DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

#1 2008-06-25 02:49:08

luusac
Member
Registered: 2008-04-29
Posts: 360

OpenVPN sample config files wanted for dns323

Hi,
I am looking for sample configs for openvpn.  A client/server sample was posted in this thread, but that is not for a windows client.  My setup is internet -> cable modem -> router (forwarding udp port 1194)  -> dns323.  I have openvpn on the dns323 and windows clients (XPsp2 & Vista).  What I want to be able to do is use my dyndns address to access the dns323 remotely with openvpn.  I have tried for ages to get this working, using sample config files that I have found on places like the openvpn website, but with little success, I usually get an "ifconfig is used inconsistently" error (even when I have copied and pasted from the openvpn how to....)  Can somebody post some samples they have from working setups to help me out please....  Ideally where either a static key is used, or where the sample certificates and keys that are available as part of the openvpn distro can be used, so that I can get a working system before moving on to the certificate based security.
thanks
lu


#2 2008-06-25 03:02:39

andrey
Member
Registered: 2008-03-22
Posts: 34

Re: OpenVPN sample config files wanted for dns323

The configuration that I posted *is* for a Windows client. In theory, however, it shouldn't matter whether it is a *nix or Windows client.


#3 2008-06-25 13:57:34

luusac
Member
Registered: 2008-04-29
Posts: 360

Re: OpenVPN sample config files wanted for dns323

openvpn won't initialize when using the client config on windows because it complains that there is a missing ifconfig directive .... so, while I did try and get it to work, I just couldn't (and I have been looking at the docs on www.openvpn.net).  Also there are some windows commands such as ip-win32 in some of the sample configs that I have come across.  I am not trying to be lazy - as I said in the post I have been trying for ages to get this to work, by using different configs and changing relevant directives (such as using my dyndns address for the remote directive), but no luck so far (and I don't believe that it is down to firewall problems).
thanks
lu


#4 2008-06-25 19:55:54

andrey
Member
Registered: 2008-03-22
Posts: 34

Re: OpenVPN sample config files wanted for dns323

Lu

Here is my configuration:
internet >> router (runs dynddns) --- DNS-323
                                              --- 1st PC
                                              --- 2nd PC
                                              --- printer

I also have a laptop that I use to connect from a remote location. Basically, you set up DynDDNS on your router and open a specific port for VPN. At the same time, on DNS-323 you should have running OpenVPN on that specific port. Once that is done, install OpenVPN GUI on a remote laptop that you'd be connecting with.

Remember, on Windows you need to install OpenVPN GUI (http://openvpn.se/) and not OpenVPN server. Once that is done and you have appropriate keys, use the configuration that I posted earlier to get it to work. This has worked for me and for several other folks on this board, so hopefully you'll get it to work too! Good luck!

-- Andrey

Last edited by andrey (2008-06-25 19:57:11)


#5 2008-06-25 20:33:07

luusac
Member
Registered: 2008-04-29
Posts: 360

Re: OpenVPN sample config files wanted for dns323

Hi Andrey,

andrey wrote:

Here is my configuration:
internet >> router (runs dynddns) --- DNS-323
                                              --- 1st PC
                                              --- 2nd PC
                                              --- printer

Exactly the same setup here. (I don't access the printer via the dns323 though and all PCs run windows, and have a laptop with vista).

andrey wrote:

Basically, you set up DynDDNS on your router and open a specific port for VPN. At the same time, on DNS-323 you should have running OpenVPN on that specific port.

That is what I have been trying ... I use the default 1194 port (and even explicitly mention it in the openvpn config) and forward that port to the dns323 which is assigned a static IP.  netstat -l shows
udp        0      0 dlink-ABC123:1194       0.0.0.0:*

So the dns323 is listening on that port.

andrey wrote:

Once that is done, install OpenVPN GUI on a remote laptop that you'd be connecting with.
Remember, on Windows you need to install OpenVPN GUI (http://openvpn.se/) and not OpenVPN server.

Now you are losing me ....  Is there such a thing as two separate binaries, one for client and one for server?  I thought that it was the same package, the only difference being that at the dns323 end you use a 'server' config and at the other end (in my case a windows laptop) a client configuration.  Am I mistaken?  I thought that the GUI was only that .. a GUI ... a front end to the OpenVPN binary - the one I tried has a log window which outputs the console results.  So you can either go to an administrator console on windows and type openvpn --config client.ovpn and get the output there or use a gui to launch the same openvpn binary - in fact the gui detects what config files you have in the openvpn\config directory and lists them ready for use.  I don't have the laptop with me at the moment (where the gui is installed), but I think that the openvpn gui was even telling me that a connection was established when the openvpn daemon was not even running on the dns323!

I just went to the website you mentioned (and indeed that was one of the GUIs that I had installed on the laptop) and it says:

"OpenVPN is normally run in a console window, which can be a little annoying to have lying on the taskbar all the time. OpenVPN GUI lets you run OpenVPN without this console window."

andrey wrote:

Once that is done and you have appropriate keys, use the configuration that I posted earlier to get it to work. This has worked for me and for several other folks on this board, so hopefully you'll get it to work too! Good luck!

I used the sample keys / certs that come with openvpn to try your config with the exception of "tls-auth ta.key 1" which I commented out as I didn't know which of the sample keys to use with this setting, but got the error I mentioned earlier: "Options error: On Windows, --ifconfig is required when --dev tun is used".  That is why I couldn't get it to work.

thanks
lu


#6 2008-06-26 01:04:51

andrey
Member
Registered: 2008-03-22
Posts: 34

Re: OpenVPN sample config files wanted for dns323

lu,

Here is my exact client configuration that I use with OpenVPN GUI:

OpenVPN folder\
                      client.ovpn
                      ta.key
                      \keys
                          ca.crt
                          ta.key
                          laptop.crt
                          laptop.key
                         

client

remote site_xyz.dlinkddns.com 1723

dev tun
;dev tap

proto udp

resolv-retry infinite

nobind

persist-key
persist-tun

# server security
tls-client
tls-auth ta.key 1

# mute repeated wireless packets
mute-replay-warnings

# connection keys
ca keys/ca.crt

# unique client keys
cert keys/laptop.crt
key keys/laptop.key

# ensure connection to a server
ns-cert-type server


# cryptographic cipher.
;cipher AES-128-CBC

# enable compression
comp-lzo

;verb 3

To get things working on DNS-323 side, I installed debian etch, installed VPN there using "apt-get install openvpn". Once that was done, I generated each set of keys and placed them in the appropriate folder for OpenVPN binaries (the link to binaries is in another thread). The next step was to set up the configuration on the server.

Volume_1\openvpn
              openvpn
              server.conf
              ta.key
              tun.ko
              \etc
                   ca.crt
                   dh1024.pem
                   key.crt
                   key.key


Here is exactly what server.conf looks like:

local 10.0.0.150
port 1723
proto udp

;dev tap
dev tun0

tls-server
tls-auth ta.key 0        # server

# root certificates
ca etc/ca.crt
dh etc/dh1024.pem

# server certificates
cert etc/key.crt
key etc/key.key       # server

server 10.10.0.0 255.255.255.0

push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"

# direct all traffic through VPN
;push "redirect-gateway"

;ifconfig-pool-persist ip.lst

# allow clients to be able to "see" each other.
client-to-client
# allow multiple clients to connect
duplicate-cn

keepalive 10 120

# extra security

;cipher BF-CBC           # Blowfish
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# enable compression on the VPN link.
comp-lzo

max-clients 10
persist-key
persist-tun

;verb 3
;status openvpn-status.log

I would strongly suggest generating keys using etch rather than using sample keys. You can reference this website http://www.ventanazul.com/webzine/artic … u-and-hulu for how to get those keys (don't look at their configuration though, just the keys part!).

Last edited by andrey (2008-06-26 01:13:09)
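
A consistency and hardening check over the client.ovpn / server.conf pair posted above, as an added example that is not part of andrey's post or of OpenVPN itself. `parse` and `audit` are hypothetical helpers, the sample text is a constructed excerpt of the posted configs, and the DH size is guessed from the file name.

```python
import re

# Constructed excerpts of the server.conf and client.ovpn posted above.
SERVER = """port 1723
tls-auth ta.key 0        # server
dh etc/dh1024.pem
duplicate-cn
;cipher AES-128-CBC   # AES
"""
CLIENT = """remote site_xyz.dlinkddns.com 1723
tls-auth ta.key 1
ns-cert-type server
;cipher AES-128-CBC
"""

def parse(text):
    """Map directive -> args (last occurrence wins); ';' and '#' start comments."""
    opts = {}
    for line in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(server, client):
    """Return findings for one server/client pair (hypothetical helper)."""
    s, c, out = parse(server), parse(client), []
    cport = (c.get("remote", ["?"]) + ["1194"])[1]      # 1194 is the default port
    if cport != s.get("port", ["1194"])[0]:
        out.append("port: client 'remote' and server 'port' differ")
    sd, cd = s.get("tls-auth"), c.get("tls-auth")
    if bool(sd) != bool(cd):
        out.append("tls-auth: enabled on one side only, the handshake fails")
    elif sd and sorted(sd[1:2] + cd[1:2]) not in ([], ["0", "1"]):
        out.append("tls-auth: key directions must be 0 on one side, 1 on the other")
    if "duplicate-cn" in s:
        out.append("duplicate-cn: one client certificate can be used by many peers")
    bits = re.search(r"dh(\d+)", s.get("dh", [""])[0])
    if bits and int(bits.group(1)) < 2048:
        out.append("dh: %s-bit parameters (size guessed from file name)" % bits.group(1))
    for side, o in (("server", s), ("client", c)):
        if "cipher" not in o:
            out.append("cipher: none set on %s, default applies (BF-CBC in 2008-era builds)" % side)
    if "ns-cert-type" in c:
        out.append("ns-cert-type: deprecated, newer releases use 'remote-cert-tls server'")
    return out

print("\n".join(audit(SERVER, CLIENT)))
```

Commenting out `tls-auth` on the client only, as described in post #5, makes `audit` report the one-sided `tls-auth` finding.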


#7 2008-06-26 03:27:25

luusac
Member
Registered: 2008-04-29
Posts: 360

Re: OpenVPN sample config files wanted for dns323

andrey wrote:

lu,
To get things working on DNS-323 side, I installed debian etch, installed VPN there using "apt-get install openvpn". Once that was done, I generated each set of keys and placed them in the appropriate folder for OpenVPN binaries (the link to binaries is in another thread).

ah, I didn't want to have to install a whole linux image - the wiki page put me off - where it says you need to hack a serial port into the dns323 - although I have just noticed the chroot_debian page where you don't need to do anything of the sort!  Maybe something to consider for the future.  I just used the binary that HaydnH made available on the forum, unfortunately though it doesn't include the scripts to generate the keys (but perhaps you need openssl installed on the dns323 too to be able to use them (windows openvpn comes with an openssl.exe))

andrey wrote:

I would strongly suggest generating keys using etch rather than using sample keys. You can reference this website http://www.ventanazul.com/webzine/artic … u-and-hulu for how to get those keys (don't look at their configuration though, just the keys part!).

Sure, I just wanted to get a working system before I start generating keys and certificates myself, so if it stops working I will know it is because of the new certificates.  In case anybody else reads this thread, the openvpn docs clearly state use of the sample certs/keys should be confined to testing purposes only.  Generate your own for production systems.

Thanks for your help and persistence.  I won't be able to give it another go for a week or so, but fingers crossed.

cheers

lu
