Alt-F-0.1RC1 OpenVPN

Showing 21-63 of 63 messages
Alt-F-0.1RC1 OpenVPN Cam1878 10/16/11 1:14 PM
Hi,

I'm trying to use the openvpn package that is included in the RC1
release. I have made the configuration files and keys on a linux VM
but I do not know how to start the vpn server on my DNS-323.

I can telnet and SSH to the box but I do not know which commands to
use to set up the openvpn server or load the .conf files (also where
to save them on my NAS).

I have tried looking on the forum but none of the threads are recent
and don't apply to the recent release.

Can anyone provide a step-by-step method of getting it to work?

Thanks
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/17/11 7:14 AM
I can't help you with openvpn setup, as I never used it. I only made
the functional checks  recommended in the INSTALL file.
I would like to provide full openvpn configuration support on Alt-F,
with your help.
But we will do that on a second stage, if you agree.

First you have to make sure that your certificates and configuration
are working.

Start creating the place where certificates and configuration files
will be:

   mkdir /etc/openvpn

and copy the certificates and configuration file to there.

Load the kernel driver:

   modprobe tun

perhaps openvpn loads it for you, You have to figure out this latter.

Now start openvpn with the correct options. I don't know what to use,
you have to follow a tutorial.

   openvpn --config /etc/openvpn/yourconfigfile --other needed
options?

Test it's working, and when everything it fine, let's automate it's
Alt-F working. Do the following:

   ln -sf /usr/sbin/rcscript /sbin/rcopenvpn

and create a file /etc/init.d/S41openvpn with the following content

-----------------------------8<------------------------------------------
#!/bin/sh

DESC="openvpn daemon"
NAME=openvpn
TYPE=net

OPENVPN_OPTS="--config /etc/openvpn/yourconfigfile --other needed
options?"

. $(dirname $0)/common

case "$1" in
        start) start $NAME -- $OPENVPN_OPTS
        stop)   stop $NAME ;;
        status) status $NAME ;;
        reload) reload $NAME ;;  # can openvpn re-read configuration
file changes?
        restart) restart $NAME ;;
        *)  usage $0 "start|stop|status|restart|reload" ;;

-----------------------------
>8------------------------------------------

There are other initscripts in the /etc/init.d directory, you might
have to look at then.
What other service, if any, has to be running for openvpn to work?

And that's all (for now)

You can now use and verify the commands

   rcopenvpn start
   rcopenvpn stop
   rcopenvpn status
   rcopenvpn reload # after configuration file changes

also, in Services->Network an openvpn entry shall appear

Did it work?
Can you share the configuration and how it was created? Posting the
original and the modified files is important.

The samples and easy-rsa directory is located in /usr/share/openvpn/,
can it be used to create certificates in the box? How to use them?
(Start first with certificates created on another linux box, where
openvpn is known to work.)

Thanks,
Joao
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/17/11 8:58 AM
I followed the openvpn how-to found here:
http://openvpn.net/index.php/open-source/documentation/howto.html

(I'm not an expert on openvpn, I'm learning this as I go)

I used the DNS-323 to create the keys because it already contained the
easy-rsa folder and all of the files to do it. (I had done it using a
ubuntu VM on my PC, but they result in identical files)

I used the default server.conf file found in the sample folder since I
haven't modified it yet.

#modprobe tun

did not return any sort of error

#openvpn --config /etc/openvpn/server.conf

generated the following:

Mon Oct 17 10:30:07 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 10:30:07 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this
might create routing conflicts if you connect to the VPN server from
public locations such as internet cafes that use the same subnet.
Mon Oct 17 10:30:07 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 10:30:07 2011 Diffie-Hellman initialized with 1024 bit key
Mon Oct 17 10:30:07 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
ET:0 EL:0]
Mon Oct 17 10:30:07 2011 Socket Buffers: R=[108544->131072] S=[108544-
>131072]
Mon Oct 17 10:30:07 2011 ROUTE default_gateway=192.168.0.1
Mon Oct 17 10:30:07 2011 Note: Cannot open TUN/TAP dev /dev/net/tun:
No such file or directory (errno=2)
Mon Oct 17 10:30:07 2011 /sbin/ifconfig  10.8.0.1 pointopoint 10.8.0.2
mtu 1500 ifconfig: SIOCSIFADDR: No such device
Mon Oct 17 10:30:07 2011 Linux ifconfig failed: external program
exited with error status: 1
Mon Oct 17 10:30:07 2011 Exiting

Your guess is as good as mine when it comes to which files are
missing.

From a bit of googling SIOCSIFADDR, it is to do with a network
interface being missing in the ifconfig file, I assume this is because
the TUN interface was not initialized because the TAP/TUN files are
missing.
There is a similar problem here: http://openvpn.net/archive/openvpn-users/2007-05/msg00304.html
The TAP/TUN was not run due to a permission error then that error
showed up.

