Sat Industry Forums > Dreambox > DB Images > Nabilo Images

#1, posted 03-24-2007 by bacicciosat (coder)
Nabilosat Image OpenVpn Howto & Infos "all about openvpn"

Here are some tutorials by "Piefav".
#2, posted 03-24-2007 by bacicciosat
Re: Nabilosat Image OpenVpn Howto & Infos "all about openvpn"

OpenVPN with Nabilo 06, p2p version (2 DreamBoxes only)

English: (translation by Joy_Fun_Man)


Installing OpenVPN on Nabilo 06:

This is needed only for the Nabilosat DM7000 image, because OpenVPN is fully included in the Nabilosat DM7020 nfi image:
Download and install, from the addons download panel, the plugin Nabilosat OpenVPN plugin 01 for Nabilosat v. 06 Plus.


After installing it, open port 1194 UDP on the router and forward it to the IP of the Dream.

Then, among the plugins (yellow button, twice) you will find your plugin for OpenVPN.

The Nabilo plugin, with the start command, does the START of the VPN with the configuration it reads in the folder /var/etc/openvpn/

N.B. For this to work, there must be only one file with the extension .conf in this folder.

Configuring the connection between 2 DreamBoxes p2p

The Dream that will act as server, for example, must have only one file with extension conf, which will be called serverp2p.conf

While the Dream that will act as client must have only one file with extension conf, which will be called client.conf

Generating a personal authentication key (in the folder you already find a file with an authentication key, called prova.key, inside the folder /var/etc/openvpn/key/)

To create an authentication key file from telnet, run the command

/var/sbin/openvpn --genkey --secret /var/etc/openvpn/keys/xxxx.key

This command will create a new key called xxxx, where xxxx is the name you want to give your key. The file xxxx.key should also be copied, in a secure manner, onto the Dream client.

So a copy of the generated file (every time I give the command, a new random 1024 key is generated) must reside on both Dreams.

File config for serverp2p (serverp2p.conf)

Code:
# openvpn config for server p2p
# serverp2p.conf
#
# set the communication port to port 1194
port 1194
# assign to the server the ip 10.8.0.1 and to the client 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append  /var/etc/openvpn/openvpn.log
prova.key should correspond to your file xxxx.key (as seen above).

If everything is set up properly, we can give the start command from the remote control, choosing start from the combo and pressing the green key to execute the command.
On the Dream that will act as p2p client, we should instead create a config file like this:

Configuration file clientp2p.conf

Code:
# openvpn config for client p2p
# clientp2p.conf
#
# address of the server
remote xxxx.no-ip.org
# set the communication port to port 1194
port 1194
# assign to the client 10.8.0.2 and to the server the ip 10.8.0.1
ifconfig 10.8.0.2 10.8.0.1
# the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append /var/etc/openvpn/openvpn.log
Now we can start, from the remote control, our VPN on the Dream client as well.
If everything works, the Dream server will see the Dream client with IP 10.8.0.2, while the client will see the server as 10.8.0.1, and the VPN will have added a route to channel requests for the IP 10.8.0.2 towards the tun device; in fact, giving route and ping we will get the following result


Code:
root@dreambox:/var/etc/openvpn> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.62.0    *               255.255.255.0   U     0      0        0 eth0
default         DSL302.Netservi 0.0.0.0         UG    0      0        0 eth0
root@dreambox:/var/etc/openvpn> ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: icmp_seq=0 ttl=64 time=95.8 ms
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=6.4 ms

--- 10.8.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6.4/51.1/95.8 ms
Note well: if you test with one machine inside and one outside FASTWEB, the server machine must be the one outside FASTWEB.


Until the next tutorial, with a server for multiple clients
Hello
PieFav
__________________



**************************************
French by Franjuve:

OpenVPN with Nabilo 06, p2p version (2 machines only)

OpenVPN howto, original in Italian by PieFav


translated into French by franzjuve, Nabilosat-Team

OpenVPN with Nabilo V0.6 p2p (2 machines only)


Installing OpenVPN on Nabilo v0.6:
This is needed only for the Nabilosat DM7000 image because OpenVPN is fully included in the Nabilosat DM7020 nfi image:

Download and install, via the addons download panel, the Plugin Nabilosat OpenVPN 01 for Nabilosat v0.6.

After installing it, open port 1194 UDP on your router and point it at the IP of your Dreambox.


Now press the yellow button twice to see your OpenVPN plugin appear in the list of plugins.

To start the Nabilo OpenVPN plugin, press the start button; the VPN will start with the configuration found in the directory /var/etc/openvpn/

N.B. For the plugin to work using this directory, there must always be only one file with the extension .conf


Configuring a connection with 2 machines P2P


The machine that will be the server will have, for example, the single file with extension conf, called serverp2p.conf


The client machine will have a single file with extension conf, called client.conf


Generate a personal authentication key (in the directory /var/etc/openvpn/key/ you will already find a file named prova.key with an authentication key)


To create an authentication key file via telnet, type the following command
/var/sbin/openvpn --genkey --secret /var/etc/openvpn/keys/xxxx.key


This command will create a new key called xxxx, where xxxx is the name you want to give your key.
The file xxx.key must also be copied securely onto the client machine.


So a copy of the generated file (each time I type the command, it generates a random 1024 key for me) must reside on each machine

Config file for serverp2p (serverp2p.conf)

Code:
# openvpn config for server p2p
# serverp2p.conf
#
# set the communication port to port 1194
port 1194
# assign to the server the ip 10.8.0.1 and to the client 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# set the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append  /var/etc/openvpn/openvpn.log
prova.key must correspond to your file xxxx.key (seen above)

When everything is ready, you can execute the start command from the remote control by selecting it and pressing the green button to run the command.

On the machine that will be the p2p client, you must create a config file of this type:

Configuration file clientp2p.conf

Code:
# openvpn config for client p2p
# clientp2p.conf
#
# address of the server to reach
remote xxxx.no-ip.org
# set the communication port to port 1194
port 1194
# assign to the client 10.8.0.2 and to the server the ip 10.8.0.1
ifconfig 10.8.0.2 10.8.0.1
# set the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append /var/etc/openvpn/openvpn.log
prova.key must correspond to your file xxxx.key (seen above).

From now on you can also start your VPN client machine from the remote control.

If everything works, the server machine will see the client machine with the IP 10.8.0.2, and the client will see the server with the IP 10.8.0.1, and the VPN will have added a route to channel requests for the IP 10.8.0.2 towards the tun device; in fact, giving route and ping we will obtain the following result

Code:
root@dreambox:/var/etc/openvpn> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.62.0    *               255.255.255.0   U     0      0        0 eth0
default         DSL302.Netservi 0.0.0.0         UG    0      0        0 eth0
root@dreambox:/var/etc/openvpn> ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: icmp_seq=0 ttl=64 time=95.8 ms
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=6.4 ms

--- 10.8.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6.4/51.1/95.8 ms
__________________



**************************************
Italian Original by Piefav:

Configuring a connection between 2 machines p2p

The machine that will act as server will have, for example, the single file with extension conf, called serverp2p.conf

While the machine that will act as client will have a single file with extension conf, called client.conf

Generating a personal authentication key (in the folder you already find a file with an authentication key called prova.key, inside the folder /var/etc/openvpn/key/)

To create a personal authentication file from telnet, run the command
/var/sbin/openvpn --genkey --secret /var/etc/openvpn/keys/xxxx.key

This command will create a new key called xxxx, where xxxx is the name you want to give your key.
The file xxx.key must also be securely copied onto the client machine.

Therefore a copy of the generated file (every time I give the command, a random 1024 key is generated) must reside on both machines.

Config file for serverp2p (serverp2p.conf)
Code:
# openvpn config for server p2p
# serverp2p.conf
#
# set the communication port to port 1194
port 1194
# assign to the server the ip 10.8.0.1 and to the client 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# set the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append  /var/etc/openvpn/openvpn.log
prova.key must correspond to your file xxxx.key seen above.

With everything prepared, we can give the start command from the remote control, selecting start from the combo and pressing the green key to execute the command.

On the machine that will act as p2p client we should instead create a config file like this

Configuration file clientp2p.conf

Code:
# openvpn config for client p2p
# clientp2p.conf
#
# address of the server to reach
remote xxxx.no-ip.org
# set the communication port to port 1194
port 1194
# assign to the client 10.8.0.2 and to the server the ip 10.8.0.1
ifconfig 10.8.0.2 10.8.0.1
# set the level of detail of the log
verb 5
# assign tun as device for the vpn
dev tun0
# authentication file
secret /var/etc/openvpn/keys/prova.key
# creates a log file
log-append /var/etc/openvpn/openvpn.log
prova.key must correspond to your file xxxx.key seen above.

At this point we can also start our VPN on the client machine from the remote control.

If everything works, the server machine will see the client machine with IP 10.8.0.2, while the client will see the server as 10.8.0.1,
and the VPN will have added a route to channel requests for the IP 10.8.0.2
towards the tun device; in fact, giving route and ping we will get the following result


Code:
root@dreambox:/var/etc/openvpn> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.62.0    *               255.255.255.0   U     0      0        0 eth0
default         DSL302.Netservi 0.0.0.0         UG    0      0        0 eth0
root@dreambox:/var/etc/openvpn> ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: icmp_seq=0 ttl=64 time=95.8 ms
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=6.4 ms

--- 10.8.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6.4/51.1/95.8 ms
Note well: if you test it with machines inside and outside FastWeb, the server machine must be the one outside the FW network

Until next time, with a server for multiple clients
Bye
PieFav

Last edited by bacicciosat : 03-25-2007 at 01:02 AM.
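The two-box static-key setup in this post, as an added preflight check that is not part of the thread, of PieFav's howto or of the Nabilosat plugin. It is plain POSIX sh, meant to run on a workstation before the files are copied to the boxes; it verifies the invariants the post states (exactly one .conf per side, mirrored ifconfig, same port, the secret file present) and adds a permissions check on the key, since in static-key mode that file is the only credential. The sample tree it builds is constructed here with a placeholder key body (only the marker line matches real --genkey output); the directory layout and the key name prova.key follow the post.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the two-box static-key
# setup. Assumed layout, as in the post: each Dreambox has a config directory
# holding exactly one *.conf (the plugin starts whatever single file it finds)
# and a "secret" directive naming a key made with "openvpn --genkey --secret".

# Print the value of directive $2 from conf file $1, comments stripped and
# whitespace squeezed; empty if the directive is absent or commented out.
conf_get() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*[#;].*$//; s/[[:space:]]+/ /g; s/[[:space:]]+$//"
}

# 0 if directory $1 holds exactly one .conf file.
single_conf() {
    set -- "$1"/*.conf
    [ $# -eq 1 ] && [ -f "$1" ]
}

# 0 if $1 exists, carries the static-key marker and is unreadable by group
# and others. In this mode the key is the only credential: anyone who can
# read it can bring up the tunnel.
key_ok() {
    [ -f "$1" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# One side: exactly one conf, and the key it names passes key_ok.
check_side() {
    single_conf "$1" || { echo "$1: need exactly one .conf"; return 1; }
    set -- "$1"/*.conf
    key=$(conf_get "$1" secret)
    key_ok "$key" || { echo "$1: secret '$key' missing, not a static key, or too permissive"; return 1; }
}

# Both sides: same port, and the client's ifconfig is the server's reversed
# (server "10.8.0.1 10.8.0.2", client "10.8.0.2 10.8.0.1").
check_pair() {
    check_side "$1" && check_side "$2" || return 1
    set -- "$1"/*.conf "$2"/*.conf
    s_port=$(conf_get "$1" port); c_port=$(conf_get "$2" port)
    [ "$s_port" = "$c_port" ] || { echo "port mismatch: '$s_port' vs '$c_port'"; return 1; }
    s_if=$(conf_get "$1" ifconfig); c_if=$(conf_get "$2" ifconfig)
    [ "$c_if" = "${s_if#* } ${s_if%% *}" ] || { echo "ifconfig not mirrored: '$s_if' vs '$c_if'"; return 1; }
}

# Constructed sample tree mirroring the post's two configs. The key body is a
# placeholder, not output of --genkey, so only the marker lines are real.
make_sample() {
    root=$(mktemp -d)
    for side in server client; do
        mkdir -p "$root/$side/keys"
        printf '%s\n' '#' '# placeholder static key' '#' \
            '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER' \
            '-----END OpenVPN Static key V1-----' > "$root/$side/keys/prova.key"
        chmod 600 "$root/$side/keys/prova.key"
    done
    cat > "$root/server/serverp2p.conf" <<EOF
port 1194
ifconfig 10.8.0.1 10.8.0.2
verb 5
dev tun0
secret $root/server/keys/prova.key
log-append $root/server/openvpn.log
EOF
    cat > "$root/client/clientp2p.conf" <<EOF
remote xxxx.no-ip.org
port 1194
ifconfig 10.8.0.2 10.8.0.1
verb 5
dev tun0
secret $root/client/keys/prova.key
log-append $root/client/openvpn.log
EOF
    echo "$root"
}

# Stand-alone run: build the sample tree, check it, clean up.
root=$(make_sample)
check_pair "$root/server" "$root/client" && echo "p2p preflight OK"
rm -rf "$root"
```

Point check_pair at the two config directories (or the copies kept on the workstation before they are pushed to the boxes); any failure prints the reason and returns non-zero, so it can gate a copy script.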
#3, posted 03-24-2007 by bacicciosat
Re: Nabilosat Image OpenVpn Howto & Infos "all about openvpn"

OpenVPN with Nabilo 06, server multi-client version
__________________________________________________

Configuring OpenVPN with one server and several clients

English: (translation by Joy_Fun_Man)

As regards the uniqueness of the file with extension conf in /var/etc/openvpn, the generation of the authentication key and the UDP port to open, I refer you to my thread on the P2P configuration

Unlike the p2p configuration (2 DreamBoxes only), for a server multi-client configuration it is mandatory to use certificates.

To create the certificates I used my Ubuntu box, on which I installed openvpn; together with the package, easy-rsa also gets installed, which you can find in
/usr/share/doc/openvpn/examples/easy-rsa; for convenience I copied the folder into /etc/openvpn

I changed the file vars to set the variable D, which contains the path for the creation of the keys folder, where our certificates will be.

In my case I set it like this:
export D=/etc/openvpn

If necessary, still inside vars, we can personalize the certificates by varying

export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"


File vars
Code:
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=/etc/openvpn/

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
Having saved the file, I gave the commands

. ./vars
./clean-all
./build-ca


Now the system will ask us to enter the information for your certificates; most of the answers will already be proposed, taking the data you entered in vars.
The only parameter we must enter is the Common Name, in which we should insert the identity of the VPN, e.g. VPN-Nabilo (in the certificates you find in the file I mentioned, you will find VPN-Gigi)

After this operation we move on to the creation of the certificates and keys, giving the command

./build-key-server server

There we will again be asked for the parameters, and in this case as Common Name we should give server and confirm the subsequent prompts with y; so we have obtained the certificates and keys for the server.

Now we move on to the client
with the command

./build-key client1

We will create the certificates for client1, and so on for all the clients we want to be able to connect to the server. The Common Name, in this case, must be unique for every client. Without much imagination, I called them client1, client2, client3.

Now we finish the certificates by creating the Diffie-Hellman parameters, with the command

./build-dh

Now in the sub-folder keys we will find all the keys and certificates. We must move them to /var/etc/openvpn/keys on our DreamBox.

On our server we must put these files in /var/etc/openvpn/keys

ca.crt # unique for the server and for all clients
server.crt
server.key
prova.key # unique for the server and for all clients
dh1024.pem

While on every client we must put, again in /var/etc/openvpn/keys, these

ca.crt # unique for the server and for all clients
clientx.crt
clientx.key
prova.key # unique for the server and for all clients

where clientx is the name of the certificate and key personalized for every client

After that, I paste the configuration file to start the openvpn server; the certificates and keys, as said above, I expect to be in the folder /var/etc/openvpn/keys

Code:
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /var/etc/openvpn/keys/ca.crt
cert /var/etc/openvpn/keys/server.crt
key /var/etc/openvpn/keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /var/etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/etc/openvpn/ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.62.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir /etc/openvpn/ccd

#;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
;keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /var/etc/openvpn/keys/prova.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/etc/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         /var/etc/openvpn/openvpn.log
;log-append  /var/etc/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
Now, with the plugin of our Nabilo, we give the Start command to start the VPN

and after the start we can check the log to see whether the server came up properly. If all went well, the log should end like this

Quote:
Fri Mar 16 01:12:01 2007 us=120049 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 16 01:12:01 2007 us=120844 TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Mar 16 01:12:01 2007 us=261116 TUN/TAP device tun0 opened
Fri Mar 16 01:12:01 2007 us=262334 TUN/TAP TX queue length set to 100
Fri Mar 16 01:12:01 2007 us=268801 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Mar 16 01:12:01 2007 us=337210 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Mar 16 01:12:01 2007 us=375118 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Fri Mar 16 01:12:01 2007 us=381348 Socket Buffers: R=[104448->131072] S=[104448->131072]
Fri Mar 16 01:12:01 2007 us=382921 UDPv4 link local (bound): [undef]:1194
Fri Mar 16 01:12:01 2007 us=383394 UDPv4 link remote: [undef]
Fri Mar 16 01:12:01 2007 us=384349 MULTI: multi_init called, r=256 v=256
Fri Mar 16 01:12:01 2007 us=385933 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Mar 16 01:12:01 2007 us=402237 IFCONFIG POOL LIST
Fri Mar 16 01:12:01 2007 us=403917 client1,10.8.0.4
Fri Mar 16 01:12:01 2007 us=404464 client2,10.8.0.8
Fri Mar 16 01:12:01 2007 us=405610 client3,10.8.0.12
Fri Mar 16 01:12:01 2007 us=406803 Initialization Sequence Completed
to be continued in the next post
#4, posted 03-24-2007 by bacicciosat
Re: Nabilosat Image OpenVpn Howto & Infos "all about openvpn"

This instead will be the configuration for the first client
Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxxxxx.dyndns.info 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /var/etc/openvpn/keys/ca.crt
cert /var/etc/openvpn/keys/client1.crt
key /var/etc/openvpn/keys/client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /var/etc/openvpn/keys/prova.key 1

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         /var/etc/openvpn/openvpn.log
;log-append  /var/etc/openvpn/openvpn.log


# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20
Naturally xxxxxx.dyndns.info it should be replaced with the host of the server
between the config of a client and the other the only things that will vary, they will be the names of the certificates and keys (emphasized in red)

We are able now to pass at the DreamBox and from remote control to start the VPN

IP Management

The server will be seen from all of the client with IP 10.8.0.1
Questo comes decided on the line
server 10.8.0.0 255.255.255.0
of the configuration of the server, naturally you will be able to change the sub-net to your pleasure, but it doesn't correspond to that of the card et0 of the DreamBoxes, so if your dream has the ip 192.168.1.x will be able to use all the sub-nets, with the exception of the sub-net 192.168.1.x

Every client that joins the server will be assigned an IP of the server's subnet.

With the configuration I cited, the first client that joins will be assigned the IP 10.8.0.6, the second 10.8.0.10, the third 10.8.0.14 and so on. For every client the VPN will use 4 IPs, for various purposes that I will not explain here.

With the line
ifconfig-pool-persist /var/etc/openvpn/ipp.txt

we can set our server so that it notes in the file ipp.txt the IP that was assigned to every client, so on subsequent access the same IP is assigned; by filling in this file beforehand we can choose which IP to assign to the various clients.

Note well:
In the file ipp.txt a different IP is recorded from the one with which we ping our client, namely the first of the 4 reserved for every client, so for the client you can ping at 10.8.0.6 (client1) the IP 10.8.0.4 is reserved in the file ipp.txt.

File ipp.txt
Quote:
client1,10.8.0.4
client2,10.8.0.8
client3,10.8.0.12
For this evening it seems to me that I have created a bit of confusion for you.
In future we will see how to use a whole series of parameters that for the moment I left commented out with the symbol #.

Until the next tutorial

Hello
PieFav
  #5
Old 03-24-2007
bacicciosat
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

Original Italian Version By: Piefav

OpenVPN with Nabilo 06 version server multi client

__________________________________________________

OpenVPN configuration with a server and several clients

As regards the uniqueness of the file with extension .conf in /var/etc/openvpn, the generation of the authentication key and the UDP port to open on the router (at least on the server side), I refer you to my post on the P2P configuration.

Unlike the p2p configuration, for this type of configuration it is mandatory to use certificates.

To create the certificates I used my Ubuntu, on which I installed openvpn; together with the package easy-rsa is installed too, and you can find it in /usr/share/doc/openvpn/examples/easy-rsa. For convenience I copied the folder to /etc/openvpn

I edited the vars file, setting the variable D, which holds the path where the keys folder containing our certificates will be created.
In my case I set it like this: export D=/etc/openvpn
Optionally, still inside vars, we can personalise the certificates by changing
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"

File vars
Code:
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=/etc/openvpn/

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
Having saved the file, I gave the commands

. ./vars
./clean-all
./build-ca

Now the system will ask us to enter the information for your certificates; many answers will already be proposed, taken from the data you entered in vars.
The only parameter we must enter is Common Name, where we put the identifier of the VPN, e.g. VPN-Nabilo (in the certificates you find in the file I attached you will find VPN-Gigi).

After this operation we move on to creating the certificates and keys, giving the command

./build-key-server server

We will again be asked for the parameters; in this case as Common Name we must give server and confirm the following prompts with y. With this we have obtained the certificates and keys for the server.

Now let's move on to the clients

with the command

./build-key client1

we will create the certificates for client1, and so on for all the clients we want to be able to connect to the server. The Common Name in this case must be unique for each client. In mine, with a burst of imagination, I called them client1, client2, client3.

Let's now finish the certificates by creating the Diffie-Hellman parameters, with the command

./build-dh

At this point in the keys subfolder we will find all the keys and certificates. These must be moved to /var/etc/openvpn/keys of our dream.

On our server we must move these files to /var/etc/openvpn/keys
ca.crt #same for the server and all clients
server.crt
server.key
prova.key #same for the server and all clients
dh1024.pem

While on the various clients we must put, again in /var/etc/openvpn/keys, these
ca.crt #same for the server and all clients
clientx.crt
clientx.key
prova.key #same for the server and all clients

where clientx will be the name of the certificate and key personalised for each client


Below I paste the configuration file to launch openvpn on the server side; as said above, I expect the certificates and keys to be in the folder /var/etc/openvpn/keys
Code:
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /var/etc/openvpn/keys/ca.crt
cert /var/etc/openvpn/keys/server.crt
key /var/etc/openvpn/keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /var/etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/etc/openvpn/ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.62.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir /etc/openvpn/ccd

#;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
;keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /var/etc/openvpn/keys/prova.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/etc/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         /var/etc/openvpn/openvpn.log
;log-append  /var/etc/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
At this point, using the plugin of our Nabilo, we give the Start command to start the VPN

and after startup we can check the log to see whether the server started properly. If everything went well the log should end like this
Quote:
Fri Mar 16 01:12:01 2007 us=120049 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 16 01:12:01 2007 us=120844 TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Mar 16 01:12:01 2007 us=261116 TUN/TAP device tun0 opened
Fri Mar 16 01:12:01 2007 us=262334 TUN/TAP TX queue length set to 100
Fri Mar 16 01:12:01 2007 us=268801 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Mar 16 01:12:01 2007 us=337210 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Mar 16 01:12:01 2007 us=375118 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Fri Mar 16 01:12:01 2007 us=381348 Socket Buffers: R=[104448->131072] S=[104448->131072]
Fri Mar 16 01:12:01 2007 us=382921 UDPv4 link local (bound): [undef]:1194
Fri Mar 16 01:12:01 2007 us=383394 UDPv4 link remote: [undef]
Fri Mar 16 01:12:01 2007 us=384349 MULTI: multi_init called, r=256 v=256
Fri Mar 16 01:12:01 2007 us=385933 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Mar 16 01:12:01 2007 us=402237 IFCONFIG POOL LIST
Fri Mar 16 01:12:01 2007 us=403917 client1,10.8.0.4
Fri Mar 16 01:12:01 2007 us=404464 client2,10.8.0.8
Fri Mar 16 01:12:01 2007 us=405610 client3,10.8.0.12
Fri Mar 16 01:12:01 2007 us=406803 Initialization Sequence Completed
Continued in the next post
  #6
Old 03-24-2007
bacicciosat
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

This instead will be the configuration for the first client
Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxxxxx.dyndns.info 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /var/etc/openvpn/keys/ca.crt
cert /var/etc/openvpn/keys/client1.crt
key /var/etc/openvpn/keys/client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /var/etc/openvpn/keys/prova.key 1

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         /var/etc/openvpn/openvpn.log
;log-append  /var/etc/openvpn/openvpn.log


# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20
Naturally xxxxxx.dyndns.info must be replaced with the host of the server.
Between the config of one client and the next, the only things that will change will be the names of the certificates and keys (highlighted in red).

We can now move to the dream and start the VPN from the remote control.

IP management

The server will be seen by all clients with IP 10.8.0.1.
This is decided on the line server 10.8.0.0 255.255.255.0 of the server configuration. Naturally you can change the subnet as you like; the important thing is that it does not match the one of the et0 card of the dreams, so if your dream has the IP 192.168.1.x you can use all subnets except the subnet 192.168.1.x.

Each client that joins the server will be assigned an IP of the server's subnet.
With the configuration I attached, the first client that joins will be assigned the IP 10.8.0.6, the second 10.8.0.10, the third 10.8.0.14 and so on. For every client the VPN will use 4 IPs, for various purposes I won't explain here.
With the line
ifconfig-pool-persist /var/etc/openvpn/ipp.txt
we can tell our server to note down in the file ipp.txt the IP that was assigned to each client, so that on the next access it is assigned the same IP; by filling in this file beforehand we can choose ourselves which IP to assign to the various clients.
N.B. in the file ipp.txt a different IP will be recorded from the one with which we will ping our client, namely the first of the 4 reserved for each client, so for the client pingable at 10.8.0.6 (client1) the IP 10.8.0.4 will be reserved in the file ipp.txt.
File ipp.txt
Code:
 client1,10.8.0.4
 client2,10.8.0.8
 client3,10.8.0.12
For this evening it seems to me I have messed up your lives enough.
Later on we will see how to use a whole series of parameters that for the moment I left commented out.

Bye
See you next time
PieFav
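As an added example (not part of PieFav's tutorial or of the Nabilo plugin), the following Python script reproduces the address bookkeeping described in the IP management section of this post and of the English one above: it derives the net30 client pool from the `server` line (the base=10.8.0.4 size=62 the server log reports), maps each ipp.txt entry to the server-side endpoint and the address you ping the client on, and flags a hand-written ipp.txt whose VPN subnet overlaps the LAN or whose entries are not /30 networks inside the pool. The sample config, ipp.txt, LAN and log line are constructed inline; the arithmetic assumes OpenVPN 2.0's default net30 topology, which is what the quoted log shows.

```python
import ipaddress
import re

# Constructed sample input (not the tutorial's attachment): the relevant server
# directives, a hand-written ipp.txt, the Dreambox LAN and the quoted pool log line.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/etc/openvpn/ipp.txt
"""
IPP_TXT = "client1,10.8.0.4\nclient2,10.8.0.8\nclient3,10.8.0.12\n"
LAN_SUBNET = "192.168.1.0/24"
LOG_LINE = "Fri Mar 16 01:12:01 2007 us=385933 IFCONFIG POOL: base=10.8.0.4 size=62"


def parse_server_line(conf):
    """Return the VPN network declared by the 'server <net> <mask>' directive."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "server" and len(parts) == 3:
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server' directive found")


def net30_pool(vpn_net):
    """OpenVPN 2.0 net30 layout: the server keeps the first /30 (.1 local, .2
    remote), the client pool starts at network+4 and ends at broadcast-4, so the
    last /30 (holding the broadcast) is never handed out.  Returns (base, blocks)."""
    base = int(vpn_net.network_address) + 4
    end = int(vpn_net.broadcast_address) - 4
    size = (((end | 3) + 1) - base) >> 2          # whole /30 blocks in [base, end]
    return str(ipaddress.ip_address(base)), size


def pool_from_log(line):
    """(base, size) from the 'IFCONFIG POOL: base=... size=...' log line."""
    m = re.search(r"IFCONFIG POOL: base=(\S+) size=(\d+)", line)
    return (m.group(1), int(m.group(2))) if m else None


def parse_ipp(text):
    """ipp.txt holds one 'common_name,address' per line; returns {cn: address}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            cn, addr = line.split(",")[:2]
            entries[cn.strip()] = addr.strip()
    return entries


def client_block(pool_addr):
    """The ipp.txt address is the network of the client's /30: the server-side
    endpoint is +1 and the address you ping the client on is +2
    (client1: 10.8.0.4 -> server 10.8.0.5, client 10.8.0.6)."""
    n = int(ipaddress.ip_address(pool_addr))
    return str(ipaddress.ip_address(n + 1)), str(ipaddress.ip_address(n + 2))


def check_plan(conf, ipp, lan_cidr):
    """Validate a hand-written ipp.txt against the server config: the VPN subnet
    must not overlap the LAN, and each entry must be a distinct /30 network inside
    the pool, otherwise the entry does not reserve the block you intended."""
    vpn = parse_server_line(conf)
    problems = []
    if vpn.overlaps(ipaddress.ip_network(lan_cidr)):
        problems.append(f"VPN subnet {vpn} overlaps the LAN {lan_cidr}")
    base, size = net30_pool(vpn)
    lo = int(ipaddress.ip_address(base))
    clients, seen = {}, set()
    for cn, addr in parse_ipp(ipp).items():
        n = int(ipaddress.ip_address(addr))
        if (n & 3) or not (lo <= n < lo + 4 * size):
            problems.append(f"{cn}: {addr} is not a /30 network inside the pool")
        elif n in seen:
            problems.append(f"{cn}: {addr} is already assigned to another client")
        else:
            seen.add(n)
            clients[cn] = client_block(addr)
    return {"pool": (base, size), "clients": clients, "problems": problems}
```

Run `check_plan(SERVER_CONF, IPP_TXT, LAN_SUBNET)` to get the per-client ping addresses, and compare `net30_pool(...)` with `pool_from_log(...)` to confirm the running server carved the pool you planned.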
  #7
Old 03-24-2007
Alias1
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

Nice one m8 thanks for the info
  #8
Old 03-24-2007
NmX
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

awesome thanks!
  #9
Old 10-02-2007
tushi
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

Could somebody please post a script to autostart OVPN on startup, thanks.
  #10
Old 02-23-2008
oli.kahn
Re: Nabilosat Image OpenVpn Howto & Infos" all about openvpn

Hi
I installed Nabilosat v0.8 on a Dreambox 7020 but I cannot run openvpn.
Please explain step by step what I must do to run an openvpn server with many clients.
I installed Ubuntu on my PC and copied easy-rsa from /usr/share/doc/openvpn/examples/easy-rsa to /usr/openvpn
but I don't know what I must do after that.
Please help me.
Regards