I would suspect the link-mtu set that high on most connections would cause problems with fragmentation. Most cable internet connections and T1's use 1500. Most dsl circuits use 1492. I wouldn't explicitly set the link-mtu unless you're trying to do something non-standard or trying to solve a problem.
Also concur with Lonnie on the transport method. It should be UDP unless you're trying to solve a specific problem. Darrick -----Original Message----- From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com] Sent: Friday, March 30, 2012 2:23 PM To: AstLinux Users Mailing List Subject: Re: [Astlinux-users] OpenVPN config Hi James and Tom, First, I can't say I ever disagreed with James, but I guess there is always a first time. :-) I'd use UDP as the transport Protocol, not TCP. TCP over TCP can lead to jitter problems. So unless there is some upstream restrictions, I'd suggest using Protocol: UDP No need to define... -- persist-key persist-tun -- since they are set by default. I'm not sure about setting link-mtu 1560, I'd leave that out. Tom, if your goal is to connect box A, B, C ... local subnets with each other's subnets, and each box has a static IP address, I'd suggest using "IPsec Peers" VPN type using a strong Preshared Key. Use the web interface, use your *existing* local subnets and define the associations via the public IP address of the boxes. Each tunnel/association on one box is the mirror of the tunnel/association on the other box. If you have 4 boxes, you would define 3 tunnel/associations on each box. The routes will be automatically created. Use the default options as a start, keep them all the same for all the boxes. Of course try to just get two talking at first. Use a Local-Host of either 0.0.0.0 or it's external IP address. My 2 cents. Lonnie On Mar 30, 2012, at 11:13 AM, James Babiak wrote: > Well, since the server is bricked, it sounds like you won't be able to do > anything until Monday. > > But once you get access back to it, if you want to proceed through the GUI, > you can try using the settings I pasted earlier- under OpenVPN Server > configuration. > > In summary: > (Tunnel Options) > Protocol: TCP (This is preferable to UDP) > Port: 1194 (The default, but could be changed if you want to - just make sure > it's the same on clients too) > Compression: Yes (Optional, but suggested) > Cipher: AES-128-CBC (You can set this to whatever you want, but make sure > it's all consistent. The higher the encryption, the more taxing it will be). > Device: tun0 (What the interface will be created for this tunnel on the > server) > Raw Commands: ifconfig-pool-linear > > (Server Mode) > Network: ***This is the network you want to be running over the TUNNEL. Make > sure you chose something not being used by any other network interface. This > might have been what caused the bricking earlier, if you set it the same as > the WAN interface. It should be in the format of X.X.X.X Y.Y.Y.Y, with X as > the network address and Y as the subnet mask (ie: 172.21.0.0 255.255.255.0)*** > Push: This is where you will put in any options you want pushed to the remote > clients. If you want to route two networks behind the server, specify them > here. for example: > > route 172.20.0.0 255.255.255.0 > route 172.30.0.0 255.255.255.0 > dhcp-option domain abc.com > dhcp-option DNS 172.20.0.1 > > The above should be self explanatory, but you are basically pushing the > routes to those networks down, as well as the dhcp options. Customize as > necessary. > > The route commands above will handle routing traffic FROM clients TO networks > behind the server. If you need to support routing traffic FROM networks > behind the server TO networks behind the client, you will need to add the > following lines as well: > > client-to-client > client-config-dir /mnt/kd/openvpn/ccd > > You will then need to make the client-config-dir directory, and add > per-client files (using the client name specified below) in that directory, > with the networks that those clients have. Such as this: > > ccd # cat client1 > iroute 192.168.10.0 255.255.255.0 > > Again, that part is only necessary if you need that functionality. > > Save all of that, and then make sure to generate a server certificate and key. > > Once that is done, you can generate client certs/keys, and setup the client > side configuration. You can use those certs/keys on a computer to test out > openvpn connectivity first, just to make sure the settings are all correct. > This way, if you run into problems on the client side, you know the problem > is with the client side. > > The client side settings should mimic the server settings. The "Device" > option can be whatever you want to use on the client though, it doesn't need > to match. My raw commands are: > > link-mtu 1560 > persist-key > persist-tun > > Remote server is the hostname/IP of the VPN server. Remote network should be > the network you chose on the Server side above. > > You will need to upload (through the GUI) the client CA/Cert/Key you created > for each client under the server side client generator. These need to be > unique for each client. > > On the Server Network Configuration GUI page, you will need to go to the > Firewall Configuration and enable OpenVPN access to whatever LAN interfaces > you need to allow them to access. > > Good luck, and let us know if you run into any problems. > > -James > > On Fri, Mar 30, 2012 at 11:37 AM, Tom Chadwin > <nnpait.servi...@googlemail.com> wrote: > > Are you trying to just create an encrypted tunnel between the two Astlinux > boxes for inter-server communication, or are you trying to route traffic > across it as well? Are there certain networks you do/don't want to route > traffic across? > > Connect two (well, four) subnets. We have a head office and three satellite > offices, so this solution would allow clients at the remote sites to access > central services and allow the central site to back up to the remote sites. > > > I have set this up in the past, and it is fairly simple and > straightforward. It's actually easier in some ways to do it manually (ie: > not through the GUI). It's been a while since I did it though, so I don't > remember the precise "step-by-step" instructions. > > This is what I need - step-by-step. > > > I thought there was a How-To guide on the docs.astlinux.com site, but I > couldn't find it when I just briefly looked. > > Ditto. I've found an old thread on this list, but it is far from an idiot's > guide. Given my performance so far, an idiot's guide is plainly what I need. > > > How did you brick the server? That shouldn't have happened. > > I wish I knew. At the server end, I created cert/key and saved some initial > (largely default) settings. Hit save, and the box disappeared. I will have > to hook up a serial cable on Monday when I am back in the office. > > Tom > > > On Fri, Mar 30, 2012 at 10:18 AM, Tom Chadwin > <nnpait.servi...@googlemail.com> wrote: > Hello all > > Would it be too much to ask for someone to give the full steps, from start > to finish, to set up a VPN between two Astlinux boxes? I'd prefer OpenVPN. I > need to know what to do (with no shorthand) on both server and client ends. > While I have some knowledge of VPN (IPSEC, L2TP, and OpenVPN), it's very > amateur, and gleaned from GUI front ends to systems. > > I've had a go at starting to config the server end with no prior knowledge, > and have bricked a remote box in the process. Hence this request. > > Thanks > > Tom > > > ---------------------------------------------------------------------------- > -- > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure_______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. ------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org. ------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.