I would like to have a TAP (bridging) VPN, but I'll try to get the
default working first, then I'll change the .conf file.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/17/11 9:14 AM
I followed the solution here: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
To create the TUN files.

I re-ran the openvpn --config and had a new error. I currently have
the dh1024.pem file in the same directory as the server.conf file and
the server keys. I'll post again if I figure out what is wrong.

# openvpn --config /etc/openvpn/server.conf
Mon Oct 17 11:08:41 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 11:08:41 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this
might create routing conflicts if you connect to the VPN server from
public locations such as internet cafes that use the same subnet.
Mon Oct 17 11:08:41 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 11:08:42 2011 Cannot open dh1024.pem for DH parameters:
error:02001002:system library:fopen:No such file or directory: error:
2006D080:BIO routines:BIO_new_file:no such file
Mon Oct 17 11:08:42 2011 Exiting
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/17/11 9:25 AM
On Monday, October 17, 2011 16:58:33 Cam1878 wrote:
> Cannot open TUN/TAP dev /dev/net/tun:
> No such file or directory (errno=2)

but /dev/tun exists

> Mon Oct 17 10:30:07 2011 /sbin/ifconfig  10.8.0.1 pointopoint 10.8.0.2
> mtu 1500 ifconfig: SIOCSIFADDR: No such device

this must be because of the missing /dev/net/tun

perhaps you should use  "-dev-node node"?
              Explicitly  set the device node rather than using /dev/net/tun,
/dev/tun, /dev/tap,
              etc.  If OpenVPN cannot figure out whether node is a TUN or TAP
device based on the
              name, you should also specify --dev-type tun or --dev-type tap.

I notice just now that "--help" is not available on the shipped binary, I will
see if I can fix it.

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/17/11 10:02 AM
I managed to solve the TUN problem in my earlier post. I think I may
have figured out the DH parameter problem but I'm no longer at my
computer. I'll try to keep working later today on it.

Once I followed the 4 commands on this page:
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
The error for opening TUN/TAP and the SIOCIFADDR was solved.
You are correct though, /dev/net/tun was missing.

The server.conf file sets whether the vpn is TUN or TAP. I have it set
to TUN currently

I am sure if it was set to TAP, it would have gotten the same error
looking in /dev/net/tap, so it is also probably missing.
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/17/11 10:53 AM
On Monday, October 17, 2011 17:14:13 Cam1878 wrote:
>I currently have the dh1024.pem file in the same directory as the server.conf
>file andthe server keys.

You might then want to use "--cd /etc/openvpn", because files are there?

> Cannot open dh1024.pem for DH parameters:
> error:02001002:system library:fopen:No such file or directory: error

       --cd dir
              Change directory to dir prior to reading any files such as
configuration files, key
              files, scripts, etc.  dir should be an absolute path, with a
leading "/", and with-
              out any references to the current directory such as "." or "..".

              This option is useful when you are running OpenVPN in --daemon
mode, and  you  want
              to consolidate all of your OpenVPN control files in one
location.

Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/17/11 11:02 AM
On Monday, October 17, 2011 17:14:13 Cam1878 wrote:
> I followed the solution here:
> http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi To create
> the TUN files.

That's OK as long as you remember it latter :)

But you should refrain from changing things that can be configured using
configuration files. Latter you will have to verify how to use the default
/dev/tun device.

I know, I'm picky ;-)

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/17/11 2:06 PM
I modified server.conf to solve the DH parameter problem.

I editted "dh dh1024.pem" to "dh /etc/openvpn/dh1024.pem" to include
the filepath to where I had already saved the files.

Once I ran openvpn --config it returned this:

Mon Oct 17 14:46:55 2011 OpenVPN 2.2.1 arm-linux [SSL] [LZO2] [EPOLL]
[eurephia] built on Oct 12 2011
Mon Oct 17 14:46:55 2011 NOTE: your local LAN uses the extremely
common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this
might create routing conflicts if you connect to the VPN server from
public locations such as internet cafes that use the same subnet.
Mon Oct 17 14:46:55 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Mon Oct 17 14:46:56 2011 Diffie-Hellman initialized with 1024 bit key
Mon Oct 17 14:46:56 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
ET:0 EL:0 ]
Mon Oct 17 14:46:56 2011 Socket Buffers: R=[108544->131072] S=[108544-
>131072]
Mon Oct 17 14:46:56 2011 ROUTE default_gateway=192.168.0.1
Mon Oct 17 14:46:56 2011 TUN/TAP device tun0 opened
Mon Oct 17 14:46:56 2011 TUN/TAP TX queue length set to 100
Mon Oct 17 14:46:56 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint
10.8.0.2 mtu 1500
Mon Oct 17 14:46:56 2011 /sbin/route add -net 10.8.0.0 netmask
255.255.255.0 gw 10.8.0.2
Mon Oct 17 14:46:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 17 14:46:56 2011 UDPv4 link local (bound): [undef]:1194
Mon Oct 17 14:46:56 2011 UDPv4 link remote: [undef]
Mon Oct 17 14:46:56 2011 MULTI: multi_init called, r=256 v=256
Mon Oct 17 14:46:56 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Oct 17 14:46:56 2011 IFCONFIG POOL LIST
Mon Oct 17 14:46:56 2011 Initialization Sequence Completed

So it seems to have initialized, I have yet to try to connect anything
yet.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 12:05 PM
After a bit of configuring on the client side of things, I managed to
connect to it perfectly.

