Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: snarf77 on August 30, 2010, 11:41:46 am
-
Hello everybody,
I'm starting to configure my Zentyal VPN server and I have (I guess) a total beginner's question.
I watched the tutorial "how to set up a vpn" but I'm stuck at the beginning. Actually, I don't understand the client configuration. In the video, for example, the eBox admin never uses the "Client" submenu of the "VPN" menu in the left banner. He only uses "Download client bundle" from the Server submenu.
Does this replace any client config? How do I use the client certificate I issued?
When I try to add a client, eBox tells me that my server config is not finished, but I don't know what to add...
Finally, from an Ubuntu client (connected to eth0 of the eBox server (external), eth1 being the LAN I want to access remotely) I install the openvpn package and try:
openvpn --config mygeneratedebundle.conf and I got the following terminal answer:
PS: I added a rule in the firewall to allow the VPN service (I left the default port during the server configuration).
Here is the log:
Thanks in advance for your help, and again congratulations for this great software.
Mon Aug 30 11:07:49 2010 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Mon Aug 30 11:07:49 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Mon Aug 30 11:07:49 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug 30 11:07:49 2010 WARNING: file 'clientCAname.pem' is group or others accessible
Mon Aug 30 11:07:49 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Aug 30 11:07:49 2010 LZO compression initialized
Mon Aug 30 11:07:49 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 30 11:07:49 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Aug 30 11:07:49 2010 Local Options hash (VER=V4): 'd79ca330'
Mon Aug 30 11:07:49 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Aug 30 11:07:49 2010 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Aug 30 11:07:49 2010 UDPv4 link local: [undef]
Mon Aug 30 11:07:49 2010 UDPv4 link remote: [AF_INET]192.168.1.200:1194
Mon Aug 30 11:07:49 2010 TLS: Initial packet from [AF_INET]192.168.1.200:1194, sid=1a6d7cf1 264c552c
Mon Aug 30 11:07:49 2010 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=CompanyName/CN=Certification_Authority_Certificate
Mon Aug 30 11:07:49 2010 VERIFY X509NAME OK: /C=FR/ST=Region/L=City/O=CompanyName/CN=vpn-vpn.companyname.com
Mon Aug 30 11:07:49 2010 VERIFY OK: depth=0, /C=FR/ST=Region/L=City/O=CompanyName/CN=vpn-vpn.companyname.com
Mon Aug 30 11:07:49 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 30 11:07:49 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 30 11:07:49 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 30 11:07:49 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 30 11:07:49 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 30 11:07:49 2010 [vpn-vpn.companyname.com] Peer Connection Initiated with [AF_INET]192.168.1.200:1194
Mon Aug 30 11:07:51 2010 SENT CONTROL [vpn-vpn.companyname.com]: 'PUSH_REQUEST' (status=1)
Mon Aug 30 11:07:51 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.2 255.255.255.0'
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: route options modified
Mon Aug 30 11:07:51 2010 OPTIONS IMPORT: route-related options modified
Mon Aug 30 11:07:51 2010 ROUTE default_gateway=192.168.1.1
Mon Aug 30 11:07:51 2010 Note: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
Mon Aug 30 11:07:51 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Aug 30 11:07:51 2010 Cannot allocate TUN/TAP dev dynamically
Mon Aug 30 11:07:51 2010 Exiting
-
Hi,
Thank you for including the log. There are a few more things that would be good to have so that the great people in this forum will have a chance to help you. :-) Please take a look at the link in my signature to get a few tips.
-
Hi OceanWatcher,
thanks for the reply and for the advice...
This machine, named portal, is dedicated to hosting a frontend server for a small business, including mail server, DNS and DHCP services for the LAN, and a VPN to authorise road warriors to access another web server on the LAN.
It has two interfaces: eth0 for the WAN and eth1 for the LAN.
For this purpose, I installed Zentyal (I don't know which version, but installed on August 27th so probably the latest available) and the following modules:
ii ebox-antivirus 1.5.2-0ubuntu1~ppa1~lucid1 eBox - Antivirus
ii ebox-ca 1.5.4-0ubuntu1~ppa1~lucid1 Zentyal - Certification Authority
ii ebox-dhcp 1.5.4-0ubuntu1~ppa1~lucid1 Zentyal - DHCP Service
ii ebox-dns 1.5.1-1ubuntu1~ppa1~lucid1 eBox - DNS Service
ii ebox-ebackup 1.5.3-0ubuntu1~ppa1~lucid1 Zentyal - Backup
ii ebox-egroupware 1.5.1-0ubuntu1~ppa1~lucid1 eBox - Groupware
ii ebox-firewall 1.5.6-0ubuntu1~ppa1~lucid1 Zentyal - Firewall
ii ebox-ftp 1.5.2-0ubuntu1~ppa1~lucid1 Zentyal - FTP
ii ebox-ids 1.5.2-0ubuntu1~ppa1~lucid1 eBox - Intrusion Detection System
ii ebox-mail 1.5.4-0ubuntu1~ppa1~lucid1 Zentyal - Mail Service
ii ebox-mailfilter 1.5.3-0ubuntu1~ppa1~lucid1 Zentyal - Mail Filter
ii ebox-monitor 1.5.5-0ubuntu1~ppa1~lucid1 Zentyal - Monitor
ii ebox-network 1.5.7-0ubuntu1~ppa1~lucid1 Zentyal - Network Configuration
ii ebox-ntp 1.5.2-0ubuntu1~ppa1~lucid1 Zentyal - NTP Service
ii ebox-objects 1.5.1-0ubuntu1~ppa1~lucid1 eBox - Network Objects
ii ebox-openvpn 1.5.4-0ubuntu1~ppa1~lucid1 Zentyal - VPN Service
ii ebox-printers 1.5.2-0ubuntu1~ppa1~lucid1 Zentyal - Printer Sharing
ii ebox-remoteservices 1.5.7-0ubuntu1~ppa1~lucid1 Zentyal - Control Center Client
ii ebox-samba 1.5.8-0ubuntu1~ppa1~lucid1 Zentyal - File Sharing
ii ebox-services 1.5.4-0ubuntu1~ppa1~lucid1 Zentyal - Network Services
ii ebox-software 1.5.5-0ubuntu1~ppa1~lucid1 Zentyal - Software Management
ii ebox-usersandgroups 1.5.8-0ubuntu1~ppa1~lucid1 Zentyal - Users and Groups
ii ebox-webserver 1.5.5-0ubuntu1~ppa1~lucid1 Zentyal - Web Server
Concerning eBox, here is what I get when trying to add a client:
2010/08/30 10:38:03 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: logs
2010/08/30 10:40:06 DEBUG> Clients.pm:143 EBox::OpenVPN::Model::Clients::_validateService - Cannot activate the client because is not fully configured; please edit the$
2010/08/30 11:02:50 INFO> Global.pm:473 EBox::Global::saveAllModules - Saving config and restarting services: services firewall
2010/08/30 11:02:50 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: services
2010/08/30 11:02:51 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: firewall
2010/08/30 11:02:53 INFO> Base.pm:799 EBox::Module::Base::_hook - Running hook: /etc/ebox/hooks/firewall.postservice 1
2010/08/30 11:06:05 DEBUG> DataTable.pm:3324 EBox::Model::DataTable::_checkFieldIsUnique - Service name vpn already exists.
2010/08/30 11:06:56 INFO> Global.pm:473 EBox::Global::saveAllModules - Saving config and restarting services: firewall mailfilter logs
2010/08/30 11:06:56 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: firewall
2010/08/30 11:06:58 INFO> Base.pm:799 EBox::Module::Base::_hook - Running hook: /etc/ebox/hooks/firewall.postservice 1
2010/08/30 11:06:58 INFO> Base.pm:153 EBox::Module::Base::save - Restarting service for module: mailfilter
2010/08/30 11:07:00 ERROR> Sudo.pm:216 EBox::Sudo::_rootError - root command /usr/bin/test -e '/var/run/p3scan/p3scan.pid' failed.
Nothing more, as far as I can see..
If anybody needs something else ... don't hesitate to ask..
thanks
Snarf77
-
I install openvpn package and try the :
openvpn --config mygeneratedebundle.conf and I got the following terminal answer:
Try this command with root permissions.
sudo openvpn --config mygeneratedebundle.conf
It has been my experience that this message "Cannot allocate TUN/TAP dev dynamically" is openvpn telling you that it doesn't have permission to create the tun/tap device, probably because it requires root permissions.
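As an added example (not code from Zentyal or OpenVPN, and not part of this thread), here is a small pre-flight script that checks the two things the log above complains about before running a client bundle: the "file ... is group or others accessible" warning on the certificate files, and the tun/tap creation that fails without root. It assumes a POSIX shell with awk and ls, a bundle that references its files by name (as the Zentyal bundle does), and paths without whitespace.

```sh
#!/bin/sh
# Pre-flight checks for an OpenVPN client bundle. Added example, not code
# from Zentyal or OpenVPN; it covers the two things the log above complains
# about: key files readable by group/others, and no permission for tun/tap.
# Assumes a POSIX shell with awk and ls, and file paths without whitespace.

# List the files named by ca/cert/key/tls-auth directives in the .conf;
# relative names resolve against the .conf's directory, as OpenVPN does.
bundle_files() {
    dir=$(dirname "$1")
    awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="tls-auth" {print $2}' "$1" |
    while IFS= read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s/%s\n' "$dir" "$f" ;;
        esac
    done
}

# Return 0 when every listed file is readable and has no group/other bits
# (the condition behind "WARNING: file ... is group or others accessible").
# The private key is what matters: anyone who can read it can be this client.
check_perms() {
    rc=0
    for f in $(bundle_files "$1"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"; rc=1; continue
        fi
        # characters 5-10 of ls -l are the group and other rwx fields
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "group/other accessible, chmod 600 it: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when a tun/tap device can be created: /dev/net/tun must exist and
# we must be root (or hold CAP_NET_ADMIN); this is what "Cannot ioctl
# TUNSETIFF tap: Operation not permitted" and "Exiting" in the log mean.
check_tun() {
    [ -c /dev/net/tun ] || { echo "/dev/net/tun missing (modprobe tun)"; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "not root: sudo openvpn --config ..."; return 1; }
    return 0
}

# Usage: sh preflight.sh mygeneratedebundle.conf
if [ -n "${1:-}" ]; then check_tun && check_perms "$1"; fi
```

Run it against the bundle's .conf before `sudo openvpn --config ...`; a non-zero exit means one of the two problems from the log is still present.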
-
Thanks a lot Placebo,
You guessed right... only a question of permission. Everything is working now.
Thanks
Snarf77