openVPN-server

[pari khan]

Hi,

I am new to openwisp.

with regards to openwisp I am able to get it up and running.I was able to connect few APs to openwisp controller. My concern is I want to understand how can we  install openvpn server .Is CA and certificates related to openvpn server? Can we use the keys installed as part of openvpn server for CA and certificates options in openwisp, I mean can we import or we have to create new ?

little confused with these options, if I could get any documents or guidance will be thankful.

Kind Regards,

pari

[Federico Capoano]

Hi Pari and welcome,

this process is not documented yet (we have a ticket for it), the process is roughly the following:

• ensure OpenVPN is included in your OpenWRT firmware image or install it manually on your devices (the former option is recommended)
• install OpenVPN on the server, you can use this ansible role if you like: https://github.com/Stouts/Stouts.openvpn
• import the CA, and the server certificate in OpenWISP
• create a new VPN server, select the CA and server certificate just imported, copy the configuration parameters generated by ansible
• now create a new template of type "VPN-client"
• ensure the auto-cert option is enabled so OpenWISP will generate client x509 certificates automatically
• enable "default template" option if you want the VPN to be enabled on all the devices of that organization
• if you want to use this VPN for all the organizations leave the "organization" parameter empty
• leave the conf empty, hit "save and continue", now you can tweak the client VPN conf if you need

After all these passages, devices which will have the new VPN template will get the OpenVPN conf and the x509 certificate automatically created by OpenWISP. This does not assure the VPN will work straightaway, you may need to do some testing and tweaking before getting it right.

If you need to do some tests on the OpenWRT side, I suggest doing it on the device directly first and once you have a configuration that works you copy it into the OpenWISP web UI.

To debug, check the logs of both clients and server.

I hope this helps!

Let me know how it goes and if anything is not clear don't hesitate to ask.

Federico

[Federico Capoano]

One more thing: ensure the firmware image contains a pre-existing /etc/config/openvpn file, even an empty one is fine, otherwise when a new configuration is downloaded the OpenVPN process won't be started, you will have to manually launch it but that would invalidate all the work towards automation we are doing.

Federico

[pari khan]

Hi Federico,

Thanks for quick reply.

I installed openvpn via ansible. As per the instruction in (https://github.com/Stouts/Stouts.openvpn) I added variables for CA and certificates in playbook.yml file.

When I tried importing the CA and certificate how do we ensure the import is happening from where the ansible role created CA and certificate ?

When I tried importing CA  the country/state etc fields were empty , am I missing something.

Please help.

kind regards

pari khan

--
You received this message because you are subscribed to the Google Groups "OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openwisp+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Federico Capoano]

Copy the public and private key of the CA and the server certificate from the server, you will find the files in the directory of the server which ansible created to install OpenVPN.

Then paste these in the openwisp web UI, when you create a new CA or new certificate select "import existing" and the UI will show you only the relevant fields.

Try and let me know :-)

[pari khan]

Hi Federico,,

Thanks a lot :)

It worked for me. 

kind regards

Pari Khan

[pari khan]

HI Federico,

Seems like few more issues around these..

I was able to get the openVPN installed and run based on ansible role variables. The /etc/openvpn/server.conf has variables as per the ansible role installed package. I also see a tun0 device with IP subnet as per what I configured on ansible role

Now, I configure VPN-SERVER configuration via openwisp2. on saving the configuration, I dont see it getting updated in /etc/openvpn/server.conf  and the tun IF also doesnt get IP subnet updated as per VPN-SERVER configuration.

Am i missing something?

kind regards,

Pari Khan

[Federico Capoano]

Pari,

you have to update the server configuration with Ansible, then you have to update the VPN client template manually.

The VPN server object in OpenWISP is needed only for generating the base VPN client template, store the server certificate and other internal automations, but it can't magically update everything yet. That will require a considerable amount of effort to implement.

I hope this helps.

Federico

[pari khan]

Hi all,

I am facing an issue where while including master branch for netjsonconfig , when I try to access device option in openwisp GUI, I get server error but if I try to use TAG-0.8.1 then I can access device option without any server error.

Please help me. These two branches have mgmt IP changes in it.

I think some bug in master branch because of mgmt IP changes.

#    openwisp2_django_netjsonconfig_pip: https://github.com/openwisp/django-netjsonconfig/tarball/master

                  OR

    openwisp2_django_netjsonconfig_pip: https://github.com/openwisp/django-netjsonconfig/tarball/0.8.1

Thanks 

kind regards

Pari

[Federico Capoano]

Yes that's why it's failing. 

Why are you using the development version (master branch)?
It's not supposed to be used unless you have a good understanding of how OpenWISP works internally and you know what you are doing.

This is not a bug.

PS: this thread was about the OpenVPN Server automation feature, please start a new thread when you want to ask questions about a new subject.