You are here
Stas Grishin - Sat, 2010/01/16 - 08:48
Location: see attached file
Intended for: TKL Core
Description: Installs openvpn (+bridge-utils) and the webmin openvpn module to TKL Core, allowing easier configuration and management of openvpn servers and certificates.
Forum:
Tags:
Nicely done!
Regarding the webmin openvpn package, can you provide a link to the source you used. How did you build the package? I'd like to add it to the webmin package in the TurnKey package repo.
BTW, when using sed to change paths, I find it more readable to use a different delimiter and then you don't need to escape slashes:
OpenVPN Updates
Thanks for the advice about sed syntax Alon, it makes the conf file a bit more readable.
I am also attaching a step-by-step tutorial on how to setup a routed openvpn server.
Bonus: I am attaching a all-in-one installation script I used when creating the openvpn machine. I documented the exact commands I used. I later used this script to create the tklpatch, simplifying various parts to fit the tklpatch model.
I will create a new topic to post information about how I made the webmin package. The all-in-one script is a good example as well.
Oh, there appears to be a bug in the forum code which messes up the uploads when I try to re-upload a newer version of tkl-openvpn.tar.gz. For now just right-click, save as, rename.
Enable NAT
Stas,
Thank you for this article and script. It was exactly what I was looking for my simple OpenVPN solution. One configuration setting I had to perform on the TKL system after enabling IP forwarding was to also enable NAT on the server.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 (ovpn-net + ovpn-net mask) -o eth0 -j MASQUERADE
Everything else worked perfectly.
Some other options I added to force all vpn clients to pass all traffic through the VPN was to add the option below the push "route"
push "redirect-gateway def1"
Again thank you very much for this detailed and awesome article / walkthrough.
Regards,
James
Kudos this is excellent work
But with the help of contributors from the community the sky is the limit! This is why I love open source. We'll be sure to give you credit for this when we make the announcement.
Wow, I'm surprised
I just logged in and noticed the karma bonus and this message. Thanks so much. I knew I was one of the first outside developers but didn't realize I was the first with a release. I am working on a few more random patches.
Thanks to the TKL team for making an excellent linux-based VM appliance platform.
New TKLPatch section on development wiki
apply patch to different appliance
Can I use this patch on the LAMP appliance?
Probably, try it!
OpenVPN appliance available yet?
Hi Guys
Is a non-beta OpenVPN appliance available yet? Looking forward to it!!
It's so helpful that you thought of many things (like instructions) that us newbies really need.
Could the appliance include best-practice instructions for security lock-down of production servers? I'm concerned someone would hack the VPN server and gain access to the entire cloud.
Not yet
But I imagine it will be one of the appliances in "Part 2" of the current v11.0RC release.
IMO unfortunately documentation is one area where TKL could do with some serious improvement. Stas has provided some documentation of this above in the tklopenvpn-howto.txt which should be helpful; beyond that you're out of luck other than having a google and crossing your fingers.
DEV TUN/TAP
Why is everybody talking about PC-to-PC (Level 2 Bridging)? I want level 3 bridging (TAP Tunneling) aka LAN/Ethernet bridging. Can anyone create instructions for this one? Thanks!
Dev Tun/Tap
In reply to DEV TUN/TAP, I believe you have that backwards. You are correct that Tap exists at Layer 3, and Tun exists at Layer 2. Layer 3 stacks on top of Layer 2, Layer 3 gives you the IP layer that TCP/IP is on top of, and Layer 2 is the ethernet bridging you say that you would like.
Either way should work just as well. IMO, Layer 2 is unnecessary in almost all circumstances. It introduces ARP through hops, which is not the design intended. ARP just wastes bandwith on your local net before the router forwards the connection whereas a route defined over Layer 3 would have been a more direct approach.
In reply to the patch, looking forward to trying it out. I'm just getting started with TKL, and my end goal is to have all of my appliances on Squeeze opposed to Lenny. I'm going to take a look at the mechanics of this and post a patch if needed to apply to the current Debian Core RC.
still in progress?
Hello,
First I would like to thank you all for developing TKL. It is a wonderful tool.
Then I would like to ask if this appliance, TKL OpenVPN, is still in development or was it abandoned?
I would really like deploying such a tool and was about to use TKL core to install one.
Is there a "TKL from core to OpenVPN gateway" tutorial somewhere?
Also, regarding other appliances, it would be nice to have a one liner command to specify the security parameters (such as RSA key lenght) of certificates, secret keys, ... and to renew/change them.
It seems at boot that some RSA-1024 keys are still generated whereas I would prefer 4096 by default (and the possibility to choose 8192).
I tried to do it for instance on TKL Mediawiki but failed. So it was either using my TKL Core with custom install of media wiki and custom self signed certificate with the key lenght of my choice or to use TKL Media wiki as is without managing to chance the security level.
Kind regards,
A big fan :)
No further development AFAIK
But you could possibly still use the patch. It may require some updating but could be a starting point. Have a read about TKLPatch in the docs.
As for the RSA stuff I have no idea TBH, so I'm no help there...
If you are using Debian
...for your installed to metal OS, would this enable VPn for me safely enough?? I'm using the most recent proxmox 2.2-31 Or, is there a better way to do this running Debian Sqeeze?
Thanks, Ric
i can't configure it
Where can i configure openvpn ??? On the webmin GUI there is nothing about openvpn!!!!
Please help
TurnKey OpenVPN appliance now available
The appliance page is here. Don't forget to take a look at the usage documentation (link at the bottom of the appliance page).
Add new comment