Welcome to the Sophos User Bulletin Board.
Wizard
Join Date: Apr 2007
Posts: 961
#1 (permalink)  
Old 06-16-2010, 05:18 AM
off topic: Astaro VPN Client with openSUSE Server?

Hello,

An OpenVPN client against Astaro is no rocket science and works almost out of the box.
But what about using the free Astaro client against an OpenVPN server?
Background:
I use a Windows XP PC as a dial-in system and naturally want to get by with as few different clients as possible.
Also, does anyone know a nice, concise, simple guide for an OpenVPN server on openSUSE?

Regards
Junior Member
Join Date: Oct 2009
Posts: 27
#2 (permalink)  
Old 06-16-2010, 07:11 AM

Hello rprengel,

I myself have run the Astaro OpenVPN client against a router flashed with dd-wrt. You only need to place the appropriate configurations in the config directory. They are then listed when you right-click the tray icon.
You can find plenty of guides for an OpenVPN server on Linux via e.g. Google.
Here is one example:

Deutsches OpenVPN howto - linuxforen.de -- User helfen Usern

Best regards and good luck
Holger
Wizard
Join Date: Apr 2007
Posts: 961
#3 (permalink)  
Old 06-17-2010, 06:04 AM

Quote:
Originally Posted by h.winkler
Hello rprengel,

I myself have run the Astaro OpenVPN client against a router flashed with dd-wrt. You only need to place the appropriate configurations in the config directory. They are then listed when you right-click the tray icon.
You can find plenty of guides for an OpenVPN server on Linux via e.g. Google.
Here is one example:

Deutsches OpenVPN howto - linuxforen.de -- User helfen Usern

Best regards and good luck
Holger

Install & Configure OpenVPN SSL VPN in SUSE & openSUSE Linux | SUSE & openSUSE
With that article it was quite easy.

Two points are still open:
1)
The client logs on and gets an IP, but how is the default gateway set?
2)
At the moment the client logs on without a password.
How does it work with passwords?

The whole thing is currently more of a fun-and-games project. I didn't get around to clarifying these points last night. A few tips would be nice.

Regards
Junior Member
Join Date: Oct 2009
Posts: 27
#4 (permalink)  
Old 06-17-2010, 09:22 AM

Hello rprengel,


Username/Password
Using username/password authentication as the only form of client authentication
By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.
While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:

client-cert-not-required

Such configurations should usually also set:

username-as-common-name

which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.


Source: HOWTO


Default-Gateway
Routing all client traffic (including web-traffic) through the VPN

Overview

By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time.

Implementation

Add the following directive to the server configuration file:

push "redirect-gateway def1"

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:

push "dhcp-option DNS 10.8.0.1"

will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.

Caveats

Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of:

* Many OpenVPN client machines connecting to the internet will periodically interact with a DHCP server to renew their IP address leases. The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease.
* Issues exist with respect to pushing DNS addresses to Windows clients.
* Web browsing performance on the client will be noticeably slower.

For more information on the mechanics of the redirect-gateway directive, see the manual page.


Source: HOWTO

Have fun tinkering :-)

Holger
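
On the password question: the HOWTO excerpt above names auth-user-pass-verify but shows no script. The following is an added example, not part of the original posts and not OpenVPN's own code: a verification script for the via-file method, where OpenVPN hands the script a temporary file with the username on the first line and the password on the second, and exit status 0 accepts the login. The script path, the users.db path and format, and the function names are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: credential check for OpenVPN's auth-user-pass-verify (via-file).
Server config:  script-security 2
                auth-user-pass-verify /etc/openvpn/verify_user.py via-file
Client config:  auth-user-pass        (the script path is an assumption)
"""
import hashlib
import hmac
import os
import sys

USER_DB = "/etc/openvpn/users.db"  # assumed path; one "user:salt_hex:hash_hex" per line
ITERATIONS = 200_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(user, password):
    """Build a users.db line; usernames must not contain ':'."""
    salt = os.urandom(16)
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"

def check_credentials(cred_lines, db_lines):
    """cred_lines: what OpenVPN wrote to the temp file (username, then password)."""
    if len(cred_lines) < 2:
        return False
    user, password = (line.rstrip("\r\n") for line in cred_lines[:2])
    if not user or not password:
        return False
    rows = (line.strip().split(":") for line in db_lines)
    records = {row[0]: (row[1], row[2]) for row in rows if len(row) == 3}
    # Unknown users still cost one PBKDF2 run, so timing does not reveal valid names.
    salt_hex, hash_hex = records.get(user, ("00" * 16, "00" * 32))
    try:
        candidate = hash_password(password, bytes.fromhex(salt_hex))
        matches = hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:  # malformed hex in the database: fail closed
        return False
    return matches and user in records

def main(argv):
    try:  # OpenVPN appends the temp-file path as the last argument
        with open(argv[-1]) as cred, open(USER_DB) as db:
            return 0 if check_credentials(cred.readlines(), db.readlines()) else 1
    except (OSError, UnicodeError):
        return 1  # any read problem rejects the login

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the default dual authentication described in the HOWTO text, a login has to pass both this script and the client-certificate check.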

All times are GMT.