It assigned me an IP and I was able to ping the server as well as
telnet to the device.

I'm going to try to change things around to set up network discovery
so I can use it as a network server as if it were on the same subnet.

Once it says initialization sequence completed you can just close the
SSH or telnet client and the vpn is running. I haven't set it up as a
daemon yet though.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 12:29 PM
I just looked in the files and noticed that /dev/tun or /dev/tap does
not exist.

I'm going to have to include the commands from here:
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi in the
startup script.
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN Joao Cardoso 10/18/11 1:22 PM

They will be created as soon as you 'modprobe tun'. /dev/tun will be created by the tun kernel module, that is a tap/tun driver.

If it is absolutely necessary (i.e., the default can't be used throught the conf file) we can create /dev/net/tun and /dev/net/tap by using /etc/mdev.conf. I will take care of it, after you submit your initscript.

On Oct 18, 2011 8:29 PM, "Cam1878" <cameron...@gmail.com> wrote:

I just looked in the files and noticed that /dev/tun or /dev/tap does
not exist.

I'm going to have to include the commands from here:
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi in the
startup script.

On Oct 17, 12:25 pm, Joao Cardoso <whoami.jc...@gmail.com> wrote: > On Monday, October 17, 2011 16:...

-- You received this message because you are subscribed to the Google Groups "Alt-F" group. To post...

Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN Joao Cardoso 10/18/11 1:26 PM

To have the box dhcp server to be used, or other dhcp server in the box network, and be able to smb/nfs browse the box network,  the simplest is to use vpn in bridged mode.

Is that what you are doing now?

On Oct 18, 2011 8:05 PM, "Cam1878" <cameron...@gmail.com> wrote:

After a bit of configuring on the client side of things, I managed to
connect to it perfectly.

It assigned me an IP and I was able to ping the server as well as
telnet to the device.

I'm going to try to change things around to set up network discovery
so I can use it as a network server as if it were on the same subnet.

Once it says initialization sequence completed you can just close the
SSH or telnet client and the vpn is running. I haven't set it up as a
daemon yet though.

On Oct 17, 5:06 pm, Cam1878 <cameron.tetf...@gmail.com> wrote: > I modified server.conf to solve th...

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 4:04 PM
Here is a step-by-step of what I did and the contents for server.conf
and S41openvpn

It is somewhat of a crude method of avoiding the tun & tap error,
you'll see it in the modified S41openvpn file. I'm sure you can modify
things to make it more polished and efficient.

1. Follow OpenVPN How-to: "Setting up your own Certificate Authority
(CA) and generating certificates and keys for an OpenVPN server and
multiple clients"

/Alt-F/usr/share/openvpn/easy-rsa/2.0 #Directory for creating keys

By now you should have:
ca.crt
ca.key
server.crt
server.key
dh1024.pem
clientX.crt
clientX.key

2. mkdir /Alt-F/openvpn         #Directory for .conf, .key, and .crt files

3. Copy .crt and .key files and sample server.conf to /Alt-F/openvpn:
/Alt-F/usr/share/openvpn/sample-config-files         #server.conf is found
here
/Alt-F/usr/share/openvpn/easy-rsa/2.0                 #ca.crt and server.key is
found here
(Copy all client files to clients as needed - see How-to "Key Files"
chart for details)

4. Modify server.conf to (most are default values):
######    server.conf    #######
local 192.168.0.XXX         #Whichever IP the router is forwarding to
port 1194
proto udp
dev tap         #Or "dev tun" depending on mode you want
ca /Alt-F/openvpn/ca.crt        #IMPORTANT: direct to location of your .crt
and .key files
cert /Alt-F/openvpn/server.cert         #SAME AS ABOVE
key /Alt-F/openvpn/server.key        #SAME AS ABOVE
dh /Alt-F/openvpn/dh1024.pem        #SAME AS ABOVE
server 10.8.0.0 255.255.255.0
ifconfig-poo-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
############################

