Linux Help
Vpn Help Needed, almost working, almost :)
Robert83
post Apr 1 2004, 07:12 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

I'm using two Whitebox 3.0 linux computers [1 fully updated, 1 only has the latest openvpn and bridge utils; I'm getting that yum error, will wait a while till the servers are fast again].

So here I go

I've downloaded the bridge utils onto both machines.
I've downloaded the openvpn rpm with apt-get from [DAG something, can't remember the full name]...

I've created a static key... which is called key and it's in /home/key on both computers.
I've copied the key to the other machine using MC's SSH link.

I've modified my and the other computer's kernel to enable BRIDGE and TUN in the config file.

My machine's rc.local looks like this:

CODE
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
# create a persistent tap0 device, then bridge it together with eth0
openvpn --mktun --dev tap0
brctl addbr br1
brctl addif br1 tap0
brctl addif br1 eth0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth0 0.0.0.0 promisc up
ifconfig br1 192.168.0.102 netmask 255.255.255.0
# this side has no --remote, so it waits for the peer; --daemon sends it to
# the background so rc.local can finish (the backslashes keep it one command)
openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 \
        --secret /home/key \
        --ping 40 --float --comp-lzo --daemon

I'm using only 1 ethernet card [for testing that bridge I thought 1 should do the same thing...]

Here is my modules.conf:
CODE
alias eth0 8139too
alias usb-controller usb-ohci
alias usb-controller1 ehci-hcd
alias sound-slot-0 i810_audio
alias char-major-10-200 tun
post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 || :
pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 || :


and on the other computer:

CODE
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
# create a persistent tap0 device, then bridge it together with eth0
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 tap0
brctl addif br0 eth0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth0 0.0.0.0 promisc up
ifconfig br0 192.168.0.100 netmask 255.255.255.0
# this side initiates with --remote; note there is no --daemon here, so
# openvpn stays in the foreground and rc.local does not return while it runs
openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 \
        --secret /home/key \
        --ping 30 --remote 192.168.0.102 --float


and the modules.conf file:
CODE
alias usb-controller usb-ohci
alias usb-controller1 ehci-hcd
alias sound-slot-0 i810_audio
post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 || :
pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 || :
alias eth0 nvnet
alias sound-slot-1 nvaudio
alias usb-interface usb-ohci
alias char-major-10-200 tun


Note: I've tried the nvnet card and it works as it should [so ethernet drivers on the remote computer should not be a problem]...
I've also left iptables enabled, BUT I don't use any rules... so it shouldn't be in the way...

When the client computer tries to connect to me [I've tested the cable too, it's ok] it says:
CODE
TUN / TAP device tap0 opened
Persist state set to : ON
OpenVPN ver[blablabla]
TUN /TAP device tap0 opened
PTHREAD support initialized
UDPV v4 link local (bound ) ....[don't know what was here]
read UDPv4 EHOSTUNREACH No route to host
read UDPv4 EHOSTUNREACH no route to host

and it continues forever with this error.

please help me

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Robert83
post Apr 1 2004, 10:32 AM
Post #2





Hi,

Ok, I recompiled my kernels on both computers again; now it seems to be working ok. The machines boot up, and that message about connecting to 192.168.0.102 [that's me] no longer shows up, I mean that Host Not Reachable message...

I've pinged the other computer; it is now capable of pinging it [ping 192.168.0.100] and I'm also capable of using ssh 192.168.0.100 [from 192.168.0.102].

The only two things that still bother me are :

1. I've checked my /var/log/messages.log, and these errors show up about LZO:
CODE
Apr  1 17:30:14 test1 kernel: hdb: ATAPI 52X CD-ROM drive, 128kB Cache, UDMA(33)
Apr  1 17:30:14 test1 kernel: Uniform CD-ROM driver Revision: 3.12
Apr  1 17:30:14 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:14 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:30:15 test1 kernel: cdrom: This disc doesn't have any tracks I recognize!
Apr  1 17:30:24 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:34 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:37 test1 kernel: eth0: Promiscuous mode enabled.
Apr  1 17:30:37 test1 kernel: eth0: Promiscuous mode enabled.
Apr  1 17:30:44 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:45 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:30:52 test1 last message repeated 5 times
Apr  1 17:30:55 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:55 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:31:05 test1 last message repeated 8 times
Apr  1 17:31:05 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:31:05 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:31:12 test1 last message repeated 8 times
Apr  1 17:31:15 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:31:35 test1 last message repeated 2 times
Apr  1 17:31:51 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:31:58 test1 last message repeated 5 times
Apr  1 17:32:28 test1 openvpn[2770]: Bad LZO decompression header byte: 42
Apr  1 17:33:28 test1 last message repeated 2 times
Apr  1 17:34:58 test1 kernel: Intel 810 + AC97 Audio, version 0.24, 15:56:11 Apr  1 2004
Apr  1 17:34:58 test1 kernel: i810: NVIDIA nForce Audio found at IO 0xd800 and 0xd400, MEM 0x0000 and 0x0000, IRQ 5
Apr  1 17:34:59 test1 kernel: i810_audio: Audio Controller supports 6 channels.
Apr  1 17:34:59 test1 kernel: i810_audio: Defaulting to base 2 channel mode.
Apr  1 17:34:59 test1 kernel: i810_audio: Resetting connection 0
Apr  1 17:34:59 test1 kernel: ac97_codec: AC97  codec, id: ALG96 (Unknown)
Apr  1 17:34:59 test1 kernel: i810_audio: only 48Khz playback available.
Apr  1 17:34:59 test1 kernel: i810_audio: AC'97 codec 0 Unable to map surround DAC's (or DAC's not present), total channels = 2
Apr  1 17:34:59 test1 modprobe: modprobe: Can't locate module sound-service-0-3

Is this a big problem? Or is this normal? [at startup; since then I've copied some files with MC using its ssh link to the other computer 192.168.0.100, and it went there, about 100MB, ok].

2. The other computer [which uses the fixed IP to connect to the remote site] stops at that OpenVPN link established stuff and won't go further. Where should I put this OpenVPN startup script so that my other linux computer could start up without stopping at that OpenVPN part [I mean it's fully functional through ssh, but it stops there...]?

3. How complicated would it be to link my 3 existing remote whitebox linux computers to my central NAT/PROXY/DNS server? [it has 4 ethernet cards...] Would this be good? Or should I put another computer in front of the NAT/PROXY/DNS server that will connect the 3 locations together through OpenVPN and would be directly connected to the NAT/PROXY/DNS?

4. Also, since I don't have that many computers to try this out in real life, I would like to ask the following:
If the OpenVPN link is done with these fixed IP addresses 192.168.0.100 ---OpenVPN---- 192.168.0.102,
would a computer from 192.168.2.14 ---- 192.168.0.100 ---OpenVPN ---- 192.168.0.102 ---- 192.168.2.250 [NAT/PROXY/DNS] be able to go to the internet, and see all computers in its own subnet [192.168.2.x]?
I DO hope that Win98SE also supports this OpenVPN solution [since this is the oldest type of windows we use, 5 workstations].

5. I've read about these security types in OpenVPN, and they say that this static key should be ok for LANs; would this be secure enough for me in our WAN? [one city only, locations are 2-3 km in distance from each other]. I already use some security with the Wireless Bridges [48-bit encryption [?]], and now this OpenVPN with 2048-bit security should be a good combo, right? IF I change the keys each month, for example.

Sincerely
Robert B


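The two rc.local scripts in the first post differ in one option that a static-key tunnel has to agree on: the 192.168.0.102 side runs with --comp-lzo and the 192.168.0.100 side does not. A peer that expects LZO reads the first byte of every incoming packet as a compression header, which is consistent with the "Bad LZO decompression header byte" lines in the log above. The following script is an added example, not code from the thread or from OpenVPN: it parses the two command lines as posted and reports the options that do not agree. The list of must-match options (device type, MTU settings, key file, compression) and the function names parse_options and check_peers are the editor's assumptions drawn from the OpenVPN manual; options that legitimately differ per side, such as --ping or --remote, are left alone.

```python
"""Cross-check two OpenVPN static-key command lines for options that must
agree on both peers.  Added example, not code from the thread or from OpenVPN;
the two command lines are copied from the posted rc.local scripts, and the
list of must-match options is an assumption drawn from the OpenVPN manual."""
import shlex

# Options both ends of a static-key tunnel have to agree on (assumption):
# device type, MTU parameters, the shared key file, and LZO compression.
MUST_MATCH = ("--dev", "--tun-mtu", "--tun-mtu-extra", "--secret", "--comp-lzo")

# Copied from the two rc.local scripts in the thread, joined into one line each.
PEER_A = ("openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 "
          "--secret /home/key --ping 40 --float --comp-lzo --daemon")
PEER_B = ("openvpn --tun-mtu 1500 --tun-mtu-extra 64 --dev tap0 "
          "--secret /home/key --ping 30 --remote 192.168.0.102 --float")


def parse_options(cmdline):
    """Map each --option to its argument string, or to True for a bare flag."""
    words = shlex.split(cmdline)
    opts = {}
    i = 1  # words[0] is the program name
    while i < len(words):
        opt = words[i]
        if not opt.startswith("--"):
            raise ValueError(f"expected an option, got {opt!r}")
        i += 1
        args = []
        while i < len(words) and not words[i].startswith("--"):
            args.append(words[i])
            i += 1
        opts[opt] = " ".join(args) if args else True
    return opts


def check_peers(cmd_a, cmd_b):
    """Return human-readable mismatches between two peer command lines."""
    a, b = parse_options(cmd_a), parse_options(cmd_b)
    problems = []
    for opt in MUST_MATCH:
        va, vb = a.get(opt), b.get(opt)
        if opt == "--dev":
            # device names may differ per host; only the type (tun/tap) must match
            va, vb = str(va)[:3], str(vb)[:3]
        if va != vb:
            problems.append(f"{opt}: peer A has {a.get(opt)!r}, peer B has {b.get(opt)!r}")
    if "--remote" not in a and "--remote" not in b:
        problems.append("--remote: neither peer names the other, so nobody initiates")
    return problems


if __name__ == "__main__":
    for line in check_peers(PEER_A, PEER_B) or ["no mismatches"]:
        print(line)
```

Run against the posted command lines it reports only the --comp-lzo mismatch; adding --comp-lzo to the second peer (or removing it from the first) makes the list empty.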
Robert83
post Apr 1 2004, 11:00 AM
Post #3





Hi,

I'm looking at the firewall example for such an OpenVPN connection.

Would this be ok for me? What I want to do is only allow communication through OpenVPN and drop the rest. I'm hoping that with this I can make sure that if someone figures out the 48-bit[?] encryption code for the wireless lan and can get a signal, he/she still won't be able to communicate without the proper key. He'll be stuck between the four OpenVPN points.

CODE
iptables -A INPUT -p udp --dport 5000 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it

Would the above firewall ruleset work well? I mean it would supposedly allow communication through OpenVPN only and drop everything else... except it would allow users to connect to the Bridge itself [since it's a Samba Local Master Browser, WINS server, Small Backup File Server].

And please tell me, what is tap?
And what do that tun+ and tap+ do; what is that + supposed to do?

Sincerely
Robert B


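The post above asks what the + in tun+ and tap+ does and whether the ruleset really lets only VPN traffic through. As an added example (the editor's, not from the thread or from iptables itself), here is a small first-match evaluator for exactly the rules posted: each chain is walked top-down, LOG is non-terminating, a jump to the user chain drop-and-log-it returns to the caller if nothing there terminates, and a trailing + in an interface name is a prefix wildcard. The sample packets are constructed; the function names iface_matches, evaluate and decide are the editor's.

```python
"""Walk the iptables ruleset posted above for sample packets, to show what it
accepts, what goes to drop-and-log-it, and how the '+' interface wildcard
matches.  Added example: a small first-match evaluator of the posted rules,
not iptables itself; the sample packets are constructed."""


def iface_matches(pattern, iface):
    """iptables '-i' matching: a trailing '+' turns the pattern into a prefix
    wildcard, so tun+ matches tun0, tun12 and anything else starting with 'tun'."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


# Rules as (in-interface, protocol, destination port, target); None = any.
# Same order as the posted script: iptables evaluates top-down, first match wins.
CHAINS = {
    "INPUT": [
        (None, "udp", 5000, "ACCEPT"),       # the OpenVPN port itself
        ("tun+", None, None, "ACCEPT"),
        ("tap+", None, None, "ACCEPT"),
        ("br0", None, None, "ACCEPT"),
        (None, None, None, "drop-and-log-it"),
    ],
    "FORWARD": [
        ("tun+", None, None, "ACCEPT"),
        ("tap+", None, None, "ACCEPT"),
        ("br0", None, None, "ACCEPT"),
        (None, None, None, "drop-and-log-it"),
    ],
    "drop-and-log-it": [
        (None, None, None, "LOG"),           # LOG does not terminate: the next rule still runs
        (None, None, None, "DROP"),
    ],
}


def evaluate(chain, iface, proto, dport, log):
    """Verdict of one chain, or None if no rule terminated (a user chain then
    returns to its caller; a built-in chain falls back to its policy, which is
    ACCEPT unless one was set, and the posted script sets none)."""
    for r_iface, r_proto, r_dport, target in CHAINS[chain]:
        if r_iface is not None and not iface_matches(r_iface, iface):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        if target == "LOG":
            log.append(f"iptables IN={iface} PROTO={proto} DPT={dport}")
            continue
        if target in CHAINS:
            verdict = evaluate(target, iface, proto, dport, log)
            if verdict is not None:
                return verdict
            continue
        return target
    return None


def decide(chain, iface, proto, dport):
    """Verdict for one packet plus the LOG lines it produced."""
    log = []
    verdict = evaluate(chain, iface, proto, dport, log) or "ACCEPT (chain policy)"
    return verdict, log


if __name__ == "__main__":
    for pkt in [("INPUT", "eth0", "udp", 5000),    # the peer's OpenVPN traffic
                ("INPUT", "eth0", "tcp", 22),      # ssh at a NIC that is not part of a bridge
                ("INPUT", "tap0", "tcp", 22),      # ssh arriving through the tunnel
                ("INPUT", "br0", "tcp", 139),      # Samba on the bridge itself
                ("INPUT", "br1", "tcp", 139),      # the first machine's bridge is br1, not br0
                ("FORWARD", "eth1", "tcp", 80)]:   # anything routed from a non-VPN interface
        print(pkt, "->", decide(*pkt))
```

Two things the walk makes visible. First, on a bridge member such as the posted eth0, locally delivered frames reach INPUT with br0 (not eth0) as the in-interface, so the br0 rule is what admits Samba and ssh to the bridge host itself. Second, the first machine in the thread names its bridge br1, and the posted rules only accept br0, so on that machine everything arriving over the bridge would fall through to drop-and-log-it until the rule is adjusted.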
Robert83
post Apr 2 2004, 08:41 AM
Post #4





Hi,

I apologize for posting this again,
but could someone please have a look at this post?
I've already managed to get OpenVPN working; I would just need those other questions
answered about the firewall (would it be ok for the bridge machines using OpenVPN?) and that other few questions...


Sincerely
Robert B


hughesjr
post Apr 2 2004, 09:28 AM
Post #5


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



I have only used the openvpn once, and for a short period of time. (We replaced the wireless link with a point to point t-1 line).

I don't know what the openvpn[2770]: Bad LZO decompression error is... does it only happen on startup, or all the time you have the vpn running?


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
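The question above (startup only, or for as long as the VPN runs?) can be answered from the posted /var/log/messages excerpt instead of by eye. The following is an added example, the editor's and not from the thread: it counts the "Bad LZO decompression header byte" events in a syslog excerpt, expands syslogd's "last message repeated N times" lines (which refer to whatever message that host logged just before, OpenVPN or not), and reports whether all events fall inside a startup window. The sample lines are a constructed subset of the posted log, with one extra constructed line at the end to show a repeat of a non-OpenVPN message being ignored; the year 2004 is supplied because syslog timestamps carry none; the names lzo_events and summarize are the editor's.

```python
"""Count the "Bad LZO decompression header byte" events in a syslog excerpt
and report whether they are confined to a startup window.  Added example,
not code from the thread; SAMPLE is a constructed subset of the posted log."""
import re
from datetime import datetime, timedelta

SYSLOG = re.compile(r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
LZO = re.compile(r"^openvpn\[\d+\]: Bad LZO decompression header byte: (\d+)$")

# Constructed subset of the posted /var/log/messages excerpt; the final
# "repeated 3 times" line is constructed to show a non-OpenVPN repeat.
SAMPLE = """\
Apr  1 17:30:14 test1 kernel: Uniform CD-ROM driver Revision: 3.12
Apr  1 17:30:14 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:14 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:30:15 test1 kernel: cdrom: This disc doesn't have any tracks I recognize!
Apr  1 17:30:24 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:34 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:37 test1 kernel: eth0: Promiscuous mode enabled.
Apr  1 17:30:44 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:45 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:30:52 test1 last message repeated 5 times
Apr  1 17:30:55 test1 openvpn[2770]: Bad LZO decompression header byte: 40
Apr  1 17:30:55 test1 openvpn[2770]: Bad LZO decompression header byte: 255
Apr  1 17:31:05 test1 last message repeated 8 times
Apr  1 17:32:28 test1 openvpn[2770]: Bad LZO decompression header byte: 42
Apr  1 17:33:28 test1 last message repeated 2 times
Apr  1 17:34:58 test1 kernel: i810_audio: Audio Controller supports 6 channels.
Apr  1 17:35:00 test1 last message repeated 3 times
""".splitlines()


def parse_stamp(stamp, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def lzo_events(lines, year=2004):
    """Yield (timestamp, header_byte) per LZO error.  A 'last message repeated
    N times' line refers to the message logged just before it on that host,
    whatever its source, so the previous line is tracked per host.  Repeated
    events are given the repeat line's timestamp (a simplification)."""
    previous = {}  # host -> header byte of its last message, or None if not an LZO error
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, host, rest = parse_stamp(m["stamp"], year), m["host"], m["rest"]
        rep = REPEAT.match(rest)
        if rep:
            byte = previous.get(host)
            if byte is not None:
                for _ in range(int(rep.group(1))):
                    yield stamp, byte
            continue
        lz = LZO.match(rest)
        byte = int(lz.group(1)) if lz else None
        if byte is not None:
            yield stamp, byte
        previous[host] = byte


def summarize(lines, year=2004, startup_window=timedelta(minutes=5)):
    """Count, first/last time, distinct header bytes, and whether every event
    lies within startup_window of the first one."""
    events = list(lzo_events(lines, year))
    if not events:
        return {"count": 0}
    first = min(t for t, _ in events)
    last = max(t for t, _ in events)
    return {
        "count": len(events),
        "first": first.strftime("%H:%M:%S"),
        "last": last.strftime("%H:%M:%S"),
        "header_bytes": sorted({b for _, b in events}),
        "confined_to_startup": last - first <= startup_window,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample the 15 visible OpenVPN lines expand to 24 events between 17:30:14 and 17:33:28, all inside a five-minute window, which matches the "only during startup" answer given later in the thread; run over a full day's log, a growing count or a late last timestamp would say otherwise.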
Robert83
post Apr 2 2004, 09:32 AM
Post #6





Hi,

Thanks for the reply :)

It only happens during startup; after that it stops... everything works.

I even tried that firewall thing; it works too... I can ping the computer [both]... so I guess it's up and running.

Could you please tell me [in theory, at least], would it be possible for a
Windows computer IP=192.168.2.14 to see a computer that is on the other side of the bridge, 192.168.2.250?
[I mean in between are the 192.168.1.200---OpenVPN---192.168.1.210 Bridges]


Sincerely
Robert B


hughesjr
post Apr 2 2004, 09:33 AM
Post #7





Does ifconfig show br0, tun+ and tap+ as devices? If so, I would think that the ruleset you have will work for iptables.


Robert83
post Apr 2 2004, 09:53 AM
Post #8





Hi,

ifconfig shows:

br0
eth0 [I'm doing this test with only 1 ethernet card; it should work with 2, 3, etc...]
lo
tap0

I've modified my modules.conf file: alias char-major-10-200 tun

Sincerely
Robert B


hughesjr
post Apr 2 2004, 06:06 PM
Post #9





Yes... if openvpn is running correctly, all PCs on both sides that are on 192.168.2.x should be able to ping each other (if the subnet mask of each is 255.255.255.0).


