Well, since the server is bricked, it sounds like you won't be able to do
anything until Monday.
But once you get access back to it, if you want to proceed through the GUI,
you can try using the settings I pasted earlier- under OpenVPN Server
configuration.
In summary:
(Tunnel Options)
Protocol: TCP (This is preferable to UDP)
Port: 1194 (The default, but could be changed if you want to - just make
sure it's the same on clients too)
Compression: Yes (Optional, but suggested)
Cipher: AES-128-CBC (You can set this to whatever you want, but make sure
it's all consistent. The higher the encryption, the more taxing it will be).
Device: tun0 (What the interface will be created for this tunnel on the
server)
Raw Commands: ifconfig-pool-linear
(Server Mode)
Network: ***This is the network you want to be running over the TUNNEL.
Make sure you chose something not being used by any other network
interface. This might have been what caused the bricking earlier, if you
set it the same as the WAN interface. It should be in the format of X.X.X.X
Y.Y.Y.Y, with X as the network address and Y as the subnet mask (ie:
172.21.0.0 255.255.255.0)***
Push: This is where you will put in any options you want pushed to the
remote clients. If you want to route two networks behind the server,
specify them here. for example:
*
route 172.20.0.0 255.255.255.0
route 172.30.0.0 255.255.255.0
dhcp-option domain abc.com
dhcp-option DNS 172.20.0.1
*
The above should be self explanatory, but you are basically pushing the
routes to those networks down, as well as the dhcp options. Customize as
necessary.
The route commands above will handle routing traffic FROM clients TO
networks behind the server. If you need to support routing traffic FROM
networks behind the server TO networks behind the client, you will need to
add the following lines as well:
client-to-client
client-config-dir /mnt/kd/openvpn/ccd
You will then need to make the client-config-dir directory, and add
per-client files (using the client name specified below) in that directory,
with the networks that those clients have. Such as this:
*ccd # cat client1
iroute 192.168.10.0 255.255.255.0*
Again, that part is only necessary if you need that functionality.
Save all of that, and then make sure to generate a server certificate and
key.
Once that is done, you can generate client certs/keys, and setup the client
side configuration. You can use those certs/keys on a computer to test out
openvpn connectivity first, just to make sure the settings are all correct.
This way, if you run into problems on the client side, you know the problem
is with the client side.
The client side settings should mimic the server settings. The "Device"
option can be whatever you want to use on the client though, it doesn't
need to match. My raw commands are:
*
link-mtu 1560
persist-key
persist-tun*
Remote server is the hostname/IP of the VPN server. Remote network should
be the network you chose on the Server side above.
You will need to upload (through the GUI) the client CA/Cert/Key you
created for each client under the server side client generator. These need
to be unique for each client.
On the Server Network Configuration GUI page, you will need to go to the
Firewall Configuration and enable OpenVPN access to whatever LAN interfaces
you need to allow them to access.
Good luck, and let us know if you run into any problems.
-James
On Fri, Mar 30, 2012 at 11:37 AM, Tom Chadwin <
nnpait.servi...@googlemail.com> wrote:
> > Are you trying to just create an encrypted tunnel between the two
> Astlinux
> boxes for inter-server communication, or are you trying to route traffic
> across it as well? Are there certain networks you do/don't want to route
> traffic across?
>
> Connect two (well, four) subnets. We have a head office and three satellite
> offices, so this solution would allow clients at the remote sites to access
> central services and allow the central site to back up to the remote sites.
>
> > I have set this up in the past, and it is fairly simple and
> straightforward. It's actually easier in some ways to do it manually (ie:
> not through the GUI). It's been a while since I did it though, so I don't
> remember the precise "step-by-step" instructions.
>
> This is what I need - step-by-step.
>
> > I thought there was a How-To guide on the docs.astlinux.com site, but I
> couldn't find it when I just briefly looked.
>
> Ditto. I've found an old thread on this list, but it is far from an idiot's
> guide. Given my performance so far, an idiot's guide is plainly what I
> need.
>
> > How did you brick the server? That shouldn't have happened.
>
> I wish I knew. At the server end, I created cert/key and saved some initial
> (largely default) settings. Hit save, and the box disappeared. I will have
> to hook up a serial cable on Monday when I am back in the office.
>
> Tom
>
>
> On Fri, Mar 30, 2012 at 10:18 AM, Tom Chadwin
> <nnpait.servi...@googlemail.com> wrote:
> Hello all
>
> Would it be too much to ask for someone to give the full steps, from start
> to finish, to set up a VPN between two Astlinux boxes? I'd prefer OpenVPN.
> I
> need to know what to do (with no shorthand) on both server and client ends.
> While I have some knowledge of VPN (IPSEC, L2TP, and OpenVPN), it's very
> amateur, and gleaned from GUI front ends to systems.
>
> I've had a go at starting to config the server end with no prior knowledge,
> and have bricked a remote box in the process. Hence this request.
>
> Thanks
>
> Tom
>
>
>
> ----------------------------------------------------------------------------
> --
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
>
>
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
>
------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.