5. Copy S41openvpn file to /etc/init.d        (contents shown below)
######    S41openvpn     #######
#!/bin/sh
initTunAndTap() {
        mkdir -p /dev/net
        mknod /dev/net/tun c 10 200
        mknod /dev/net/tap c 10 200
        chmod 600 /dev/net/tun
        chmod 600 /dev/net/tap
}
DESC="openvpn daemon"
NAME=openvpn
TYPE=net
OPENVPN_OPTS="--config /Alt-F/openvpn/server.conf"
. $(dirname $0)/common
case "$1" in
        start) initTunAndTap; start $NAME -- $OPENVPN_OPTS ;;
        stop) stop $NAME ;;
        status) status $NAME ;;
        reload) reload $NAME ;;
        restart) restart $NAME ;;
esac
############################

6. rcopenvpn start        #Should result in something similar to below

Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO]
[EPOLL] built on Feb  5 2005
Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0
ET:0 EL:0 ]
Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint
10.8.0.2 mtu 1500
Sun Feb  6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask
255.255.255.0 gw 10.8.0.2
Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb  6 20:46:38 2005 Initialization Sequence Completed
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 4:10 PM
Also, openvpn shows up in the services -> network list now.

I tested starting it from the browser and it works, mine now starts on
boot.
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN Joao Cardoso 10/18/11 4:50 PM

Good work.

I'm certain that I will need your help to create a GUI.

There are however some problems with your approach. You should not use the /Alt-F path in any circunstance.
I can't give more details by now.

Thanks.

-- You received this message because you are subscribed to the Google Groups "Alt-F" group. To pos...

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 4:55 PM
I had actually just finished moving everything to /etc/openvpn as I
read the message. Everything is located there now.

On Oct 18, 7:50 pm, Joao Cardoso <joao.fs.card...@gmail.com> wrote:
> Good work.
>
> I'm certain that I will need your help to create a GUI.
>
> There are however some problems with your approach. You should not use the
> /Alt-F path in any circunstance.
> I can't give more details by now.
>
> Thanks.
>
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 6:34 PM
I modified the server.conf file to use

server-bridge 192.168.0.1 255.255.255.0 192.168.0.XXX 192.168.0.YYY

instead of

server 10.8.0.0 255.255.255.0

Now the connected clients have IP's in the same subnet as my network.
It must be noted that the IP pool between XXX and YYY must be out of
the range of the DHCP server's IP pool.

I have yet to create an actual bridge between tap0 and eth0 though.
Once that is made the clients should be able to see the other side of
the VPN.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/18/11 6:48 PM
Is the package "bridge-utils" included in Alt-F?

I found the download link from linuxfoundation.org and it redirected
to here:

http://sourceforge.net/projects/bridge/files/bridge/

I don't know how to compile package files to install them on the
DNS-323.

It's needed by the bridge-start script mentioned on this page:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

From what it seems like, that script will need to be run at
initialization each time the NAS boots or the first time openvpn
starts.
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/19/11 7:23 AM


On Oct 19, 2:48 am, Cam1878 <cameron.tetf...@gmail.com> wrote:
> Is the package "bridge-utils" included in Alt-F?

Not at the time you wrote :-)

I have now compiled and tested it (but it is not yet available at the
feed).

The problem is the 'bridge' kernel module, needed by the bridge-utils
package.
I compiled the kernel module and updated the kernel-modules package
(not yet available at the feed), but the RC1 kernel refuses to load
it.

I have to see what is happening, but initial tests show that the RC1
kernel will not be able to use it, I will have to release RC2.

Keep tuned.
For now you will have to use the routed mode.

There is one think that I would like to have, user/pass only
authentication. From the HOWTO it seems to be possible, and I think it
is convenient, as you might not always have the client certificate
with you.

I was thinking to have three authentication methods: certificate only
(one certificate per client), certificate and user/pass (one
certificate for all clients), and user/pass only. What do you think
about this?

> I found the download link from linuxfoundation.org and it redirected
> to here:
>
> http://sourceforge.net/projects/bridge/files/bridge/
>
> I don't know how to compile package files to install them on the
> DNS-323.
>
> It's needed by the bridge-start script mentioned on this page:
>
> http://openvpn.net/index.php/open-source/documentation/miscellaneous/...
>
> From what it seems like, that script will need to be run at
> initialization each time the NAS boots or the first time openvpn
> starts.

That's pretty simple, I only hope that 'iptables' is not needed.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/19/11 9:08 AM

> I was thinking to have three authentication methods: certificate only
> (one certificate per client), certificate and user/pass (one
> certificate for all clients), and user/pass only. What do you think
> about this?

1. Certificate and key only will work as that is what I'm using
currently.

2. Certificate and user/pass is possible according to the how-to, it
doesn't seem too hard to set up

3. It is possible to use only user/pass, but according to the how to,
ca.crt will still be needed because the client needs to authenticate
the server when it connects.

From the How-to: "Note that client-cert-not-required will not obviate
the need for a server certificate, so a client connecting to a server
which uses client-cert-not-required may remove the cert and key
directives from the client configuration file, but not the ca
directive, because it is necessary for the client to verify the server
certificate."

