LinuxQuestions.org
Old 04-14-2010, 10:44 PM   #1
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Rep: Reputation: 23
Use OpenVPN to connect to home network ?


I have a network that consists of a few desktop machines, laptops, and two Internet connected linux servers. The Linux servers are the gateways, routers, and firewalls for my desktop and laptop machines.

Whenever I'm away from home; I can connect to my home machines over the Internet by first ssh'ing (technically I use Webmin; because my firewall on each Linux server blocks ssh from the Internet.) to one of the linux servers and then ssh'ing to the desired machine on my home network.

This works fine for my home linux machines. But not my Windows machines.
I'd like to be able to rdp or rdesktop to my Windows machines.

Will OpenVPN allow me to accomplish this ?
Is there a simpler solution ?

Thanks;
ET
 
Old 04-15-2010, 03:24 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by slacker_et (post #1 above)
you can accomplish what you desire using openvpn, yes.
but you can also accomplish it by using simple port forwarding on the gateway machine.

either iptables or pbnc which does the forwarding at network rather than kernel level.

out of the 2 methods, pbnc is probably easiest to get going

http://duncanthrax.net/pbnc/
 
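The port-forwarding alternative centosboy describes, as an added example that is not part of the thread: a script that emits the iptables rules for forwarding one public TCP port on the gateway to RDP (TCP 3389) on a Windows host inside the LAN. The interface name, the public port and the Windows host's address are hypothetical. The caveat a practitioner would add is that forwarding puts the Windows logon screen on the Internet, so the rules restrict the allowed source network and the script refuses to emit a rule open to 0.0.0.0/0 unless explicitly forced.

```shell
#!/bin/sh
# Added example, not from the thread: print the iptables rules that forward one
# public TCP port on the gateway to RDP (TCP 3389) on a Windows host in the LAN.
# Hypothetical values: WAN interface eth0, public port 33890, LAN host 192.168.1.50.
# The rules are printed, not executed, so they can be reviewed first; pipe the
# output to "sh" on the gateway to apply them.

RDP_PORT=3389

# rdp_forward_rules WAN_IF PUBLIC_PORT WIN_IP ALLOWED_SRC
# ALLOWED_SRC is the CIDR the connection may come from.  Opening RDP to
# 0.0.0.0/0 exposes the Windows logon to password guessing from anywhere, so
# that value is refused unless FORCE_OPEN=1 is set in the environment.
rdp_forward_rules() {
    wan=$1; pub=$2; win=$3; src=$4
    case $pub in
        ''|*[!0-9]*) echo "public port must be numeric" >&2; return 1 ;;
    esac
    case $src in
        */*) ;;
        *) echo "ALLOWED_SRC must be a CIDR, e.g. 203.0.113.0/24" >&2; return 1 ;;
    esac
    if [ "$src" = "0.0.0.0/0" ] && [ "${FORCE_OPEN:-0}" != 1 ]; then
        echo "refusing to expose RDP to every source; set FORCE_OPEN=1 to override" >&2
        return 1
    fi
    # Forwarding must be on, or the DNATed packets are dropped after translation.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination before routing: public port -> Windows host:3389.
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp -s $src --dport $pub -j DNAT --to-destination $win:$RDP_PORT"
    # Let the translated packets through FORWARD, and only their replies back out.
    echo "iptables -A FORWARD -i $wan -p tcp -s $src -d $win --dport $RDP_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $wan -p tcp -s $win --sport $RDP_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage on the gateway (hypothetical values); review before piping to sh:
#   sh this_script.sh eth0 33890 192.168.1.50 203.0.113.0/24
if [ "$#" -eq 4 ]; then rdp_forward_rules "$@"; fi
```

A non-standard public port (33890 here) keeps the forward out of the most common scans but is not a security control; the source restriction is. If the remote end has no fixed address, the SSH tunnel or OpenVPN approaches later in the thread avoid exposing RDP at all.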
Old 04-15-2010, 03:25 AM   #3
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 79
You can also setup an ssh tunnel. So you can still get to your m$ windows machine.
However this is rather a clumsy solution.

OpenVPN can perfectly accomplish this.
Open port 1194 on your fw, forward it to your openvpn server and setup the client and server config.
Make sure you have the correct routes on your network.

In the end setting up openvpn is not that hard.
 
Old 04-15-2010, 07:45 AM   #4
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
If I may make a recommendation, I would open SSH on your gateways and close off Webmin as it is a greater security risk in most peoples eyes than SSH. That said, OpenVPN would work, it would provide you a means to make it look like your machine was on your local LAN or connected to your LAN by a direct router instead of over the Internet. This would let you access any resources like you were in your house. You can as someone mentioned though also accomplish this with SSH tunneling just have a tunnel setup so localhost:someport gets sent over the SSH connection to the remote machine windowsmachine:3984. Then you RDP to localhost:someport and get an encrypted connection to your windows machine. I have OpenVPN and SSH setup at my work and will use SSH tunneling to occasionally access a machine on a public machine because I only need putty.
 
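The SSH-tunnel approach scheidel21 describes, as an added example that is not part of the post: a script that opens a local forward from the laptop, through the home gateway, to the RDP service on a Windows box behind it, waits for the tunnel, then starts rdesktop against 127.0.0.1. The gateway name "gw.example.org" and Windows host name "winbox" are hypothetical; the RDP port is the standard TCP 3389. The local end is pinned to 127.0.0.1 so that nobody else on the "public machine" mentioned above can ride the tunnel into the home LAN.

```shell
#!/bin/sh
# Added example, not from the thread: an SSH local forward from the laptop,
# through the home gateway, to RDP on a Windows box behind it.  Hypothetical
# names: gateway "gw.example.org", Windows host "winbox" (resolvable from the
# gateway).  RDP listens on TCP 3389, its standard port.

RDP_PORT=3389

# tunnel_args GATEWAY WINHOST [LOCALPORT]
# Prints the ssh arguments one per line.  ssh binds the local end to loopback
# by default, but spelling out 127.0.0.1 keeps that true even if a
# "GatewayPorts yes" lurks in some ssh_config on a shared machine.
tunnel_args() {
    gateway=$1; winhost=$2; localport=${3:-13389}
    case $localport in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$localport" -lt 1024 ] || [ "$localport" -gt 65535 ]; then
        echo "local port must be in 1024..65535 (no root needed)" >&2; return 1
    fi
    # -N: forward only, no remote shell.  ExitOnForwardFailure: if the local
    # port is already taken, ssh exits instead of connecting without the
    # forward, in which case rdesktop would silently talk to whatever owns it.
    printf '%s\n' -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "127.0.0.1:${localport}:${winhost}:${RDP_PORT}" "$gateway"
}

# port_listening PORT : true once something listens on 127.0.0.1:PORT.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
    else
        netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
    fi
}

# run_tunnel GATEWAY WINHOST [LOCALPORT] : open the tunnel, wait for it,
# start rdesktop, tear the tunnel down when rdesktop exits.
run_tunnel() {
    localport=${3:-13389}
    args=$(tunnel_args "$@") || return 1
    set -- $args            # word splitting intended; no argument contains spaces
    ssh "$@" &
    sshpid=$!
    n=0
    until port_listening "$localport"; do
        n=$((n + 1))
        if [ "$n" -ge 15 ] || ! kill -0 "$sshpid" 2>/dev/null; then
            echo "tunnel did not come up" >&2
            kill "$sshpid" 2>/dev/null
            return 1
        fi
        sleep 1
    done
    rdesktop "127.0.0.1:${localport}"   # or: xfreerdp /v:127.0.0.1:${localport}
    kill "$sshpid"
}

# Usage: sh this_script.sh gw.example.org winbox [13389]
if [ "$#" -ge 2 ]; then run_tunnel "$@"; fi
```

The same forward from PuTTY is Connection > SSH > Tunnels with source port 13389 (Local) and destination winbox:3389; PuTTY also binds to loopback unless "Local ports accept connections from other hosts" is ticked, which it should not be on a shared machine.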
Old 04-16-2010, 10:20 PM   #5
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Original Poster
Rep: Reputation: 23
Thanks everyone for the suggestions.
I've been trying to setup openvpn for the past two nights.
But it's failing miserably. I can't build a certificate.
The build-ca script (actually openssl) is failing with a common error.
BUT it's an error that no one appears to have a viable solution.

Running build-ca results in:
Code:
+ cd /usr/doc/openvpn-2.0.9/easy-rsa/keys
+ openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
error on line 37 of /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
21561:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 37
I've searched through several pages of a Google search. And all the results either don't have any answers or they state to comment out the "pkcs11_section". And my openssl.cnf doesn't have a "pkcs11_section" or any section remotely resembling it.
And there's only one thread on linuxquestions about the same issue. And it's been unanswered for quite a while.

Time to try something else I guess
--ET
 
Old 04-17-2010, 06:08 AM   #6
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 79
Did you do this first?
. ./vars

What's on line 37 in /usr/doc/openvpn-VERSION/easy-rsa/openssl.cnf?

Quote:
Time to try something else I guess
Well, as this is a very common piece of software I would believe it should work.
So I would try some more.
 
Old 04-17-2010, 06:21 AM   #7
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,551
Blog Entries: 28

Rep: Reputation: 1176
The files under /usr/doc are samples; the usual technique, following the HOWTO, is
Code:
cp -pR /usr/doc/openvpn-2.0.9/easy-rsa /etc/openvpn
Then edit /etc/openvpn/easy-rsa/vars, setting the following to suit your installation:
KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Then
Code:
. ./vars
./clean-all
./build-ca
The HOWTO is very good; the only thing I got wrong (apart from silly typos and forgetting to turn off the client's firewall for stage one testing) was choosing routed mode when bridged mode was better suited to the users.
 
Old 04-17-2010, 06:43 AM   #8
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 79
Quote:
Originally Posted by catkin (post #7 above)
If I recall correctly using the clean-all script will delete the contents of the keys directory. So be careful with it.

The howto is indeed good.

Do note that in your case you should go with routed and not bridged (this would also send the arp requests, ... over the tunnel). There are only some rare cases where this should be used.
 
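What the easy-rsa steps in catkin's post (build-ca, then build-key-server and build-key) actually produce, as an added example that is not part of the thread: the same PKI made with plain openssl so each file is visible, plus the two checks that answer the later "I've lost track of what goes where" problem, namely whether a cert chains to the CA and whether a key belongs to a cert, and a staging step that copies each side's files into a server and a client directory. The names "home-ca", "server" and "laptop" are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: the PKI that easy-rsa's build-ca,
# build-key-server and build-key produce, done with plain openssl, followed by
# the checks that say whether a cert and key belong together and a layout of
# which side gets which file.  Names (home-ca, server, laptop) are hypothetical.

# build_pki DIR : CA + server cert + client cert, all under DIR.  Runs in a
# subshell so the caller's working directory is untouched.
build_pki() (
    set -e
    mkdir -p "$1" && cd "$1"
    # The CA: self-signed.  Its private key (ca.key) never leaves this directory.
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=home-ca" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # nsCertType=server is what the client's "ns-cert-type server" option
    # checks, so a stolen client cert cannot be used to impersonate the server.
    printf 'nsCertType=server\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >server.ext
    printf 'nsCertType=client\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >client.ext
    issue server server.ext
    issue laptop client.ext
)

# issue NAME EXTFILE : key + CSR for NAME, signed by the CA in the current directory.
issue() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile "$2" -out "$1.crt" 2>/dev/null
}

# verify_chain DIR NAME : NAME.crt chains to ca.crt AND NAME.key is its private
# key (the public key inside the cert must equal the one derived from the key).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# cert_role CERT : "SSLServer" or "SSLClient", read from the nsCertType extension.
cert_role() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Netscape Cert Type/ { getline; gsub(/ /, ""); print; exit }'
}

# stage DIR : copy each side's files to DIR/server and DIR/client.  ca.key stays
# in DIR only (offline CA); the client's key never goes to the server.
stage() {
    mkdir -p "$1/server" "$1/client" || return 1
    cp "$1/ca.crt" "$1/server.crt" "$1/server.key" "$1/server/" || return 1
    cp "$1/ca.crt" "$1/laptop.crt" "$1/laptop.key" "$1/client/" || return 1
    chmod 600 "$1/server/server.key" "$1/client/laptop.key"
    # Two more files belong here, omitted so this runs quickly and without openvpn:
    #   openssl dhparam -out "$1/server/dh2048.pem" 2048   -> server only ("dh dh2048.pem")
    #   openvpn --genkey --secret "$1/ta.key"              -> BOTH sides: "tls-auth ta.key 0"
    #                                                         on the server, "tls-auth ta.key 1" on the client
}

# Usage: sh this_script.sh /etc/openvpn/pki
if [ "$#" -eq 1 ]; then
    build_pki "$1" && verify_chain "$1" server && verify_chain "$1" laptop && stage "$1"
fi
```

Running `verify_chain` against every cert/key pair before starting openvpn catches the mixed-up-files problem at once; `openssl verify` alone does not, because it checks the certificate chain and says nothing about the key sitting next to it.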
Old 04-17-2010, 04:35 PM   #9
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Original Poster
Rep: Reputation: 23
Thanks all. I've managed to progress a little further.
Yes I did run ". ./vars". But I still had to define some of those variables in clean-all and build-ca.
I've managed to build all the keys and certs. And have copied them to /etc/openvpn/keys and /etc/openvpn/certs.
I'm now working on trying to get openvpn running. After several failed attempts and fixes; here is my latest attempt:
Code:
Sat Apr 17 17:27:57 2010 OpenVPN 2.0.9 i486-slackware-linux [SSL] [LZO] [EPOLL] built on Jun 11 2007
Sat Apr 17 17:27:57 2010 WARNING: --keepalive option is missing from server config
Sat Apr 17 17:27:57 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Sat Apr 17 17:27:57 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Sat Apr 17 17:27:57 2010 Cannot allocate TUN/TAP dev dynamically
Sat Apr 17 17:27:57 2010 Exiting
--ET
 
Old 04-18-2010, 04:58 AM   #10
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 79
Is tun support compiled into your kernel?
Normally it is a module called "tun".

I think this is what you need in your kernel config.
CONFIG_TUN=m

You can check the config in different ways.
Mostly the config is compiled into the running kernel.
zcat /proc/config.gz | grep CONFIG_TUN
 
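The kernel check deadeyes describes, as an added example that is not part of the post: a function that reads CONFIG_TUN out of a kernel config (plain or gzipped, so /proc/config.gz works as written above), plus the root-only follow-ups for the exact error in the log: load the module, and create /dev/net/tun by hand when no udev does it, which is what the "Attempting fallback to kernel 2.2 TUN/TAP interface" line is reacting to. The config file paths are the usual locations and are assumptions about the system.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for OpenVPN's
# "Cannot open TUN/TAP dev /dev/net/tun: No such file or directory".
# tun_state only parses a file; ensure_tun and preflight touch the running
# system and must be run as root on the gateway.

# tun_state CONFIGFILE : prints builtin | module | absent, from a kernel .config
# or a gzipped one such as /proc/config.gz.
tun_state() {
    case $1 in
        *.gz) line=$(zcat "$1" | grep -E '^(# )?CONFIG_TUN( |=)' || true) ;;
        *)    line=$(grep -E '^(# )?CONFIG_TUN( |=)' "$1" || true) ;;
    esac
    case $line in
        CONFIG_TUN=y) echo builtin ;;
        CONFIG_TUN=m) echo module ;;
        *)            echo absent ;;   # "# CONFIG_TUN is not set", or no line at all
    esac
}

# kernel_config : the running kernel's config, in the usual places (assumed).
kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# ensure_tun : load the tun module if the kernel has it as a module, then make
# sure the device node exists (char major 10, minor 200 is fixed for TUN/TAP).
ensure_tun() {
    if cfg=$(kernel_config); then
        case $(tun_state "$cfg") in
            absent) echo "kernel has no TUN support: rebuild with CONFIG_TUN=m" >&2; return 1 ;;
            module) modprobe tun || return 1 ;;
        esac
    else
        modprobe tun 2>/dev/null || true   # config unknown; harmless if built in
    fi
    if [ ! -c /dev/net/tun ]; then
        mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun
    fi
    [ -c /dev/net/tun ]
}

# preflight : the remaining things that bite once the tunnel itself comes up.
preflight() {
    ensure_tun || return 1
    if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "NOTE: ip_forward=0; clients will reach the server but not the LAN behind it" >&2
    fi
    echo "tun ok: $(ls -l /dev/net/tun)"
}

# Usage (as root on the gateway): sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```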
Old 04-18-2010, 09:30 AM   #11
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Original Poster
Rep: Reputation: 23
No tun is not compiled into my kernel.
But loading the module solved that problem.
So I now have the openvpn server running.
Now I am working on getting a client to connect.
And it's failing.

When using UDP protocol; on the server I'm getting:
Code:
Sun Apr 18 10:02:08 2010 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 18 10:02:08 2010 TLS Error: incoming packet authentication failed from 10.0.0.101:51878
And when using TCP protocol; on the server I'm getting:
Code:
Sun Apr 18 10:16:33 2010 TCP connection established with 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 TCPv4_SERVER link local: [undef]
Sun Apr 18 10:16:33 2010 TCPv4_SERVER link remote: 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 TLS Error: incoming packet authentication failed from 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 Fatal TLS error (check_tls_errors_co), restarting
The client's openvpn log file displays similar messages.

I'm assuming my keys and/or certs are messed up.
BUT the instructions have had me create so many keys and certs; I've lost track of what goes where.

--ET
 
Old 04-18-2010, 12:25 PM   #12
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Original Poster
Rep: Reputation: 23
Got it working; sort of.
I added these two lines to the end of the config files on both the server and client:
Code:
auth none
cipher none
The connection worked.
Next I tried restarting both server and client WITHOUT the "cipher none".
A connection then also worked.
Next I tried restarting both the server and client WITHOUT the "auth none".
Putting me right back where I started.
BUT the connection STILL worked ! That doesn't make sense !

Anyways; now I'm at the point of configuring my firewall.

--ET
 
Old 04-18-2010, 01:51 PM   #13
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 79
You can take this as an example client config:
Code:
proto udp
dev tun
remote yourserver.com            # host to connect to (the port is given by "port 1194" below)

tls-client
ns-cert-type server              # refuse a peer whose certificate is not marked nsCertType=server
#tls-auth keys/ta.key 1          # enable only if the server also has "tls-auth keys/ta.key 0"
ca keys/ca.crt
cert keys/youruser.crt
key keys/youruser.key

pull                             # this will execute the "push" options shown in the server config.

port 1194
user root                        # as posted; "user nobody"/"group nobody" (with persist-key and persist-tun) drops privileges after startup
group root

ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log

#persist-key
#persist-tun
#comp-lzo

cipher AES256                    # OpenSSL alias for AES-256-CBC; "openvpn --show-ciphers" lists the canonical names
So you need 3 files to start it.
You can also generate a Diffie-Hellman file and a tls-auth key.
This improves security.
I would go step by step until it works.

I would recommend using udp as it gives less overhead.
 
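A consistency check between a server config and a client config like the one above, as an added example that is not part of the post: the "packet HMAC authentication failed" / "TLS Error: incoming packet authentication failed" lines earlier in the thread are what OpenVPN logs when the two sides disagree on the per-packet HMAC, typically a different "auth" digest, or "tls-auth" present on one side only or with the same key-direction on both. The script below parses both files and reports those mismatches (and proto/dev/cipher, for completeness); it also flags "auth none" and "cipher none", since those disable packet authentication and encryption rather than fixing anything. The defaults it assumes (udp, BF-CBC, SHA1) are those of OpenVPN 2.0 to 2.3; the config file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: compare an OpenVPN server config and a
# client config for the mismatches behind "packet HMAC authentication failed".
# Pure text parsing; nothing here talks to the network.

# opt FILE KEY : value of the first active "KEY value" line, inline comment
# stripped; empty if the option is absent or only present commented out.
opt() {
    awk -v k="$2" '{ sub(/^[ \t]+/, "") }
        $1 == k { sub(/^[^ \t]+[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; exit }' "$1"
}

# default KEY : what OpenVPN 2.0 to 2.3 assume when the option is not given.
default() {
    case $1 in
        proto)  echo udp ;;
        cipher) echo BF-CBC ;;
        auth)   echo SHA1 ;;
        *)      echo "" ;;
    esac
}

# check_pair SERVER.conf CLIENT.conf : one MISMATCH/WARN line per finding on
# stdout; returns 1 if any MISMATCH was found, 0 otherwise.
check_pair() {
    s=$1; c=$2; rc=0
    for k in proto dev cipher auth; do
        sv=$(opt "$s" "$k"); cv=$(opt "$c" "$k")
        [ -n "$sv" ] || sv=$(default "$k")
        [ -n "$cv" ] || cv=$(default "$k")
        # "proto tcp-server" pairs with "proto tcp-client": compare the transport only.
        sv=${sv%-server}; cv=${cv%-client}
        sv=$(echo "$sv" | tr 'A-Z' 'a-z'); cv=$(echo "$cv" | tr 'A-Z' 'a-z')
        if [ "$sv" != "$cv" ]; then
            echo "MISMATCH $k: server='$sv' client='$cv'"; rc=1
        fi
        # The "auth none" / "cipher none" workaround from the thread: both sides
        # agree, so no mismatch, but the link is then unauthenticated/unencrypted.
        if [ "$sv" = none ]; then
            case $k in
                auth)   echo "WARN auth none: packets are not authenticated" ;;
                cipher) echo "WARN cipher none: tunnel is not encrypted" ;;
            esac
        fi
    done
    st=$(opt "$s" tls-auth); ct=$(opt "$c" tls-auth)
    if [ -n "$st" ] || [ -n "$ct" ]; then
        if [ -z "$st" ] || [ -z "$ct" ]; then
            echo "MISMATCH tls-auth: configured on one side only"; rc=1
        else
            # "tls-auth ta.key 0" on the server must face "tls-auth ta.key 1" on
            # the client (or both omit the direction); the same direction on both
            # sides means each side signs with the key the other does not check.
            sd=${st##* }; cd_=${ct##* }
            [ "$sd" = "$st" ] && sd=""
            [ "$cd_" = "$ct" ] && cd_=""
            case "$sd/$cd_" in
                0/1|1/0|/) ;;
                *) echo "MISMATCH tls-auth key-direction: server='$sd' client='$cd_'"; rc=1 ;;
            esac
        fi
    fi
    return $rc
}

# Usage: sh this_script.sh /etc/openvpn/server.conf client.ovpn
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

The comparison is textual, so "AES256" on one side and "AES-256-CBC" on the other is reported as a mismatch even though OpenSSL treats them as the same cipher; use the canonical name from `openvpn --show-ciphers` on both sides and the question does not arise.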
Old 04-19-2010, 07:41 AM   #14
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
If I recall you use webmin and there is an openVPN webmin module that you could use to help administer it, it may help.
 
Old 04-19-2010, 12:33 PM   #15
slacker_et
Member
 
Registered: Dec 2009
Distribution: Slackware
Posts: 113

Original Poster
Rep: Reputation: 23

I'd like to say thanks to everyone for their suggestions, insights, and other help.
I eventually got the openvpn server running on one of my linux servers.
And I also setup a couple of the OSes on my laptop to function as openvpn clients.

I think what originally threw me off was two things.
First; I had three different windows on the linux server when setting up openvpn.
One for reading the READMEs, one for editing files, and another for entering commands.
I'm wondering if I may have run a few commands (i.e. . ./vars) in the wrong window.
Second; While following the README in the easy-rsa directory I created every key and cert it mentioned. And I probably mixed them up somewhere along the way.

I think in total I spent about 4 or 5 hours spread across three nights getting everything configured.
What I lack in efficiency I make up for in stubbornness.

--ET
 