Location: see attached file
Intended for: TKL Core
Description: Installs openvpn (+bridge-utils) and the webmin openvpn module to TKL Core, allowing easier configuration and management of openvpn servers and certificates.
sed -i "s/cmd=\/opt/cmd=\/usr\/share/" $OVPN_CONFIG
sed -i "s|cmd=/opt|cmd=/usr/share|" $OVPN_CONFIG
Thanks for the advice about sed syntax Alon, it makes the conf file a bit more readable.
I am also attaching a step-by-step tutorial on how to setup a routed openvpn server.
Bonus: I am attaching a all-in-one installation script I used when creating the openvpn machine. I documented the exact commands I used. I later used this script to create the tklpatch, simplifying various parts to fit the tklpatch model.
I will create a new topic to post information about how I made the webmin package. The all-in-one script is a good example as well.
Oh, there appears to be a bug in the forum code which messes up the uploads when I try to re-upload a newer version of tkl-openvpn.tar.gz. For now just right-click, save as, rename.
Thank you for this article and script. It was exactly what I was looking for my simple OpenVPN solution. One configuration setting I had to perform on the TKL system after enabling IP forwarding was to also enable NAT on the server.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 (ovpn-net + ovpn-net mask) -o eth0 -j MASQUERADE
Everything else worked perfectly.
Some other options I added to force all vpn clients to pass all traffic through the VPN was to add the option below the push "route"
push "redirect-gateway def1"
Again thank you very much for this detailed and awesome article / walkthrough.
But with the help of contributors from the community the sky is the limit! This is why I love open source. We'll be sure to give you credit for this when we make the announcement.
I just logged in and noticed the karma bonus and this message. Thanks so much. I knew I was one of the first outside developers but didn't realize I was the first with a release. I am working on a few more random patches.
Thanks to the TKL team for making an excellent linux-based VM appliance platform.
Can I use this patch on the LAMP appliance?
Is a non-beta OpenVPN appliance available yet? Looking forward to it!!
It's so helpful that you thought of many things (like instructions) that us newbies really need.
Could the appliance include best-practice instructions for security lock-down of production servers? I'm concerned someone would hack the VPN server and gain access to the entire cloud.
But I imagine it will be one of the appliances in "Part 2" of the current v11.0RC release.
IMO unfortunately documentation is one area where TKL could do with some serious improvement. Stas has provided some documentation of this above in the tklopenvpn-howto.txt which should be helpful; beyond that you're out of luck other than having a google and crossing your fingers.
Why is everybody talking about PC-to-PC (Level 2 Bridging)? I want level 3 bridging (TAP Tunneling) aka LAN/Ethernet bridging. Can anyone create instructions for this one? Thanks!
In reply to DEV TUN/TAP, I believe you have that backwards. You are correct that Tap exists at Layer 3, and Tun exists at Layer 2. Layer 3 stacks on top of Layer 2, Layer 3 gives you the IP layer that TCP/IP is on top of, and Layer 2 is the ethernet bridging you say that you would like.
Either way should work just as well. IMO, Layer 2 is unnecessary in almost all circumstances. It introduces ARP through hops, which is not the design intended. ARP just wastes bandwith on your local net before the router forwards the connection whereas a route defined over Layer 3 would have been a more direct approach.
In reply to the patch, looking forward to trying it out. I'm just getting started with TKL, and my end goal is to have all of my appliances on Squeeze opposed to Lenny. I'm going to take a look at the mechanics of this and post a patch if needed to apply to the current Debian Core RC.
First I would like to thank you all for developing TKL. It is a wonderful tool.
Then I would like to ask if this appliance, TKL OpenVPN, is still in development or was it abandoned?
I would really like deploying such a tool and was about to use TKL core to install one.
Is there a "TKL from core to OpenVPN gateway" tutorial somewhere?
Also, regarding other appliances, it would be nice to have a one liner command to specify the security parameters (such as RSA key lenght) of certificates, secret keys, ... and to renew/change them.
It seems at boot that some RSA-1024 keys are still generated whereas I would prefer 4096 by default (and the possibility to choose 8192).
I tried to do it for instance on TKL Mediawiki but failed. So it was either using my TKL Core with custom install of media wiki and custom self signed certificate with the key lenght of my choice or to use TKL Media wiki as is without managing to chance the security level.
A big fan :)
But you could possibly still use the patch. It may require some updating but could be a starting point. Have a read about TKLPatch in the docs.
As for the RSA stuff I have no idea TBH, so I'm no help there...
...for your installed to metal OS, would this enable VPn for me safely enough?? I'm using the most recent proxmox 2.2-31 Or, is there a better way to do this running Debian Sqeeze?
Where can i configure openvpn ??? On the webmin GUI there is nothing about openvpn!!!!
The appliance page is here. Don't forget to take a look at the usage documentation (link at the bottom of the appliance page).
More information about text formats