OpenVPN with Nethserver howto?


#1

Is there anything anywhere that shows how to setup OpenVPN with Nethserver? Even some sample screens??

Thanks!

Arch


(Michele Bortolotto) #2

http://docs.nethserver.org/en/latest/vpn.html


#3

That’s all there is???


(Stéphane de Labrusse) #4

Maybe it is time to create your howto; please ask if you have issues.


(Michele Bortolotto) #5

Do you think it’s not enough? Are there some missing parts? Do you have some issue?


(Charlie Lehardy) #6

I’ve been unsuccessfully attempting to set up NethServer to accept VPN clients, and I guess because the terminology used in NS is not what I’m used to (and I’m new at this), I haven’t been successful yet. I’ve created an OpenVPN road warrior server. If I choose to allow connections with username and password, there is no place in the account tab to enter a user password. If I choose certificate, I’m not sure which certificate to use in my OpenVPN client app. Is it the server certificate or the one created when I generate a client on the client tab? Or, following some of the OpenVPN docs, maybe I need to generate certificates directly from CentOS? The client tab asks for a remote host. The road warrior will be moving from place to place with changing IP addresses, so this can’t refer to his host, but if not, what does it mean?

These questions show that I don’t know what I’m doing. :slight_smile: The help file for VPN is a bit thin for inexperienced users. Thanks.


(Stéphane de Labrusse) #7

From what I recall NS can generate .P12 certificates, it is a bundle that you can use easily with Microsoft and the openvpn client. With Network-Manager you need to use simple certificates (ta-key, pub ca root, private and public user key).

Someone should have a go and write some documentation, like I did some time ago http://wiki.contribs.org/OpenVPN_Bridge#Windows and https://geekeries.de-labrusse.fr/?p=235


(Alessio Fattorini) #8

Guess that my friend @davide_marini can help you :slight_smile:


(Davide Marini) #9

Hi Charlie,
I will try to help you, I think you just need a few details to make it work :slight_smile:

  1. Set the roadwarrior server on the OpenVPN tab:
     • auth:
       • if you choose only certificate you don’t need to provide user and pass to authenticate
       • if you choose one of the other options you need to create system users in the general Users section
     • mode: usually the best is routed mode, just specify a local network (RFC 1918, e.g. 192.168.101.0/255.255.255.0) not already used by the firewall

  2. Now you need to create the accounts for the people wanting to connect (Account tab):
     • create new
     • if you selected “only certificate” you can create a new user, otherwise you must select one of the system users
     • don’t worry about the remote network, you need to specify it just in case of net-to-net OpenVPN

  3. Now your account is ready, just click on the triangle near the “edit” button and select download; the first choice is the right one for using OpenVPN.

  4. Once you have downloaded the file, open it with an editor and verify the “remote” option: NethServer automatically sets it to the server name, but if your server name is not public (not resolved from internet DNS) you should replace it with the server’s public IP.

  5. Be sure that port 1194 UDP is correctly forwarded from the router to the red interface of NethServer.

Hope this helps :smile:

and… any suggestion to improve the interface is welcome!

Davide
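As an added example (not from the thread or the NethServer project), a small Python checker for the two things this thread runs into with a downloaded .ovpn profile: a `remote` host that only resolves on the LAN (the list of non-public suffixes is an assumption), a port other than 1194 that would need forwarding instead, and a missing `remote-cert-tls server` line, which is what produces the "No server certificate verification method" warning. The sample profile is constructed.

```python
import ipaddress

# Hostname suffixes public DNS will not resolve (assumption for this example).
NON_PUBLIC_SUFFIXES = (".lan", ".local", ".localdomain", ".internal", ".home")

# Constructed sample profile reproducing the thread's symptom (not a real export).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote fakedomain.lan 1194
<ca>
placeholder
</ca>
"""

def parse_directives(profile):
    """Return (name, args) pairs, skipping comments and inline <ca>/<cert>/<key> blobs."""
    directives, in_blob = [], False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_blob = False
        elif line.startswith("<"):
            in_blob = True
        elif not in_blob:
            name, *args = line.split()
            directives.append((name, args))
    return directives

def check_profile(profile):
    """Flag a LAN-only 'remote' host, a non-default port, and a missing server-cert check."""
    findings, directives = [], parse_directives(profile)
    for name, args in directives:
        if name != "remote":
            continue
        host, port = args[0], (args[1] if len(args) > 1 else "1194")
        try:
            ipaddress.ip_address(host)  # a literal IP is fine as-is
        except ValueError:
            if "." not in host or host.lower().endswith(NON_PUBLIC_SUFFIXES):
                findings.append(f"remote '{host}' is not a public name; use the "
                                "server's public IP or a DynDNS name")
        if port != "1194":
            findings.append(f"remote uses port {port}, so forward port {port}, not 1194")
    if not any(n == "remote-cert-tls" and a[:1] == ["server"] for n, a in directives):
        findings.append("'remote-cert-tls server' missing: server certificate is not verified")
    return findings
```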


(Charlie Lehardy) #10

Thank you, Davide. I have it working now and your instructions helped me find the issue that was preventing my connection, which was the “remote” address in the OVPN config file. My domain is not registered, and I had seen that my VPN client was attempting to connect to “fakedomain.lan”, but it wasn’t until I looked more closely at the OVPN file that I saw that I could simply replace that non-existent host with the static IP of my NethServer box. Or, a DynDNS domain would have worked just as well for those without static IPs. Once I made that correction, the client VPN connected to NethServer perfectly.

I had assumed I might need to use port forwarding to open up 1194, but that doesn’t seem to be the case. I assume the reason is that the VPN server running on NethServer is already looking for incoming requests for 1194 and allows them through the firewall.

Again, thanks for your help. Now I’m going to try to create a client that will connect my NethServer box to my Zentyal box. This process has been a good learning experience.


#13

Well, I deleted my post because after skimming the docs, I don’t know enough about NethServer’s firewalls. There may be a default ruleset when in gateway mode; it looks like there are two different firewalls depending on role, so I was going to stay out of it, but I will say this: port forwarding and firewalls are completely different. I also don’t know if, in gateway mode, NethServer opens port 1194 by script when the OpenVPN module is started.
As long as you don’t have other services, like ssh, available to the ’net, so script kiddies can entertain themselves with your server.


#14

The real question here, is who can create the longest post and then delete it.

lol!


(Charlie Lehardy) #15

lol. After digging some more, I found that the default for VPN (network services) when NethServer installs the service is that it is accessible from both green and red. That can be changed, but it seems necessary to open UDP 1194 so that a VPN client can ask for access. Since NethServer already opens 1194, no port forwarding is needed. Thanks for your (retracted) warning. It prompted me to dig a bit deeper to make sure I had the firewall configured properly.


(Alessio Fattorini) #16

I moved a post to a new topic: OpenVpn and no server certificate verification method