Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: rutri on May 13, 2009, 12:04:24 am

Title: Ebox Setup: Solved!
Post by: rutri on May 13, 2009, 12:04:24 am
Hello,

   I was wondering if anyone could point me to a tutorial I can use to configure and set up ebox.  What I really wanted was for ebox to provide a VPN connection to my internal network; however, it seems that this is either extremely complicated to implement or isn't possible at all.  My hardware configuration is as follows.


Both my router and ebox have connections to my local intranet and the Internet.

Internet
|
Hub
|____________
|            |
|         Router
|            |
Ubuntu ebox -|
             |
Computer 1 --|
             |
Computer 2 --|
             |
Computer 3 --|


If I need to I will either set up the ebox as the DHCP server/Gateway, however I need to know how.  But I would prefer to have my ebox behind the router if at all possible.  Either way I want to have a functional VPN so I may access my network when away from home.

Title: Re: Ebox Setup
Post by: poundjd on May 13, 2009, 12:19:00 am
Rutri,
     I would recommend that you eliminate the hub and router from your configuration.  They are only adding complexity that is not needed.

A quick google search for HOWTO's showed this http://www.howtoforge.com/running-a-file-and-print-server-with-ebox-on-ubuntu8.04-server. There are also a couple here on this site, search for HOWTO.

If I can be of more help just PM me and I'll help where I can.... I'm still new to this so others may be able to help more.
-jeff
Title: Re: Ebox Setup
Post by: rutri on May 13, 2009, 01:06:01 am
I do still need some functionality of it to handle wireless connections.  Also do you have a link that would help me with setting up the DHCP in the ebox?
Title: Re: Ebox Setup
Post by: poundjd on May 13, 2009, 01:07:36 am
Rutri,
     Can the router be configured as an AP?  If so, just place it behind the eBox and you are golden...
-jeff
Title: Re: Ebox Setup
Post by: rutri on May 13, 2009, 01:10:26 am
I am not sure, I know I can disable its DHCP.  The router is a WRT350N Linksys router.  Also do you have any tutorials on how to set up a DHCP in ebox?
Title: Re: Ebox Setup
Post by: poundjd on May 13, 2009, 01:21:46 am
Rutri,
     My Linksys routers have been reloaded with DD-WRT firmware from www.DD-WRT.com.  It can do that if the original Linksys firmware can't.  The DD-WRT firmware is much better than the Linksys's.

http://www.howtoforge.com/running-a-file-and-print-server-with-ebox-on-ubuntu8.04-server is a HOWTO I found with a google search for "HOWTO eBox".  Also on this site there are a few, Search for HOWTO.  One I like is at http://forum.ebox-platform.com/index.php?topic=896.0.
-jeff
Title: Re: Ebox Setup
Post by: SamK on May 13, 2009, 10:01:35 am
Hi Rutri,

I, like poundjd (Jeff), am exploring eBox and may be able to offer some (limited) help.

Jeff's suggestions are good advice as they are widely implemented by eBox users.  My requirements were quite close to those described in your opening post. By design, eBox is quite capable of accommodating different set-ups and provided a suitable answer to my needs.  In essence this was to use the router/switch as a gateway to the LAN and leave functions such as the firewall etc there also.

The alternative approach is shown here:
http://forum.ebox-platform.com/index.php?topic=1233.0
It is quite a long thread and deals with the following main ideas:
Also of interest might be the LAN topology diagram (post #48)

A broad outline is:
Module Status Section
Enable the eBox modules you require

Network Section-->Interfaces
Assign a static IP Address to the eBox NIC

Network Section-->Gateways
Create a gateway to the LAN IP Address of the router
Set as default

DHCP Section
Default Gateway=Configured Ones
Primary Nameserver=IP Address of router
Define a DHCP range to be allocated if you decide to use eBox as your DHCP server.


As far as VPN is concerned I cannot offer any suggestions as I have not explored eBox for this.  Other users on the forum may be able to assist with this, however they may be expecting eBox to be set up in the manner suggested by Jeff.
Title: Re: Ebox Setup
Post by: rutri on May 13, 2009, 03:34:44 pm
Sam,

   I will read over your post, my main concern is getting the VPN setup on the ebox, I know you can set it up behind a router however there is no documentation on how to set it up.  What Jeff suggests might not be too bad of an idea, especially since it looks like ebox may be able to handle load sharing across multiple internet connections.  And if it gets too hard to set up this thing I may just go back to my windows server, it seems a lot easier to do this stuff in windows where I am more familiar.

Regards,

Richard
Title: Re: Ebox Setup
Post by: SamK on May 13, 2009, 04:16:16 pm
...my main concern is getting the VPN setup on the ebox, I know you can set it up behind a router however there is no documentation on how to set it up.
A quick search of the forum turned up this HOWTO; it might help.  I have not tested it.
http://forum.ebox-platform.com/index.php?topic=1013.0
Title: Re: Ebox Setup
Post by: rutri on May 13, 2009, 06:59:17 pm
Yes, I have read this one and had it set up according to this, however I have little knowledge of how to do these items:
Quote
-A complete gateway setup, including that the dns is running, and the default on dhcp (ie. your -Default gateway is the ip of the ebox)
-An understanding of how to make sure everything is working, or a computer to try it with (when we are done)

I had the VPN set up and connected already, however I am unable to see my network. I looked at the gateway and could not see one on my client computer so I figure that I am missing something when it comes to setting up the gateway.  I tried to see if I could set up a gateway for the virtual router however I was successful at that.  As far as I can tell you need to have the DHCP and everything running but it seems that DHCP's and Gateways are common knowledge here and I am out of my league because I am unable to find any detailed tutorials on how to do this.
Title: Re: Ebox Setup
Post by: SamK on May 13, 2009, 07:49:11 pm
I am out of my league because I am unable to find any detailed tutorials on how to do this.
This is probably the most detailed guide on the forum to setting up an eBox and includes guidance on setting up a gateway and DHCP.  It follows the model Jeff has suggested.
http://forum.ebox-platform.com/index.php?topic=896.0
Title: Re: Ebox Setup
Post by: rutri on May 13, 2009, 08:18:15 pm
Thank you guys, I will have a look at all of the information given to me when I get a chance later today.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 01:44:02 am
OK, DHCP is set up, however it would seem that I need to set up a gateway, however I did not see any reference to it in the http://forum.ebox-platform.com/index.php?topic=896.0 tutorial on how to set up a gateway if your IP address is given by a DHCP server.
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 03:14:30 am
An eBox with one interface assigned as external and one assigned as internal is able to function as a gateway. In that case, the DHCP service's default gateway would be the eBox itself.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 03:21:17 am
I have the following Network Configurations:

Eth0
Method: DHCP
External: Checked

Eth1
Method: Static
External: Not Checked
IP Address:192.168.198.1
Net Mask: 255.255.255.0

I currently have no gateways set up.
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 03:26:36 am
Nor do I in this scenario. eBox automagically takes care of the necessary routing between the external and internal interfaces.

That said, there is another key step to getting LAN access to the outside world. The firewall module has to be enabled and an "Allow" rule for the HTTP service (and any other required service) has to be set up. By default, eBox blocks all such traffic, if I'm not mistaken.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 03:35:43 am
Do you know what default ones are needed to get this thing going?  Also what did you set your Search domain as?  My DHCP Configuration is as follows:

Default gateway: eBox
Search domain: None
Primary nameserver:75.154.132.68
Secondary nameserver:75.154.132.100

The name servers are telus (My ISP) name servers.

DHCP ranges

Interface IP address:    192.168.198.1
Subnet:    192.168.198.0/24
Available range:    192.168.198.1 - 192.168.198.254
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 03:46:57 am
The basics would be HTTP and mail, I think. In the case of mail I use the "Mail system" service. For testing purposes, to see if things are working at all, you can temporarily use the "any" service. So you'd have Decision: Accept, Source: Any, Destination: Any, and Service: any. If things are working, then substitute "any" with at least "http" and "Mail system." Another one likely to be necessary but not already set up as eBox services is IM, where the port(s) will be determined by the IM service you use.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 03:49:58 am
The problem is nothing goes out, I am currently allowing everything and I still can't ping or anything, I even tried to ping www.google.ca but that did not work either.  Maybe I am missing something?
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 04:01:16 am
Sorry, I missed the edit.

It looks to me like the common options are set correctly. By "correctly" I mean that these should work. eBox can, of course, be correctly configured differently.

Are computers on your LAN assigned static IP addresses in the 192.168.198.1 - 192.168.198.254 range? If not, and if you want eBox to dynamically assign addresses to them, you'll have to define some portion (or all, if you wish) of the available address space (the "available range") as a DHCP range under "Ranges."

For example, the eBox I'm behind right now has an available range of 192.168.2.1 - 192.168.2.254. Under "Ranges" I have a range named "Workstations," and that range extends from 192.168.2.100 - 192.168.2.124, for 25 DHCP addresses. The DHCP service assigns dynamic addresses out of that range only.

Are you trying to ping out of eBox itself or from a machine on the LAN?
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 04:23:57 am
I couldn't even ping google from an ssh terminal to the ebox.  That must mean that Ebox is having issues other than the DHCP.  Also I use a combination of static and dynamic IP addresses in my network.  I am pretty sure the configuration I have for the DHCP server is correct, I mimicked what I could from the Linksys router.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 05:25:01 am
Ok new update.  I started from scratch and got the DHCP server up and running.  Right now I have the firewall fully open until I get this thing working, then I will lock her down tighter than Fort Knox.  However from my laptop I get an IP assigned and everything fine but I cannot surf the internet.   However I am able to ping www.google.ca so I am a bit confused as to why I can surf.  Can any of you help me on this?
Title: Re: Ebox Setup
Post by: poundjd on May 14, 2009, 05:32:46 am
Rutri,  sounds like a firewall issue.  Have you set the external check box and connected a system behind eBox?  Does it get the proper DHCP setup configurations?  If the IP's look right then it again points to the firewall issue.  You need rules to allow traffic from the eth1 and eth2 into the eBox, you also need rules to allow traffic from the ebox out the eth0 to the internet. If you could ping from the console then the rule that allows ebox out eth0 out is good, look for the other rules.   Also the inbound path needs the same types of rules.

Hope this helps. 
-jeff
PS going to bed I have to get up for work in 4 hours.
-jeff
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 08:18:26 am
Well, I got the DHCP server up and running fine now.  So I went and added the openVPN package and went to set it up, however the screen will not display the configuration options for openVPN.  Nothing really has changed from what I did before except I accidentally added the beta repos to my list rather than the stable ones.  But this should make things better not worse.  I am not sure what is wrong with this install, I used sudo apt-get install ebox-openvpn just as I did before.
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 02:03:44 pm
My experience with the eBox OpenVPN module is limited to the stock 1.0 release, so I can't offer a lot of guidance. Sorry. (If you might be into the 1.2 alphas, though, things may be broken.)
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 03:09:58 pm
Yes, that is what is so confusing about it, I am running version 1.0 and it seems to be buggy.
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 03:24:28 pm
All I can say is that that's not the case in my experience. I have more experience (as in more hours of use) with eBox-to-eBox VPN than the road warrior side, but all my experience so far has been positive (getting the Windows client working is a little tricky, but once set up correctly, it seems solid).

I don't recall ever having trouble seeing the VPN setup options, for example. The please-meet-the-certificate-requirements notice is the thing first seen, of course, if no certificates have been issued via the eBox CA tools. But once beyond that step, I've not had trouble configuring VPN.

You mentioned installing the module. I'm curious about that since the module should be installed during eBox setup. The module only needs enabling, as far as I can recall, in a normal eBox installation.
Title: Re: Ebox Setup
Post by: rutri on May 14, 2009, 04:18:41 pm
OK, here is another thing that may be contributing to my issue:

Code:
Reading package lists... Done
W: GPG error: http://ppa.launchpad.net hardy Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5F99A088342D17AC
W: You may want to run apt-get update to correct these problems

I have tried everything on this http://forum.ebox-platform.com/index.php?topic=1068.0 site and still no luck.  Here is what I get when I try the things posted on this link:

Code:
sysadmin@UbuntuServer:~$ GPGKEY= hkp://subkeys.pgp.net
-bash: hkp://subkeys.pgp.net: No such file or directory
sysadmin@UbuntuServer:~$
sysadmin@UbuntuServer:~$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys 5F99A088342D17AC
gpg: requesting key 342D17AC from hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
sysadmin@UbuntuServer:~$ gpg --export --armor 5F99A088342D17AC | sudo apt-key add -
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
sysadmin@UbuntuServer:~$ ping hkp://subkeys.pgp.net
ping: unknown host hkp://subkeys.pgp.net
sysadmin@UbuntuServer:~$
Title: Re: Ebox Setup
Post by: Sam Graf on May 14, 2009, 04:30:51 pm
I suggest using Launchpad's own solution (https://help.launchpad.net/Packaging/PPA#Adding%20a%20PPA%20to%20your%20Ubuntu%20repositories). You may have to scroll down a bit to see "Adding the keys in the terminal." That's the only method I use to add keys on fresh installs and it's worked without problem so far.

(I'll add, for the sake of completeness, that if the eBox you're working on is behind another eBox, you'll need to open that eBox's firewall to retrieve keys. There is here somewhere a reference to the exact port, but in the absence of that information temporarily accepting traffic on the "any" service works as well.)
Title: Re: Ebox Setup
Post by: rutri on May 15, 2009, 03:35:50 am
OK, got that working but still having problems seeing everything on the openVPN configuration tab.
Title: Re: Ebox Setup
Post by: rutri on May 16, 2009, 06:47:39 am
Ok got everything up and running, however when I VPN in I cannot see my LAN computers.  One thing I did notice is that my VPN connection does not have a gateway.  Is this normal, or did I miss something in the configuration?
Title: Re: Ebox Setup
Post by: sixstone on May 18, 2009, 09:58:21 am
Have you advertised the LAN in your VPN server settings?

Afterwards, make sure that eBox is the default gateway for your LAN clients or set NAT option in VPN server settings.

Best rutri,
Title: Re: Ebox Setup
Post by: rutri on May 23, 2009, 05:16:42 pm
Thank you everyone for your support on this, I just had time to finish it.  Found the problem to be with the firewall initially, the firewall was blocking the port by default.  Once I fixed that issue I also learned that the VPN cannot be in the same subnet that you are in, IE: If you are 192.168.1.X and your VPN is 192.168.1.X then it will not work properly.  For this reason I chose my internal network to be 192.168.198.X, I figured that there are very few people on that subnet if any at all.  Anyway, I have it up now and it's working just fine, in fact I am using it as we speak to get files from my server.
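
The subnet collision described in the closing post can be checked before a road-warrior VPN is deployed. The following is an added example, not part of the original thread or of eBox: it compares the networks a remote client is likely to sit on, the VPN address pool, and the LAN advertised through the VPN. The VPN pool 192.168.160.0/24 and the list of common remote LANs are constructed sample values; 192.168.1.0/24 and 192.168.198.0/24 are the networks named in the post.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread):
COMMON_REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]
VPN_POOL = "192.168.160.0/24"


def _net(cidr):
    # strict=False accepts a host address with a prefix, e.g. 192.168.1.57/24
    return ipaddress.ip_network(cidr, strict=False)


def vpn_conflicts(client_lans, vpn_pool, advertised_lans):
    """Return (kind, net_a, net_b) for every overlap that breaks client routing.

    client_lans     -- networks the remote client may be attached to
    vpn_pool        -- addresses handed to VPN clients
    advertised_lans -- internal networks pushed to clients as routes
    """
    pool = _net(vpn_pool)
    advertised = [_net(n) for n in advertised_lans]
    conflicts = []
    # The pool itself must not sit inside the LAN it gives access to.
    for adv in advertised:
        if adv.overlaps(pool):
            conflicts.append(("pool-vs-advertised", str(pool), str(adv)))
    for lan in map(_net, client_lans):
        # Client's local network hides the VPN peer addresses.
        if lan.overlaps(pool):
            conflicts.append(("client-vs-pool", str(lan), str(pool)))
        # Client's local network hides the remote LAN: packets for the
        # server stay on the local segment and never enter the tunnel.
        for adv in advertised:
            if lan.overlaps(adv):
                conflicts.append(("client-vs-advertised", str(lan), str(adv)))
    return conflicts


if __name__ == "__main__":
    for internal in ("192.168.1.0/24", "192.168.198.0/24"):
        found = vpn_conflicts(COMMON_REMOTE_LANS, VPN_POOL, [internal])
        print(internal, "->", found or "no overlap")
```

An empty result only covers the client networks listed; a remote site using a network that is not in the list can still collide.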