If you want you can enable this option, but you will still need a
specific file to connect.

I haven't found a way to disable the dual-authentication (client
authenticates server as well) feature.
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/19/11 9:49 AM
On Wednesday, October 19, 2011 17:08:05 Cam1878 wrote:
> > I was thinking to have three authentication methods: certificate only
> > (one certificate per client), certificate and user/pass (one
> > certificate for all clients), and user/pass only. What do you think
> > about this?
>
> 1. Certificate and key only will work as that is what I'm using
> currently.
>
> 2. Certificate and user/pass is possible according to the how-to, it
> doesn't seem too hard to set up
>
> 3. It is possible to use only user/pass, but according to the how to,
> ca.crt will still be needed because the client needs to authenticate
> the server when it connects.
>
> From the How-to: "Note that client-cert-not-required will not obviate
> the need for a server certificate, so a client connecting to a server
> which uses client-cert-not-required may remove the cert and key
> directives from the client configuration file, but not the ca
> directive, because it is necessary for the client to verify the server
> certificate."

hmm, ok.
Perhaps big organizations can sign their certificates using a well-know CA, so
that clients can automatically verify its authenticity?
Or just make ca.crt public? In a web page? Clients wouldn't be able to verify
that the server they are connecting to is indeed the one they desire? No,
because the in-the-midle-server miss the correct ca.key, right?
 
Oh well, I need to make a workshop on certificates and security :-

Have you tried to use a commercial VPN client to connect? Being limited to the  
openVPN client is a severe restriction.

You see, I might be using a friend's laptop, with MS-W on it :-(

Thanks

> If you want you can enable this option, but you will still need a
> specific file to connect.
>
> I haven't found a way to disable the dual-authentication (client
> authenticates server as well) feature.

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/19/11 10:20 AM
I'm not sure if you're able to use other clients, you'd have to google
it to find out.

If you want something more generic I know there were some threads on
the forum about trying to get a PPTP vpn server running.

This is the one they were trying to use: http://poptop.sourceforge.net/
It's an open source linux pptp server.

With that it would just be user/pass, and then you could use the built-
in windows or any other pptp client to connect. I know android devices
have integrated clients as well.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/19/11 10:36 AM
The easiest solution would be to use something like this:

http://sourceforge.net/projects/ovpnp/

And run the openvpn client off of a USB drive.

I would advise to use certificate and user/pass otherwise if anyone
managed to get a hold of your drive, they could log in to your network.
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/20/11 11:53 AM


On Oct 19, 3:23 pm, Joao Cardoso <whoami.jc...@gmail.com> wrote:
> On Oct 19, 2:48 am, Cam1878 <cameron.tetf...@gmail.com> wrote:
>
> > Is the package "bridge-utils" included in Alt-F?
>
> Not at the time you wrote :-)
>
> I have now compiled and tested it (but it is not yet available at the
> feed).
>
> The problem is the 'bridge' kernel module, needed by the bridge-utils
> package.
> I compiled the kernel module and updated the kernel-modules package
> (not yet available at the feed), but the RC1 kernel refuses to load
> it.

Problem solved. Well, hacked...

Meanwhile I start looking for possible performance issues.
Everybody knows that ssh file transfer is slow, because of the SSL
encryption used by ssh.
What not everybody knows is that our little box has a hardware crypto
engine on it. Unused!

For the cryptsetup package, that encrypts physical partitions, I was
able to use the hw crypto engine, with a not so-so significative
performance improvement, "only" twice faster (but still 3-4 times
slower than a non-encrypted partition)

So, why not to use the hw crypto with SSL, benefiting both ssh and
openvpn?
Well, it is working, with some 23X performance improvement (on certain
circumstances)

No hardware acceleration:
       type             16 bytes     64 bytes    256 bytes   1024
bytes   8192 bytes
aes-256 cbc       3058.84k     3380.65k     3508.31k     3550.09k
3530.75k
aes-128-cbc       3281.25k     4232.38k     4645.72k     4772.39k
4786.86k

With hardware acceleration:
        type             16 bytes     64 bytes    256 bytes   1024
bytes   8192 bytes
aes-256 cbc       2973.93k     3384.96k     3510.27k     3538.26k
3522.56k
aes-128-cbc      12210.67k    28837.12k    25379.35k    49702.84k
110829.83k

The hw does not accelerate aes-256, but for aes-128 we have a 23 fold
speed improvement! Even for small block sizes, the improvement is
almost 4 times.

The next challenge is to see if I can fit this in the available flash
memory space. I doubt.

> I have to see what is happening, but initial tests show that the RC1
> kernel will not be able to use it, I will have to release RC2.

Or "release" a snapshoot meanwhile, if you want to keep exploring
(helping me with) openvpn

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/20/11 3:08 PM
Do you think there is any chance of including the pptp server in it as
well as an alternative to openvpn?

I've got a galaxy tab 10.1 that I am trying to connect but I can't get
openvpn to work on it (i'm getting the tun/tap error but the fix I had
doesn't work on android).
I was able to make a pptp connection to my laptop though.

If both openvpn and pptp were running it would allow a user/pass only
connection as well. I would say its one of the most common types of
vpns, it would probably be worthwhile.

However we should keep trying to get openvpn working first before
another task is added on.

Also as a side question,

Do you know an alternate way of avoiding the tun/tap error? I'd really
like to try to fix it on my android

On Oct 20, 2:53 pm, Joao Cardoso <whoami.jc...@gmail.com> wrote:
> On Oct 19, 3:23 pm, Joao Cardoso <whoami.jc...@gmail.com> wrote:
>
> > On Oct 19, 2:48 am, Cam1878 <cameron.tetf...@gmail.com> wrote:
>
> > > Is the package "bridge-utils" included in Alt-F?
>
> > Not at the time you wrote :-)
>
> > I have now compiled and tested it (but it is not yet available at the
> > feed).
>
> > The problem is the 'bridge' kernel module, needed by the bridge-utils
> > package.
> > I compiled the kernel module and updated the kernel-modules package
> > (not yet available at the feed), but the RC1 kernel refuses to load
> > it.
>
> Problem solved. Well, hacked...
>
> Meanwhile I start looking for possible performance issues.
> Everybody knows that ssh file transfer is slow, because of the SSL
> encryption used by ssh.
> What not everybody knows is that our little box has a hardware crypto
> engine on it. Unused!
>
> For the cryptsetup package, that encrypts physical partitions, I was
> able to use the hw crypto engine, with a not so-so significative
> performance improvement, "only" twice faster (but still 3-4 times
> slower than a non-encrypted partition)
>
> So, why not to use the hw crypto with SSL, benefiting both ssh and
> openvpn?
> Well, it is working, with some 23X performance improvement (on certain
> circumstances)
>
> No hardware acceleration:
>        type             16 bytes     64 bytes    256 bytes   1024
> bytes   8192 bytes
> aes-256 cbc       3058.84k     3380.65k     3508.31k     3550.09k
> 3530.75k
> aes-128-cbc       3281.25k     4232.38k     4645.72k     4772.39k
> 4786.86k
>
> With hardware acceleration:
>         type             16 bytes     64 bytes    256 bytes   1024
> bytes   8192 bytes
> aes-256 cbc       2973.93k     3384.96k     3510.27k     3538.26k
> 3522.56k
> aes-128-cbc      12210.67k    28837.12k    25379.35k    49702.84k
> 110829.83k
>
> The hw does not accelerate aes-256, but for aes-128 we have a 23 fold
> speed improvement! Even for small block sizes, the improvement is
> almost 4 times.
>
> The next challenge is to see if I can fit this in the available flash
> memory space. I doubt.
>
> > I have to see what is happening, but initial tests show that the RC1
> > kernel will not be able to use it, I will have to release RC2.
>
> Or "release" a snapshoot meanwhile, if you want to keep exploring
> (helping me with) openvpn
unk...@googlegroups.com 10/21/11 6:09 AM <This message has been deleted.>
Re: [Alt-F] Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/21/11 8:45 AM
On Friday, October 21, 2011 14:09:55 Cam1878 wrote:
> Wow...it really shows the benefits of having hardware acceleration.
>
> I tried the OpenVPN portable and it works fine, I just put a portable
> encryption program on my USB drive to secure the .conf, .crt, and .key
> files
>
> Did you get a chance to look at the pptp server? Or would it be too
> much work for this release?

No, I haven't, still busy integrating cryptodev, kernel modules and openssl;
and latter with openvnp, bridge-utill, initscripts and web pages.

There is a difference between a demo prototype, glued together with wires and
duct tape, and a user working solution ;-)
 
> I can't get openvpn to work on my Android tablet so I'm trying to look
> for alternatives for it. It works fine on my laptop though.

Looks like you have to "root" your android first. I haven't done it yet to
mine.

> I tried looking at how the GUI works for some of the other services
> but I don't know enough about html to get started on it.

Design a layout based on common needs would be possible:

Keys management:
-generate server CA button
-generate client key |client name entry field | generate button |  revoke
button

Autentication:
-certificate only radiobutton | certificate and user/pass radiobutton | user-
pass only radiobutton (not possible in near future, requires PAM)

-routing radiobutton | bridged radiobutton

and so on. Complete but not overwhelming. Ah, and write the help page :-)

I'm sure it will not be as simple and complete as I would like, it takes too
long to put it all together and test everything.

Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/21/11 9:03 AM
It is rooted.

I managed to get around the tun/tap error by doing insmod tun.ko

But now I have another error saying "Linux ifconfig failed: external
program fork failed" do you happen to know what that would mean?
Google wasn't very helpful

Oh well, I'll probably figure it out eventually.

