LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 09-20-2009, 11:00 AM   #16
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30

Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install

Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 16:59:22 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 16:59:22 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 16:59:22 2009 Exiting
[root@localhost easy-rsa]#
 
Old 09-20-2009, 11:02 AM   #17
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Are you planning to log into the VPN server using MSN? Normally you would have the openvpn client (including software) wherein you specify the server name along with the port.

Regards,

--
Prasanta
No, I'll be using the VPN client but what I mean is that the port MSN uses must connect to the MSN server at some point on 1080? How can it do that if my VPN server does not have port 1080 open?

Last edited by qwertyjjj; 09-20-2009 at 11:05 AM.
 
Old 09-20-2009, 11:08 AM   #18
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
It will create a tunnel between the client and the server. The users logged in using VPN will be able to go out via the same rules that you have places for your LAN. In case from your LAN, MSN is blocked, the same will be true for VPN clients also.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:10 AM   #19
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
It will create a tunnel between the client and the server. The users logged in using VPN will be able to go out via the same rules that you have places for your LAN. In case from your LAN, MSN is blocked, the same will be true for VPN clients also.

Regards,

--
Prasanta

But since I can't possibly know all the client ports and the software that they will be running, in order to allow a client to use the VPN, I would have to leave every port open on my server both outgoing and incoming. That's kind of dangerous.

Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install

Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 16:59:22 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 16:59:22 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 16:59:22 2009 Exiting
[root@localhost easy-rsa]#

Last edited by qwertyjjj; 09-20-2009 at 11:15 AM.
 
Old 09-20-2009, 11:16 AM   #20
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Nope, you don't need to open each and every port. When a client logs via VPN, services that are there in your LAN will only be accessible. As an example, in case you have blocked FTP for your LAN, user connected via VPN will not be able to use FTP.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:26 AM   #21
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Nope, you don't need to open each and every port. When a client logs via VPN, services that are there in your LAN will only be accessible. As an example, in case you have blocked FTP for your LAN, user connected via VPN will not be able to use FTP.

Regards,

--
Prasanta
So, could someone connected via VPN get into my SQL server and my server files?
I only want them to connect via VPN so they can have a country specific IP address. This is mainly for HTTP requests but there are some sites that the proxy server will not work for so they have to use VPN.
At present I have every outgoing port open so that would be okay but some servers respond on different ports incoming. How can a VPN be secure if many ports have to be open just for certain applications to work? If I have 100 clients using VPN, it is impossible for me to list all the different applications and ports that they could want to use, no? This then also opens up my server to someone trying to hack into it?
 
Old 09-20-2009, 11:29 AM   #22
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Quote:
Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install
The sample server.conf file has lot of parameters in it. Just open the file and check the required files. In your case, the Diffie hellman parameters are missing and hence it is throwing out an error. Just create those along with the certificates, and then start.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:38 AM   #23
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Yes, anyone connected via VPN can access your whole LAN, until you have put on some access restrictions for VPN users. As you have said, you can not keep track of each and every application that the client is using and open the port simultaneously. That defeats the purpose using VPN. Normally, why will people use VPN? Most probable answer is to get data from the LAN and access things which are not accessible from the internet like the intranet website for an example. In case they want to use some application which you have restricted in your LAN, better ask them to log of from VPN and use their own Internet.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:42 AM   #24
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
The sample server.conf file has lot of parameters in it. Just open the file and check the required files. In your case, the Diffie hellman parameters are missing and hence it is throwing out an error. Just create those along with the certificates, and then start.

Regards,

--
Prasanta
I created the diffie config here:
Code:
[root@localhost keys]# ls -l
total 68
-rw-r--r-- 1 root root 3693 Sep 20 17:07 01.pem
-rw-r--r-- 1 root root 3589 Sep 20 17:08 02.pem
-rw-r--r-- 1 root root 1257 Sep 20 17:07 ca.crt
-rw------- 1 root root  887 Sep 20 17:07 ca.key
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw-r--r-- 1 root root  220 Sep 20 17:08 index.txt
-rw-r--r-- 1 root root   20 Sep 20 17:08 index.txt.attr
-rw-r--r-- 1 root root   21 Sep 20 17:07 index.txt.attr.old
-rw-r--r-- 1 root root  110 Sep 20 17:07 index.txt.old
-rw-r--r-- 1 root root 3589 Sep 20 17:08 my.cert.crt
-rw-r--r-- 1 root root  688 Sep 20 17:08 my.cert.csr
-rw------- 1 root root  887 Sep 20 17:08 my.cert.key
-rw-r--r-- 1 root root    3 Sep 20 17:08 serial
-rw-r--r-- 1 root root    3 Sep 20 17:07 serial.old
-rw-r--r-- 1 root root 3693 Sep 20 17:07 server.crt
-rw-r--r-- 1 root root  688 Sep 20 17:07 server.csr
-rw------- 1 root root  887 Sep 20 17:07 server.key
[root@localhost keys]#
The server.conf file has this:
Code:
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

Last edited by qwertyjjj; 09-20-2009 at 11:44 AM.
 
Old 09-20-2009, 11:46 AM   #25
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Your server.conf is sitting at /etc/openvpn/easy-rsa/, while dh1024.pem is sitting in another location. Just move it to the former and it should start.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:51 AM   #26
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Your server.conf is sitting at /etc/openvpn/easy-rsa/, while dh1024.pem is sitting in another location. Just move it to the former and it should start.

Regards,

--
Prasanta
Sorry for all the questions.
No, that didn't help either.

