Messages - Saturn2888

61
Installation and Upgrades / Re: Accessing OpenVPN Clients
« on: July 24, 2010, 07:00:17 am »
There are a few ways. I've had this problem myself actually. Are they Windows or Linux machines on the other side? I highly recommend doing a search in the forums because I've had this same issue many times. Here's a solution that might work.

// File Location
/usr/share/ebox/stubs/openvpn

// Local (Make sure you edit the IP addresses for DNS, WINS, and DOMAIN)
<%def advertisedNets>
<%args>
@nets
</%args>
%# One "route" push per advertised network; each $net is an [address, netmask] pair
% foreach my $net (@nets) {
%   my ($address, $netmask) = @{ $net };
   push "route <% $address %> <% $netmask %>"
% }
%# Pushed once (not once per route): name resolution and NetBIOS settings for the clients
   push "dhcp-option DNS 192.168.1.1"
   push "dhcp-option WINS 192.168.1.1"
   push "dhcp-option NBT 2"
   push "dhcp-option DOMAIN local"
</%def>

// Restart OpenVPN
/etc/init.d/ebox openvpn restart

62
eBox 1.5.7
2.6.32-23-generic-pae

:: PROBLEM ::

The File Sharing module isn't starting up after the upgrade. I dunno what I should do about it. It's something related to LDAP for some reason. This is the LDAP Master and I used to be able to run File Sharing on this one too unlike what you guys have said :p.

Is it related to the firewall or something? What should I do? I can remake the users, but I'd really rather not bother with remaking all my Samba users all over again :(.

:: INFORMATION ::

tail -n 40 /var/log/ebox/ebox.log
Code:
2010/07/23 23:17:08 INFO> Service.pm:635 EBox::Module::Service::restartService - Restarting service for module: events
2010/07/23 23:17:16 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:20:08 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:25:08 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:30:09 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:32:05 INFO> Global.pm:470 EBox::Global::saveAllModules - Saving config and restarting services: network samba firewall
2010/07/23 23:32:06 INFO> Base.pm:152 EBox::Module::Base::save - Restarting service for module: network
2010/07/23 23:32:07 ERROR> Sudo.pm:216 EBox::Sudo::_rootError - root command /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark failed.
Error output: iptables: Protocol wrong type for socket

Command output: .
Exit value: 1
2010/07/23 23:32:07 ERROR> Sudo.pm:216 EBox::Sudo::_rootError - root command /usr/share/ebox-network/ebox-flush-fwmarks
/sbin/ip route flush table 101
/sbin/ip rule add fwmark 1 table 101
/sbin/ip rule add from 1.1.1.1 table 101
/sbin/ip route add default via 1.1.1.1 table 101
/sbin/ip rule add table main
/sbin/iptables -t mangle -A PREROUTING  -m mark --mark 0/0xff -i eth0 -j MARK --set-mark 1
/sbin/iptables -t mangle -N EMARK
/sbin/iptables -t mangle -A PREROUTING -j EMARK
/sbin/iptables -t mangle -A OUTPUT -j EMARK
/sbin/iptables -t mangle -A EMARK -m mark --mark 0/0xff -j  MARK --set-mark 1 failed.
Error output: iptables: Protocol wrong type for socket
 iptables: Protocol wrong type for socket

Command output: .
Exit value: 1
2010/07/23 23:32:08 INFO> Base.pm:152 EBox::Module::Base::save - Restarting service for module: samba
2010/07/23 23:32:29 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:32:29 INFO> Base.pm:152 EBox::Module::Base::save - Restarting service for module: firewall
2010/07/23 23:32:34 INFO> Base.pm:798 EBox::Module::Base::_hook - Running hook: /etc/ebox/hooks/firewall.postservice 1
2010/07/23 23:32:35 ERROR> Global.pm:560 EBox::Global::saveAllModules - The following modules failed while saving their changes, their state is unknown: network samba
2010/07/23 23:35:08 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:40:08 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:45:07 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:48:03 INFO> Service.pm:635 EBox::Module::Service::restartService - Restarting service for module: samba
2010/07/23 23:48:23 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection
2010/07/23 23:48:23 ERROR> Service.pm:640 EBox::Module::Service::__ANON__ - Error restarting service: Can't create ldapi connection
2010/07/23 23:48:28 ERROR> Ldap.pm:177 EBox::Ldap::anonymousLdapCon - Can't create ldapi connection

63
Well when you do a "Dear Someone," you do terminate it with a comma, but when you start the line, you use a capital letter and treat it as if the "Dear Someone" statement was not even there. Without a capital letter, it looks really off. The next line is always supposed to be indented as well, but in most e-mails and because of the way we've changed things over the years, that indentation is only used for academic papers.

64
:: SOLUTION ::

I had my main rig up with a VPN connection to this same network using the same certificate and apparently forgot to turn it off. I'm guessing this is why I didn't have the problem at the university and the problem w/ the Wi-Fi is probably just that, thick walls in a 100 yr old building probably severing the clarity of a Wi-Fi connection.

65
I think the domain you're supposed to enter is like the hostname of the box, not the actual top-level domain it is a part of like .com, .local, etc.

For instance, I have .blah for my network (not really), so in the PDC domain area, I don't enter in machine.blah, I enter in only MACHINE.

66
:: BUG ::

I made a 63-character password for my eBox, and it took it just fine, but now I cannot login to my account because the account password is longer than 58 characters, the amount seeming supported on this page: https://www.ebox-controlcenter.com/login/.

I noticed the password also does not work in the eBox Control Center module in 1.4.8, but I got it to work in the eBox Store page. So even if you can login to the store, that's about all you can do with a lengthy password like that.

Well that's one possible bug, the other one seems to be that I received the e-mail before my subscription went from Pending to Active.

:: GRAMMAR ::

There's a strange grammar issue in the e-mail I received as well:
Quote:
Hello Saturn,

thank you for your interest in eBox Server Subscriptions.
Whereas it might be best to put that all on one line. If you're going with two lines, do this:
Hello Saturn.

Thank you for blah blah blah.

I've never seen a case where the first letter of any paragraph is not capitalized unless it is a name and that name specifically has a lowercase letter for the first letter of its name.

67
There's a syntax error when parsing English through the Saturn2888 interpreter ;).
Source: http://doc.ebox-platform.com/en/vpn.html#virtual-private-network-vpn

"eBox vs OpenVPN as a server. eBox OpenVPN as a client"

Should be:
One eBox as an OpenVPN server, the other as an OpenVPN client.


"The goal is to connect the client on the LAN 1 with client 2 on the LAN 2, as if they were in the same local network. Therefore, you have to configure an OpenVPN server as done in Practical example B."

Should be:
The goal is to connect client 1 on LAN1 to client 2 on LAN2 as if they were on the same network; therefore, you first have to configure an OpenVPN server as shown in Practical Example B.

68
:: VPN ::

There are many solutions. For one, the VPN one is in another thread. Do a search on the forums, and you should see some I've posted in previously with instructions on how to edit the openvpn.conf.mas file. That fixes NetBIOS over VPN. It's also best to manually set the Gateway (only the Gateway) in the TAP adapter to ensure things work like they should. It doesn't send Internet packets through to your house this way so you're safe.

:: Local ::

It is very possible it's not browsing. What workgroup did you set up in eBox? Do you have ebox-dns enabled? What version of eBox are you using? It's a problem with it not broadcasting the hostname. I don't know how your network is set up, but mine always show up and everything's on the same workgroup.

A possible solution is to enable the DNS module and enable Dynamic DNS in your DHCP server. Don't take my word on this though, it's just a suggestion.
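
The options that the edited advertisedNets stub (post 61) pushes, and the point in this post that the VPN should not carry the client's Internet traffic, can both be verified from the OpenVPN client log. The following Python is an added example, not code from the posts or from eBox; the log line is constructed, and the list of expected networks is an assumption.

```python
import re

# Constructed sample OpenVPN client log line (not from the original posts).
# Its PUSH_REPLY mirrors what the edited advertisedNets stub would push.
SAMPLE_LOG = (
    "Sat Jul 24 07:00:17 2010 PUSH: Received control message: "
    "'PUSH_REPLY,route 192.168.1.0 255.255.255.0,"
    "dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,"
    "dhcp-option NBT 2,dhcp-option DOMAIN local,"
    "route-gateway 10.8.0.1,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.6 255.255.255.0'"
)

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(?P<opts>[^']*)'")


def parse_push_reply(log_text):
    """Return the options of the last PUSH_REPLY in the log as a dict of lists,
    e.g. {'route': ['192.168.1.0 255.255.255.0'], 'dhcp-option': [...]},
    or None when no PUSH_REPLY line is present."""
    matches = PUSH_RE.findall(log_text)
    if not matches:
        return None
    pushed = {}
    for opt in matches[-1].split(","):
        name, _, args = opt.strip().partition(" ")
        pushed.setdefault(name, []).append(args)
    return pushed


def check_push(pushed, expected_nets):
    """Defender-side checks on what the server actually pushed.
    expected_nets: iterable of (network, netmask) strings the server should
    advertise. Returns a list of problem strings (empty means all good)."""
    if pushed is None:
        return ["no PUSH_REPLY found in log"]
    problems = []
    routes = set(pushed.get("route", []))
    for net, mask in expected_nets:
        if f"{net} {mask}" not in routes:
            problems.append(f"missing route {net} {mask}")
    dhcp = {}
    for arg in pushed.get("dhcp-option", []):
        key, _, value = arg.partition(" ")
        dhcp[key] = value
    for key in ("DNS", "WINS", "DOMAIN"):
        if key not in dhcp:
            problems.append(f"no dhcp-option {key} pushed; name resolution over the VPN will not work")
    if dhcp.get("NBT") != "2":
        problems.append("dhcp-option NBT 2 (p-node, WINS lookups) not pushed")
    # A site VPN should not hijack the client's default route.
    if "redirect-gateway" in pushed:
        problems.append("redirect-gateway pushed: all client Internet traffic would go through the VPN")
    return problems
```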

69
eBox 1.5.7
Ubuntu Lucid 10.04
BackupPC 3.1.0
Code:
root:~# dpkg -l | grep "ebox-"
ii  ebox-ca                             1.5.2-0ubuntu1~ppa1~lucid1        eBox - Certification Authority
ii  ebox-firewall                       1.5.3-0ubuntu1~ppa1~lucid1        eBox - Firewall
ii  ebox-ftp                            1.5.1-0ubuntu1~ppa1~lucid1        eBox - FTP
ii  ebox-monitor                        1.5.3-0ubuntu1~ppa1~lucid1        eBox - Monitor
ii  ebox-network                        1.5.5-0ubuntu1~ppa1~lucid1        eBox - Network Configuration
ii  ebox-objects                        1.5.1-0ubuntu1~ppa1~lucid1        eBox - Network Objects
ii  ebox-openvpn                        1.5.3-1ubuntu1~ppa1~lucid1        eBox - VPN Service
ii  ebox-remoteservices                 1.5.3-0ubuntu1~ppa1~lucid1        eBox - Control Center Client
ii  ebox-samba                          1.5.6-0ubuntu1~ppa1~lucid1        eBox - File Sharing
ii  ebox-services                       1.5.3-0ubuntu1~ppa1~lucid1        eBox - Network Services
ii  ebox-software                       1.5.1-0ubuntu1~ppa1~lucid1        eBox - Software Management
ii  ebox-usersandgroups                 1.5.3-0ubuntu1~ppa1~lucid1        eBox - Users and Groups
ii  ebox-webserver                      1.5.3-0ubuntu1~ppa1~lucid1        eBox - Web Server
Additional Logs: http://badmarkup.com/ebox/timeouts/

:: BACKGROUND ::

I had tried this both in the office and outside via VPN on both slow and fast links (home vs university). In the office I used close and far connections over Wi-Fi and during this period I was running a ping to the eBox.

:: PROBLEM ::

While running a ping, I noticed for the first time that I was losing SSH connection or that it was slow to type. There wasn't anything really different with the server at all. I moved in many different locations and noticed the ping stop dropping once I got in the room w/ the Wireless router. I was able to do everything I needed and figured it was just the Wi-Fi.

Later, I went to a university to continue what I was doing and utilized their connection speed for a VPN. I didn't do too much, but I didn't notice the same problems I had experienced earlier in the day. In fact, it felt as though I was on the local LAN.

Come to now, I'm at home and the VPN is becoming a huge issue. I have to keep hitting the "Reconnect" button in OpenVPN, or I'll drop out of SSH, HTTP, HTTPS, and remote desktop sessions. I assumed it was a VPN problem but remember the issues I was having with Wi-Fi earlier in the day.

My conclusion is that it is possible the weak links are causing the problems. The university connection over VPN is faster than even me being right up next to the wireless access point, but at home, my connection is about as fast as where I was in the building when I noticed the problems. As I'm sitting here right now, I made 87 consistent pings and then now it's not working anymore. OpenVPN still shows green.

:: TROUBLESHOOTING ::

I have it set up with DynDNS but didn't notice the IP changing at all in the logs so that's not the problem.

The last thing I did to verify it was not the router malfunctioning or losing connectivity was to run a "ping google.com" in a screen so when I lost connection, I could return to see if it continued without me. I got 0% packet loss so I figure the problem isn't with the Internet Connection on that side. It could still be that it is my home network causing the problems. If so, then it is a Traffic Shaping module issue. After disabling Traffic Shaping, I noticed no fix.

There is still a chance the Wi-Fi and VPN issues are unrelated. There's also a chance AT&T is cutting the VPN because it feels like it. And there's still a chance I just didn't notice any issues because I was being quick while at the university; but I highly doubt that as I know I was doing quite a bit and had a consistent connection for at least 40 minutes whereas I don't even know if I get 5 minutes right now.

70
Apparently one of the machines I'm administering has been testing it as I notice it's on eBox 1.5.7, and I restarted the entire machine this afternoon. What are you looking for exactly? I took a look at htop for a while, and it was using very little CPU. Didn't seem like anything was really going all the time constantly. Is the logger associated with collectd? I normally notice collectd kinda taking over in 1.4 and earlier eBox versions, but I haven't noticed it in 1.5 at all; and I only just installed htop today so my data might be insufficient.

72
@ Everyone here

One of the big things all the community members, myself included, wanted from the eBox devs for the 2.0 release was solidifying the current working set of features. We had all had our problems with eBox through betas and supported versions, especially the LDAP feature, and many people, while most wanting something like Zimbra, said that the best thing for eBox is for it to be better at what it advertises.

Keeping this in mind, I'm not the least bit let down by knowing there's hardly anything new in 2.0 because I've already seen the benefits of upgrading to Lucid from Hardy. I also notice a lot of neat changes to the Dashboard which make it a bit more dynamic both visually and in how it updates. It's like tuning a computer, you do all of these little changes like clean out the fans, get better graphics card heatsinks, and other things, but in most cases, your case is closed, there is no window, and all of that goes unseen. There were no new features, nothing, you just have a better-running system, and this is what eBox 2.0 is. I'm surprised there are new features at all. Also, the 1.4 release had some features added along the way like adapter bridging and RADIUS (hopefully I'm assuming right here).

What might not be a current feature but might come along in 2.0 is the ability to bridge the OpenVPN virtual adapter. That is not a huge new feature or module, but it will add on to the current one. The same goes for HTTPS in Web Server (I needed this for 2 years) and the Jabber and Mail modules. It's all little things that come together. Yet another little one is userspace l7protos so you can traffic shape on the packet-level without having to use an ebox-custom kernel that might be a version or two behind the newest kernel release. So many nice neat features. Think of it like upgrading from Windows Vista to Windows 7; it's practically the same operating system, but a lot of little things were changed.

73
eBox 1.4.8
Ubuntu Hardy 8.04.4
2.6.24-27-ebox

:: DOCUMENTATION ::

Something that would be good to include in the OpenVPN documentation is how to set up an OpenVPN client with connections to multiple VPNs either through the client GUI or the client service. If you need, I can assist you because I've done my own experiments with it. I believe Linux handles all of this itself in the VPN network managers, but in Windows it's a different story. I would be willing to assist you in creating these pages if needed.

:: BACKGROUND ::

Because of my experiences with more than one *.ovpn config file, I think you guys need to change how you put the config file and certs in the ZIP file when downloaded from the VPN page. For instance, the way the OpenVPN GUI works is it pulls config files recursively while the OpenVPN Service pulls only those config files that are in the top openvpn/config directory. This is good if you wanna have only certain VPNs start with the OpenVPN Service and others controlled through the GUI. Now, it seems the OpenVPN Service starts each config file in alphabetical order so that could screw things up if you customized some entries (like Gateway) in your TAP adapters. I've not done enough tests on this yet to say for sure what causes what issues I was experiencing.

:: eBox OpenVPN LIMITATION ::

In connecting to multiple VPNs, you need multiple TAP adapters. Normally you could suffice w/ alias adapters, but in Windows, this is the limitation. The reason for opening this thread is because of the way the ZIP file structures the files.

To boot from multiple config files using the OpenVPN Service they all need to be in openvpn/config. This is a problem since the certs and everything else are, by default, in one folder requiring you to go into the config file to edit things. The way I set it up is to have a folder with the same name as the config file containing the certs in the openvpn/config folder and the *.ovpn file also in the openvpn/config folder so it looks like this:
C:\Program Files (x86)\OpenVPN>dir config
     ebox-client.ovpn
     ebox-client/ (certs in here)

This way, if you wanted to hide the config file from the OpenVPN Service, you just simply put it in a parent folder so the non-recursive lookup won't find it, but if you want to trigger multiple config files to load, now you just place them in openvpn/config because the *.ovpn file will be sitting there only with other *.ovpn files. It's simple and easy and allows you to utilize both the GUI and the Service. I don't think making this change at this point in the development of eBox will harm anything since it's a dynamic change, and it more-easily allows for connecting to multiple VPNs without having to manually edit a bunch of config files which I had to do manually :'(.

All the change will do is increase compatibility, usability, and require far less manual labor. There are no downsides to this that I can think of, not one except maybe if someone copy/pastes over their old config file and doesn't copy the new child folder containing the certs; although, that's extremely easy to fix. If you change it now, it will wind up being a better decision in the future when more people like me appear who have to service multiple locations and do so through eBox OpenVPNs.

:: MISC ::

I think you should remove the -client from the config file names because it's redundant. It's better to connect to Workplace1 and Workplace2 instead of Workplace1-client and Workplace2-client. When you have 10 places to connect to, it gets really repetitive. I want to say "yes, I know, it's a client connection". And if you only have one, putting the -client seems unneeded. This is a very minor issue.
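
The layout proposed in this post (the .ovpn alone in openvpn/config, its certs in a same-named subfolder) can be produced from an unpacked eBox client bundle without hand-editing each file. This Python script is an added example, not the poster's or eBox's code; the sample .ovpn and its file names are constructed, and it assumes OpenVPN for Windows accepts forward slashes in quoted relative paths.

```python
import os
import shutil

# Constructed sample of a bundle's .ovpn (not an actual eBox-generated file).
SAMPLE_OVPN = (
    "client\ndev tap\nremote vpn.example.invalid 1194\n"
    "ca ca.pem\ncert client.pem\nkey client.key\ntls-auth ta.key 1\n"
)

# Directives whose first argument is a file shipped inside the bundle.
PATH_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "dh", "crl-verify")


def rewrite_ovpn(text, subdir):
    """Point every file-path directive in an .ovpn at <subdir>/<file>.
    Returns (new_text, files): the rewritten config and the bundle files it
    references, so the caller moves exactly those into the subfolder.
    Extra arguments (e.g. the tls-auth key direction) are preserved."""
    out, files = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in PATH_DIRECTIVES:
            fname = os.path.basename(parts[1].strip('"'))
            files.append(fname)
            parts[1] = f'"{subdir}/{fname}"'
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out) + "\n", files


def relocate_bundle(bundle_dir, config_root, name):
    """Lay out an unpacked bundle as config_root/<name>.ovpn plus
    config_root/<name>/ holding the certs, so only the .ovpn sits in the
    top-level directory that the OpenVPN Service scans (hypothetical helper).
    Returns the sorted entries now present in config_root."""
    with open(os.path.join(bundle_dir, f"{name}.ovpn")) as fh:
        new_text, files = rewrite_ovpn(fh.read(), name)
    certs_dir = os.path.join(config_root, name)
    os.makedirs(certs_dir, exist_ok=True)
    for fname in files:
        shutil.copy2(os.path.join(bundle_dir, fname), certs_dir)
    with open(os.path.join(config_root, f"{name}.ovpn"), "w") as fh:
        fh.write(new_text)
    return sorted(os.listdir(config_root))
```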

74
Hey Francesco,

Thanks a lot for this how-to. We will probably include a small module ebox-pptp to automatize this as it's pretty simple.

Thanks!!!1

I'm assuming this was never made, but it still seems like a good idea to include since it would probably be pretty simple to set up. I mean, it's even more simplistic than OpenVPN, it gives people more choice and a lot more flexibility, and it's a fantastic way to compete with the big name small- and medium-sized business servers which rely on the simplistic Microsoft and Apple VPN services. It's also easy enough to set up in a Linux Live; especially on Ubuntu Desktop and variants like Linux Mint.

Just a thought, but
Code:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
Could easily be changed to
Code:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=pptp"
To restrict PPTP VPN usage to certain people easily.

This looks extremely useful. How would the session get hijacked anyway? Dictionary attacks? Isn't EAP-TLS supposed to be really secure for PPTP? If you guys leave way to better security options and permissions for a PPTP connection, I think you'll hit the jackpot. It would be nice to say "let this computer into the network, but all it gets access to is RDP" so port 3389. That's all some people use VPN for anyway.

75
I don't know. Make sure your firewall is letting things pass and that you have that PDC checkbox checked. Are you running 1.4 or 1.2?
