OpenVPN RoadWarrior - How to use CCD Directory

v7
openvpn

(Luciano) #1

NethServer Version: 7.4.1708 (Final)
Module: OpenVPN RoadWarrior

Hello everyone.! o/

I already use OpenVPN in another “on-premises” installation and that raised some needs… :wink:
So, when I tried to use NethServer for that JOB, because doing it manually Sucks, and NethServer Rox.!!, there is just one need I can't solve yet…!! and for that I need someone's help, please.!! Sorry for My Bad English too :wink:

I need to use the CCD for a specific user configuration…! “Push Route” and “Fixed IP”

Fixed IP = Solved using the NethServer reservation.! No problem here.! Works perfectly.!

Push Route = I specifically control what a user can access through the VPN by specifying the server's IP in a push route inside the user's ccd file…! When I manually create the user file inside CCD it works, but it's deleted after a server restart, or by a watchguard… no big deal to know by Who, lol… =D.

So, I already looked in the NethServer WEBUI but had no success finding where I can add these specific route pushes to a user in the WEBUI…!

I didn't set the VPN to be the Default route when the client connects.! And I Don't want that approach…!! I Just want to push a user's specific route, like I do today on my other OpenVPN server.! That way, my user can still access other network things without needing to disconnect from the VPN, and just the specific access comes through the VPN tunnel.

Any Help, how can I edit a user ccd file without it being deleted.!? No problem if the WEBUI can't do this right now.! All the things the NethServer WEBUI does on OpenVPN are very nice and help a lot…!!

I Just have this problem to solve…!!

I appreciate the time dedicated to reading this post, Thank you… And sorry for my PT-BR English ;).

o/
Ozburn


(Markus Neuberger) #2

Hi @ozburn,

NethServer's config files are built from templates and rewritten on config changes and restarts:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

So you have to create a custom template and put your config in the templates; my example userfile is named user1.conf:

mkdir -p /etc/e-smith/templates-custom/etc/openvpn/ccd/user1.conf
echo "# Your configuration" > /etc/e-smith/templates-custom/etc/openvpn/ccd/user1.conf/10pushroute
expand-template /etc/openvpn/ccd/user1.conf
cat /etc/openvpn/ccd/user1.conf

(Luciano) #3

Hello Mr. Markuz.! Thank you for helping me…!! I appreciate it :wink:

Based on your instructions, I created a bash script where I ask for the Common Name of the VPN User, because it's based on the User Certificate Common Name that openvpn identifies the user and does what you need, so… Works Like a Charm…!! Thank you very much…!!

Found another problem…, I believe my way of working is a little better than the way in NethServer…

The IP reservation on NethServer reserves more than One IP for every client…! I put in the WEBUI something like 10.10.10.10 to be a user's static IP in the user configuration through the WEBUI, but when the user connects it receives 10.10.10.11. I didn't look closely, but I think it reserves something like a CIDR /30 for every client… Anyway…

I prefer to use “topology subnet” in the openvpn server configuration, and an “ifconfig-push 10.10.10.10 255.255.255.0” in that CCD user file…!! because I just use 1 IP per user…!! and for my needs, I have no problem fixing this IP per user; I don't have a lot of users…

So I put this option “topology subnet” at the end of the file /etc/e-smith/templates/etc/openvpn/host-to-net.conf/10server

And it works after forcing a refresh in the WEBUI. The way I do this is…! choosing an option like “Enable LZO Compression” and SUBMIT, which forces a rebuild of the openvpn server's conf. I tried restarting the Service, but this does not rebuild the openvpn server's conf. Don't know a better way to do this; I'd like to read a clue about this :wink:

Doing the IP Reservation this way, I lose one more NethServer facility :confused: I love using the WEBUI for all my needs, but I know nothing about programming Languages and am not a good English speaker either… Lol…

I just have some doubts about the NethServer RoadWarrior Topology. I tried to find more info, because I believed it was Subnet…, but looking at host-to-net.conf (the openvpn server config file in /etc/openvpn/) I find no option about topology…

And another thing I will do… because the client warns about it, and it surely improves security…, is to use the option tls-server in the server's config, and I will need to figure out how to add this scheme on NethServer to automatically add the new TLS cert. to the users' client file to keep the Outstanding NethServer “Download Client config”; it's a time saver…!!!

If some Dev would like to talk more about these things, I'd love to help…!! NethServer is great…!! IT's Evolving So much…!!

Thanks for your time Markuz…!! Helped me a lot…!! really helped…!! cya o/

Ozburn.


(Markus Neuberger) #4

Please don’t use the /etc/e-smith/templates dir for your custom changes, use /etc/e-smith/templates-custom instead, because they are not overwritten by system updates. And you should try not to use the same template name if possible, because updated templates from system updates won’t have an effect as they will be overridden by your custom templates.


(Luciano) #5

Living and Learning =D, thanks again Markuz, I will follow your instructions, Very nice of you…!! Thanks…!!

Just Did it.!! and it Works.! I created a new directory…

          /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf

And a new file inside… with a different name…

          11server

Inside, to test…, just one option…

       topology subnet

And Works…!!!

Thank you very Much…!! I will do the same for future options =D …

Cya

Ozburn o/
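The two procedures in this thread, the per-user CCD fragment from post #2 and the separately named "topology subnet" server fragment from posts #4 and #5, as one added bash example. This is not code from the posts or from NethServer: the function names, the TEMPLATE_ROOT variable (so it can be dry-run in a scratch directory), the /24 mask on ifconfig-push and the openvpn@host-to-net unit name are assumptions. OpenVPN matches a client-config-dir file by the certificate's Common Name, which is why the CCD fragment is keyed on the CN (as post #3 does) rather than on a name like user1.conf; because the CN ends up as a path component, the script validates it before touching the filesystem.

```bash
#!/bin/bash
# Added example for this thread, not code from the posts or from NethServer.
# It writes the per-user CCD push routes (post #2) and the "topology subnet"
# server option (post #5) as templates-custom fragments, so expand-template
# rebuilds them instead of wiping hand-edited files in /etc/openvpn.
set -eu

# Assumption: TEMPLATE_ROOT lets the script be dry-run in a scratch directory.
# On a real NethServer leave it at "/".
TEMPLATE_ROOT="${TEMPLATE_ROOT:-/}"
CUSTOM="etc/e-smith/templates-custom"

# The common name becomes a path component under ccd/, so reject anything
# that could escape the directory: empty, slashes, "..", unusual characters.
valid_cn() {
    case "$1" in ''|*/*|*..*) return 1 ;; esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._@-]+$'
}

# Dotted-quad IPv4 check: four fields, each 0-255. Used for addresses and masks.
valid_ipv4() {
    local a b c d oct
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r a b c d <<< "$1"
    for oct in "$a" "$b" "$c" "$d"; do
        [ "$oct" -le 255 ] || return 1
    done
}

# write_ccd_fragment CN FIXED_IP NET/MASK...
# Emits <CUSTOM>/etc/openvpn/ccd/CN/10pushroute with one push "route" per
# network and, if FIXED_IP is non-empty, an ifconfig-push. The /24 on
# ifconfig-push mirrors the thread's "topology subnet" setup (assumption).
write_ccd_fragment() {
    local cn="$1" fixed_ip="$2"; shift 2
    local spec dir
    valid_cn "$cn" || { echo "rejected common name: $cn" >&2; return 1; }
    if [ -n "$fixed_ip" ] && ! valid_ipv4 "$fixed_ip"; then
        echo "rejected fixed ip: $fixed_ip" >&2; return 1
    fi
    # Validate every route before writing, so a bad argument leaves no file.
    for spec in "$@"; do
        case "$spec" in */*) ;; *) echo "rejected route: $spec" >&2; return 1 ;; esac
        valid_ipv4 "${spec%/*}" && valid_ipv4 "${spec#*/}" \
            || { echo "rejected route: $spec" >&2; return 1; }
    done
    dir="$TEMPLATE_ROOT/$CUSTOM/etc/openvpn/ccd/$cn"
    mkdir -p "$dir"
    {
        echo "# custom template fragment for $cn; edit here, not in /etc/openvpn/ccd"
        if [ -n "$fixed_ip" ]; then
            echo "ifconfig-push $fixed_ip 255.255.255.0"
        fi
        for spec in "$@"; do
            echo "push \"route ${spec%/*} ${spec#*/}\""
        done
    } > "$dir/10pushroute"
    echo "$dir/10pushroute"
}

# write_server_fragment: the "topology subnet" line as its own fragment with a
# name (11server) that no stock template uses, as post #4 recommends.
write_server_fragment() {
    local dir="$TEMPLATE_ROOT/$CUSTOM/etc/openvpn/host-to-net.conf"
    mkdir -p "$dir"
    printf 'topology subnet\n' > "$dir/11server"
    echo "$dir/11server"
}

# Render the real files when the e-smith tools are present. OpenVPN reads a
# CCD file at each client connect, so only the server config needs a restart;
# the unit name openvpn@host-to-net is an assumption for NethServer 7.
apply_templates() {
    local cn="$1"
    if ! command -v expand-template >/dev/null 2>&1; then
        echo "expand-template not found; dry run only" >&2
        return 0
    fi
    expand-template "/etc/openvpn/ccd/$cn"
    expand-template /etc/openvpn/host-to-net.conf
    systemctl restart openvpn@host-to-net
}

# Usage: bash ccd-fragments.sh --demo   (dry run in a scratch directory)
if [ "${1:-}" = "--demo" ]; then
    TEMPLATE_ROOT="$(mktemp -d)"
    write_ccd_fragment laptop01 10.10.10.10 192.168.50.0/255.255.255.0
    write_server_fragment
    cat "$TEMPLATE_ROOT/$CUSTOM/etc/openvpn/ccd/laptop01/10pushroute"
fi
```

On a live server you would run it with TEMPLATE_ROOT unset, call write_ccd_fragment and write_server_fragment, then apply_templates with the same CN; since the fragments live under templates-custom, the next WebUI change or update re-renders them rather than discarding them, which is the behaviour the original poster was missing.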