As for the GUI, when the CA, server, and client keys are made, it runs
through a script setting parameters, I don't know how you would want
show that on the webpage, it isn't as simple as just running a file.
The buttons for certificate/user-pass/others will have to edit
different lines in the .conf file, but that should be possible.

Another option is to have the ability of the webpage having a link to
"download" the client files and config to whoever is viewing it.
Otherwise it needs to be manually transferred.

There also needs to be options like setting the IP pool for the server
as well.
Re: Alt-F-0.1RC1 OpenVPN Cam1878 10/26/11 10:02 AM
> No, I haven't, still busy integrating cryptodev, kernel modules and openssl;
> and latter with openvnp, bridge-utill, initscripts and web pages.
>
> There is a difference between a demo prototype, glued together with wires and
> duct tape, and a user working solution ;-)

Any ETA on an update or new release that includes the above packages?
I'd like to try testing out some of them.
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 10/26/11 11:04 AM
The Crypto Hardware Accelerator was a flop.

After installing Cryptodev and updating to openssl-1.0, so that all
ssl-enabled apps could use the crypto engine, it turns out that there
is a bug that avoids its usage on some cyphers/digests.
   alg: hash: Test 6 failed for mv-hmac-sha1

So, the hardware crypto engine and ssl infrastructure is ready and
working, but can't be used with confidence.
Fortunately enough software can still be used as a fallback, so I will
restart openvpn work after finishing some open issues.

I will announce the snapshot and accompanying packages ASAP.


Re: Alt-F-0.1RC1 OpenVPN João Cardoso 4/13/12 8:30 AM
Have you done any progress on openVPN, now that the bridge package and  kernel module are available for RC2?
Re: Alt-F-0.1RC1 OpenVPN didier belin 10/13/12 1:15 PM
openvpn works and with bridge it seems to work also. More tests on monday.
Re: Alt-F-0.1RC1 OpenVPN didier belin 12/12/12 5:29 AM
bridge version works fine since 2 months.
No time for make scripts to run openvpn at startup time.
But if someone wants my configuration files...
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 12/12/12 4:38 PM


On Wednesday, December 12, 2012 1:29:16 PM UTC, didier belin wrote:
bridge version works fine since 2 months.
No time for make scripts to run openvpn at startup time.
But if someone wants my configuration files...

please do. But please explain your setup, as there are several possible setups.
Re: Alt-F-0.1RC1 OpenVPN didier belin 1/2/13 2:59 PM
Sorry, I see your msg only now. I'll post my configuration with comments this WE.
Re: Alt-F-0.1RC1 OpenVPN medoc 10/15/13 11:19 AM
Hi,

what is the status of this?

I have managed to set up tun mode (TAP is not available via iOS:() and connect to the server remotely.

I was not able however to set up the network in a way that I reach the LAN from outside.

I use the default 10.... virtual IP for the VPN and 192.168.1. network for the LAN.

Can someone explain how to set up routing between the two in order to reach the internal network - not just the NAS - from outside?

Thanks,
medoc
Re: Alt-F-0.1RC1 OpenVPN michae...@googlemail.com 2/24/14 1:42 AM
Hi,
just wanted to mention that I got this working too. Using version 0.1RC3
It did need a little twittling, since apparently the tun-device is not created by OpenVPN as it should be. To get around this I used the instructions in the link given by Cam1878: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi

So supposing you have a working OpenVPN config file (which I had confirmed previously with a PC), the steps are (this is basically just a summary of the things mentioned in this thread):

1) install the Alt-F openvpn package
2) load the tun module: >> modprobe tun
3) create the tunnel device (from link above):
>> mkdir -p /dev/net
>> ls /dev/net # confirm it's working (see link)
>> mknod /dev/net/tun c 10 200
>> chmod 600 /dev/net/tun
4) start OpenVPN:
>> openvpn --config client.conf

If the tun-device is not created manually, then OpenVPN will initialize fine (given a correct config), but will fail when creating the tun-device with the message:
  Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
  ifconfig: SIOCSIFADDR: No such device
  Linux ifconfig failed: external program exited with error status: 1
  Exiting

It would be nice, if we could work out, why OpenVPN can't create the tun-device by itself, as it usually should.
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 2/24/14 8:20 AM


On Monday, February 24, 2014 9:42:36 AM UTC, michae...@googlemail.com wrote:
Hi,
just wanted to mention that I got this working too. Using version 0.1RC3
It did need a little twittling, since apparently the tun-device is not created by OpenVPN as it should be. To get around this I used the instructions in the link given by Cam1878: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi

So supposing you have a working OpenVPN config file (which I had confirmed previously with a PC), the steps are (this is basically just a summary of the things mentioned in this thread):

1) install the Alt-F openvpn package
2) load the tun module: >> modprobe tun
3) create the tunnel device (from link above):
>> mkdir -p /dev/net
>> ls /dev/net # confirm it's working (see link)
>> mknod /dev/net/tun c 10 200
>> chmod 600 /dev/net/tun
4) start OpenVPN:
>> openvpn --config client.conf

If the tun-device is not created manually, then OpenVPN will initialize fine (given a correct config), but will fail when creating the tun-device with the message:
  Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
  ifconfig: SIOCSIFADDR: No such device
  Linux ifconfig failed: external program exited with error status: 1
  Exiting

It would be nice, if we could work out, why OpenVPN can't create the tun-device by itself, as it usually should.

Can you please add the following line to the end of /etc/mdev.conf

(tun|tap) 0:0 660 =net/%1

and then,

modprobe -r tun
rm
-rf /dev/net
modprobe tun

and see if the devices are created at 'modprobe' time?
Does it also works for the 'tap' mode of operation, or a /dev/net/tap device has to be explicitly created?

I still think that 'modprobe' should be performed by openvpn itself...


Re: Alt-F-0.1RC1 OpenVPN michae...@googlemail.com 2/26/14 1:45 AM
Hi.
So it took a while. But I can confirm that modifying /etc/mdev.conf as you stated and redoing modprobe solves it.
Now OpenVPN is able to create the tun as well as the tap devices, when initializing a connection.

Only question now is how to 'modprobe tun' by default and have OpenVPN run at start-up (and daemon mode to keep it alive), so that the connection is setup by default after restarting.

Edit: Forgot to mention. In my limited testing it solves it also solves it for tap devices (I usually only use tun).
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 2/26/14 9:14 AM


On Wednesday, February 26, 2014 9:45:26 AM UTC, michae...@googlemail.com wrote:
Hi.
So it took a while. But I can confirm that modifying /etc/mdev.conf as you stated and redoing modprobe solves it.
Now OpenVPN is able to create the tun as well as the tap devices, when initializing a connection.

Only question now is how to 'modprobe tun' by default and have OpenVPN run at start-up (and daemon mode to keep it alive), so that the connection is setup by default after restarting.

Please try the attached initscript. In order for it to be persistent across reboots you must have Alt-F packages installed, 'ipkg' itself is enough.
Uncompress the file and put it under /etc/init.d/ and "openvpn" should appear under Services->Network. The script assumes that keys reside in /etc/openvpn. Is that sensible or customary? I don't know.
Also, in /etc/openvpn/server.conf you must add /etc/openvpn/ to the relevant keys:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem

At "stop" time 'modprobe -r' is executed, which is not failsafe, but I don't like to have unnecessary modules loaded.

Re: Alt-F-0.1RC1 OpenVPN michae...@googlemail.com 3/3/14 2:01 AM
Ok. So I finally got around to trying this.
In principle the script works, but it's not optimal, since you make it hard-wired to the config file-name 'server.conf'.
In my case I am running openvpn on my NAS as the client of another server and aptly named the config-file 'client.conf'. I changed your script and remove the checks for the keys and then it worked nicely.
It gets problematic, if you have multiple config files, which can be the case if the NAS is a client and a server or a client to multiple VPNs.
I looked at the init-script of Raspbian on the Raspberry and they run openpvn for all config-files: /etc/openvpn/*.conf, which is perhaps what this script should also do. It would also require removing the checks for the config-files in /etc/openvpn/, which also aren't ideal, if for example you have server and client configs at the same time and would have the keys nicely separated in /etc/openvpn/server_keys and /etc/openvpn/client_keys.
But for the time being this script works perfectly for me. Just bringing in suggestions... :)
Thanks for all your hard work. Alt-F is really, really nice!
Re: Alt-F-0.1RC1 OpenVPN João Cardoso 3/6/14 11:21 AM


On Monday, March 3, 2014 10:01:21 AM UTC, michae...@googlemail.com wrote:
Ok. So I finally got around to trying this.
In principle the script works, but it's not optimal, since you make it hard-wired to the config file-name 'server.conf'.
In my case I am running openvpn on my NAS as the client of another server and aptly named the config-file 'client.conf'. I changed your script and remove the checks for the keys and then it worked nicely.
It gets problematic, if you have multiple config files, which can be the case if the NAS is a client and a server or a client to multiple VPNs.
I looked at the init-script of Raspbian on the Raspberry and they run openpvn for all config-files: /etc/openvpn/*.conf, which is perhaps what this script should also do. It would also require removing the checks for the config-files in /etc/openvpn/, which also aren't ideal, if for example you have server and client configs at the same time and would have the keys nicely separated in /etc/openvpn/server_keys and /etc/openvpn/client_keys.
But for the time being this script works perfectly for me. Just bringing in suggestions... :)

Thanks. The attached script should cover all your suggestions.

More topics »