Code:
[root@localhost easy-rsa]# mv /etc/openvpn/easy-rsa/server.conf /etc/openvpn/easy-rsa/keys/server.conf
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/keys/server.conf
Sun Sep 20 17:49:35 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:49:35 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 17:49:35 2009 Exiting
[root@localhost easy-rsa]# cd keys
[root@localhost keys]# ls -l
total 80
-rw-r--r-- 1 root root 3693 Sep 20 17:07 01.pem
-rw-r--r-- 1 root root 3589 Sep 20 17:08 02.pem
-rw-r--r-- 1 root root 1257 Sep 20 17:07 ca.crt
-rw------- 1 root root  887 Sep 20 17:07 ca.key
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw-r--r-- 1 root root  220 Sep 20 17:08 index.txt
-rw-r--r-- 1 root root   20 Sep 20 17:08 index.txt.attr
-rw-r--r-- 1 root root   21 Sep 20 17:07 index.txt.attr.old
-rw-r--r-- 1 root root  110 Sep 20 17:07 index.txt.old
-rw-r--r-- 1 root root 3589 Sep 20 17:08 my.cert.crt
-rw-r--r-- 1 root root  688 Sep 20 17:08 my.cert.csr
-rw------- 1 root root  887 Sep 20 17:08 my.cert.key
-rw-r--r-- 1 root root    3 Sep 20 17:08 serial
-rw-r--r-- 1 root root    3 Sep 20 17:07 serial.old
-rw-r--r-- 1 root root 9968 Sep 20 16:55 server.conf
-rw-r--r-- 1 root root 3693 Sep 20 17:07 server.crt
-rw-r--r-- 1 root root  688 Sep 20 17:07 server.csr
-rw------- 1 root root  887 Sep 20 17:07 server.key
[root@localhost keys]#
I moved it the other way round as well but got this:

Code:
[root@localhost easy-rsa]# mv /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/easy-rsa/dh1024.pem
[root@localhost easy-rsa]# ls -l
total 108
drwxr-xr-x 2 root root 4096 Sep 20 16:21 2.0
-rwxr-xr-x 1 root root  242 Sep 20 16:21 build-ca
-rwxr-xr-x 1 root root  228 Sep 20 16:21 build-dh
-rw-r--r-- 1 root root  529 Sep 20 16:21 build-inter
-rwxr-xr-x 1 root root  516 Sep 20 16:21 build-key
-rw-r--r-- 1 root root  424 Sep 20 16:21 build-key-pass
-rw-r--r-- 1 root root  695 Sep 20 16:21 build-key-pkcs12
-rwxr-xr-x 1 root root  662 Sep 20 16:21 build-key-server
-rw-r--r-- 1 root root  466 Sep 20 16:21 build-req
-rw-r--r-- 1 root root  402 Sep 20 16:21 build-req-pass
-rwxr-xr-x 1 root root  280 Sep 20 16:21 clean-all
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw------- 1 root root    0 Sep 20 16:59 ipp.txt
drwx------ 2 root root 4096 Sep 20 17:48 keys
-rw-r--r-- 1 root root  264 Sep 20 16:21 list-crl
-rw-r--r-- 1 root root  268 Sep 20 16:21 make-crl
-rw-r--r-- 1 root root 7487 Sep 20 16:21 openssl.cnf
-rw------- 1 root root    0 Sep 20 17:41 openvpn-status.log
-rw-r--r-- 1 root root 6075 Sep 20 16:21 README
-rw-r--r-- 1 root root  268 Sep 20 16:21 revoke-crt
-rw-r--r-- 1 root root  593 Sep 20 16:21 revoke-full
-rw-r--r-- 1 root root 9968 Sep 20 16:55 server.conf
-rw-r--r-- 1 root root  411 Sep 20 16:21 sign-req
-rw-r--r-- 1 root root 1273 Sep 20 16:30 vars
drwxr-xr-x 2 root root 4096 Sep 20 16:21 Windows
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 17:48:23 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:48:23 2009 Diffie-Hellman initialized with 1024 bit key
Sun Sep 20 17:48:23 2009 Cannot load certificate file server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 20 17:48:23 2009 Exiting

Last edited by qwertyjjj; 09-20-2009 at 11:52 AM.
 
Old 09-20-2009, 11:53 AM   #27
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Have you installed lzo package? The other way round is to comment out the line and then start it.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:55 AM   #28
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Have you installed lzo package? The other way round is to comment out the line and then start it.

Regards,

--
Prasanta
lzo?

the error was:
If I put server.conf in the keys folder, then it doesn't load the diffie. It's a circle!
Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 17:48:23 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:48:23 2009 Diffie-Hellman initialized with 1024 bit key
Sun Sep 20 17:48:23 2009 Cannot load certificate file server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 20 17:48:23 2009 Exiting

Last edited by qwertyjjj; 09-20-2009 at 11:59 AM.
 
Old 09-20-2009, 11:59 AM   #29
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Comment out that line and then try to start.

Regards,

--
Prasanta
 
Old 09-20-2009, 12:00 PM   #30
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Comment out that line and then try to start.

Regards,

--
Prasanta
Sorry, which line?
The server needs diffie and server.crt so they should both be present shouldn't they?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN client has not default gateway when connect to OpenVPN server sailershen Linux - Security 3 03-04-2010 02:20 AM
OpenVPN key generation chillster Linux - Security 1 12-22-2008 07:21 PM
Openvpn key system paranoid times Linux - Software 0 02-22-2008 01:52 PM
how to configure samba server every time login to that folder need key password. hocheetiong Linux - Software 1 11-23-2007 12:36 AM
SOLVED -- Hard-to-find gotcha in OpenVPN jlinkels Linux - Networking 0 07-30-2007 11:34 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 03:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration