpn

echo 'plugin /usr/lib/openvpn/openvpn-auth-pam.so login
cipher AES-256-CBC        # optional
fragment 1300           # necessary for remote home/road clients
username-as-common-name     # allows multiple users, same certs' >> /etc/zentyal/stubs/openvpn/openvpn.conf.mas

cp /usr/share/zentyal/stubs/openvpn/noebox-openvpn-client.conf.mas /etc/zentyal/stubs/openvpn

echo 'auth-user-pass userpass.txt     # omit "userpass.txt" to prompt client for password
script-security 3 system
cipher AES-256-CBC        # optional
redirect-gateway def1
persist-remote-ip
fragment 1300           # necessary for remote home/road clients
mssfix              # necessary for remote home/road clients
float
reneg-sec 86400
;route-method exe
;up /etc/openvpn/update-resolv-conf     # optional script to run after vpn connection up
route-delay 2
inactive 604800
ping 10
ping-restart 120
replay-window 512 60
mute-replay-warnings' >> /etc/zentyal/stubs/openvpn/noebox-openvpn-client.conf.mas


Zentyal: Create a new VPN server / edit config.
   Users > LDAP Settings > "Enable PAM" > Change > Save       (new users will be added as PAM system/VPN users)

echo 'AllowUsers root adminxx ***userxx***' >> /etc/ssh/sshd_config            (*** select allowed users *** - stops other/VPN users from accessing an ssh shell)

Download the Linux or Windows VPN certificates/config from the Zentyal web interface.
   - remove the explicit-exit-notify entry in the config, if present
   - the same config/certs/keys can be reused for each user
   - for each user: create a local 'userpass.txt' file with the username on line 1 and the password on line 2, or omit the filename in the config to prompt
   - converting certs/keys to "inline" format within a single config file simplifies deployment; see the OpenVPN docs


Notes:    An ongoing bug means that if you are using redirected local DNS, run 'service zentyal dns restart' from the shell after the first VPN client is established.
   Consider the impact of config changes on any other VPN server instances.
   Erase the /etc/zentyal/stubs/openvpn files and restart openvpn to reset the server.
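Post 1 (make the certs/keys "inline") and post 2 (the per-user 'userpass.txt' and the inline conversion) both describe steps that are easy to get wrong by hand. The script below is an added example written for this page; it is not code from the posts, from Zentyal or from OpenVPN. The directive handling follows the OpenVPN manual: a 'ca ca.crt' line becomes a <ca>...</ca> block, and an inlined tls-auth key needs a separate 'key-direction' line because the direction argument has nowhere else to go. The sample config, the placeholder PEM bodies, the hostname vpn.example.invalid and the function names (inline_config, write_userpass, userpass_is_private, demo) are all constructed for the example. One caveat the posts leave implicit: OpenVPN does not enforce permissions on the auth-user-pass file, so the script creates it mode 0600 itself rather than trusting the umask.

```python
#!/usr/bin/env python3
"""Inline OpenVPN cert/key files into one .ovpn and write an owner-only
auth-user-pass credentials file.

Added example for the procedure described in the forum posts; not code
from the forum, Zentyal or OpenVPN. All file names, PEM bodies and the
hostname below are constructed placeholders.
"""
import os
import stat
import sys
import tempfile

# Directives whose first argument is a PEM-style file that OpenVPN accepts
# as an inline <directive>...</directive> block instead.
INLINE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")


def inline_config(config_text, base_dir):
    """Return config_text with every inlinable file reference replaced by
    the file's contents as an inline block. Paths are resolved relative to
    base_dir, the directory the downloaded client bundle was unpacked into."""
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        # Comments (# or ;), bare keywords and unrelated directives pass through.
        if len(parts) < 2 or parts[0] not in INLINE_DIRECTIVES:
            out.append(line)
            continue
        directive, path = parts[0], parts[1]
        with open(os.path.join(base_dir, path), encoding="ascii") as fh:
            body = fh.read().strip()
        out.append("<%s>" % directive)
        out.append(body)
        out.append("</%s>" % directive)
        # 'tls-auth ta.key 1': the direction cannot live inside the block,
        # so it becomes an explicit key-direction line.
        if directive == "tls-auth" and len(parts) >= 3 and parts[2].isdigit():
            out.append("key-direction %s" % parts[2])
    return "\n".join(out) + "\n"


def write_userpass(path, username, password):
    """Create the two-line file read by 'auth-user-pass <file>':
    username on line 1, password on line 2, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("%s\n%s\n" % (username, password))
    # O_CREAT's mode is masked by umask and ignored if the file already
    # existed, so set the final mode unconditionally.
    os.chmod(path, 0o600)
    return path


def userpass_is_private(path):
    """True when the credentials file grants nothing to group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed sample bundle resembling what Zentyal exports; placeholder
# PEM bodies, not real certificate material.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n0123...placeholder...\n-----END OpenVPN Static key V1-----\n",
}
SAMPLE_CONFIG = """client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
tls-auth ta.key 1
auth-user-pass userpass.txt
"""


def demo(work_dir=None):
    """Unpack the constructed bundle into work_dir (a fresh temp dir by
    default), inline it and write credentials for the hypothetical user
    'userxx'. Returns (inlined_config_text, userpass_path)."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="ovpn-inline-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(work_dir, name), "w") as fh:
            fh.write(body)
    inlined = inline_config(SAMPLE_CONFIG, work_dir)
    with open(os.path.join(work_dir, "client-inline.ovpn"), "w") as fh:
        fh.write(inlined)
    creds = write_userpass(os.path.join(work_dir, "userpass.txt"), "userxx", "example-password")
    return inlined, creds


if __name__ == "__main__":
    text, creds = demo()
    sys.stdout.write(text)
    print("credentials in %s, private: %s" % (creds, userpass_is_private(creds)))
```

To use it on a real bundle, call inline_config() with the text of the downloaded config and the directory holding its ca/cert/key files, and write_userpass() with the user's own credentials; the resulting single .ovpn plus userpass.txt is all a client needs.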

3
Well, I did what you suggested, half-life. Hours of learning and implementing Asterisk with FreePBX/Elastix. It all works fine on a server outside the Zentyal one. I managed to get Zentyal L2TP working too - why on earth does it not just create its own network like PPTP and OpenVPN?

Though everything is working, the only thing I like that Zentyal VoIP did not have is the simple Elastix call rates and billing report. A2Billing is overkill; in fact, the whole thing is massive overkill, counter-intuitive and lacking in sensible defaults. It is designed for big call centres with full-time staff, not small business needs.

I miss Zentyal VoIP and, since Zentyal Asterisk was relatively lightweight on resources, preferred the inbuilt security of everything in one server, even though I use VPN now. I am probably going to try and get FreePBX on the Zentyal server next, but I have used it through Elastix and it is even worse. The only thing I would miss is that quick Elastix per-user call cost report, but I could probably get that using Excel.

Zentyal VoIP was basically the only option available to anyone who did not have the time, inclination or need to learn Asterisk in depth and just wanted something clean and simple that works out of the box, i.e. most small businesses.

4
I totally agree with jgould, and actually the Asterisk implementation is by far the best and simplest, and the reason I came to Zentyal in the first place.

I have tried and would like to upgrade to 3.2 when L2TP is fixed (so far it has internal network setup problems...) but cannot without VoIP.

Even if Asterisk had a separate user/password system like L2TP or PPTP, that would be OK.

