cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Oct 10, 2006 12:49 am
Did you have TCP port 800 open as well? Are you using tap? or tun? Just curious.

hanj Veteran
Joined: 19 Aug 2003 Posts: 1490
Posted: Tue Oct 10, 2006 2:24 am
cchee wrote:
> Did you have TCP port 800 open as well? Are you using tap? or tun? Just curious.
Hello
Thanks for the reply! I'm still trying to get my head around all of this, so I apologize for my newbness.
I'm not accepting TCP port 800 on my firewall. As far as I knew, this was over UDP only. In fact, my DMZ/Wireless does not accept port 800 TCP, only UDP, and works. I'm not sure what the difference is between tap and tun, but I do have a tap0 interface, so does that mean I'm using tap?
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Oct 13, 2006 3:57 am
Just curious, do you have to use a root-access port (i.e. port < 1024)? OpenVPN's standard official port is 1194. You may want to try that first. tap0 means you are using tap.

hanj Veteran
Joined: 19 Aug 2003 Posts: 1490
Posted: Fri Oct 13, 2006 3:00 pm
cchee wrote:
> Just curious, do you have to use a root-access port (i.e. port < 1024)? OpenVPN's standard official port is 1194. You may want to try that first. tap0 means you are using tap.
Hello, thanks for replying. Using port 800 isn't a problem; also, my DMZ /w VPN to LAN works.
Code:
    netstat -lnp | grep openvpn
    udp        0      0 0.0.0.0:800            0.0.0.0:*               24957/openvpn
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Apr 03, 2007 3:23 pm
Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait for it to become official in portage!!! Hint! Hint!)
NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it. Otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.
Code:
    port-share ssl_webserver.mycompany.com 443

Bender007 Tux's lil' helper
Joined: 11 Aug 2003 Posts: 110 Location: Göttingen
Posted: Mon Oct 01, 2007 10:21 pm Post subject: openvpn idle
Hi,
I have a question. Is it possible to disconnect after an idle time of 2 mins?
I am using the "keepalive 10 120" option. Is this option the problem? Or does another idle parameter exist?
And what tool can I use to watch open connections and disconnect clients? I tried the management option and Force logoff a user over the GUI, but the user connects immediately again. What can I do?
server.conf:
Quote:
    proto tcp-server
    port 21113
    dev tap0
    tls-server
    ca /etc/openvpn/privnet/ca.crt
    cert /etc/openvpn/privnet/server.crt
    key /etc/openvpn/privnet/server.key
    dh /etc/openvpn/privnet/dh1024.pem
    tls-auth /etc/openvpn/privnet/ta.key 0
    mode server
    duplicate-cn
    ifconfig 192.168.10.1 255.255.255.0 #vpnserver
    ifconfig-pool 192.168.10.2 192.168.10.10 255.255.255.0 #clientiprange
    #ifconfig-pool-persist ipp.txt
    #server 192.168.1.0 255.255.255.0
    push "dhcp-option DNS 192.168.10.1"
    push "route-gateway 192.168.10.1"
    #mtu-test
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    #ping 10
    #ping-restart 120
    #push "ping 10"
    #push "ping-restart 60"
    push "route 192.168.0.0 255.255.255.0 192.168.10.1"
    push "route 192.168.10.0 255.255.255.0 192.168.10.1"
    comp-lzo
    verb 1
    #status /var/log/openvpn-status.log
    #log /var/log/openvpn.log
    keepalive 10 120
    user nobody
    group nobody
Thx Bender

snIP3r l33t
Joined: 21 May 2004 Posts: 853 Location: germany
Posted: Mon Oct 15, 2007 6:10 pm
cchee wrote:
> Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait for it to become official in portage!!! Hint! Hint!)
> NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it. Otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.
> Code:
>     port-share ssl_webserver.mycompany.com 443
Can you also please tell how to configure apache to make this work? Because I cannot start both configs (openvpn and apache) using port 443. I also found no example on the web.
thx in advance
snIP3r
_________________
Intel i3-4130T on ASUS P9D-X
Kernel 5.15.88-gentoo SMP
-----------------------------------------------
if your problem is fixed please add something like [solved] to the topic!

quackyo n00b
Joined: 26 Nov 2007 Posts: 1
Posted: Mon Nov 26, 2007 3:17 pm
I have fiddled around with OpenVPN today..
I'm using an OpenVPN server set up as a bridge.
When I connect to it I get an IP from DHCP (the DHCP in the net my VPN server is on), but no ping.
After a while the connection times out and tries reconnecting. After 1-5 minutes it gets reconnected and from then on everything is fine.
I thought it was a firewall issue, but after trying to disable the firewall at both ends I was stuck.. until I remembered that I had a Linksys DD-WRT box with a VPN setup that works. I took a look at the setup there and found that the only difference was that my OpenVPN server runs in "mode server" and TLS-server (with certificates), but the Linksys runs with static-key only.
Well, I tried to reconfigure my VPN server to use static key only and then it worked perfectly.
But I want the TLS-server feature, both for the multiple-client feature and for safety.
Anybody have a clue? I have tried to regenerate all certificates, but that didn't help.
All certificates I built with the easy-rsa scripts that come with OpenVPN.

TatooFim n00b
Joined: 20 Dec 2007 Posts: 1
Posted: Thu Dec 20, 2007 6:06 pm
damed92 wrote:
> Firstly, thank you VERY much for this howto. I have OpenVPN working well.
> One question:
> I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.
> What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanent VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1.
> Basically, what I want to know:
> Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.
> Please advise, and thank you again.
Agree, thanks
_________________
Coast to Coast AM

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Oct 03, 2008 3:01 pm
snIP3r wrote:
> cchee wrote:
> > Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait for it to become official in portage!!! Hint! Hint!)
> > NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it. Otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.
> > Code:
> >     port-share ssl_webserver.mycompany.com 443
> Can you also please tell how to configure apache to make this work? Because I cannot start both configs (openvpn and apache) using port 443. I also found no example on the web.
> thx in advance
> snIP3r
snIP3r,
Sorry for the really late reply. I have been busy and haven't had a chance to check back here for a while.
Your firewall will port forward 443 traffic to the openvpn server with port-share configured. In your openvpn configuration file, you will add the aforementioned line, where ssl_webserver.mycompany.com is the hostname or IP address of your webserver. But I don't think you can have both your openvpn and webserver running on the same physical machine. If you have a powerful box and some cpu/memory to spare, try to virtualize your webserver using vmware server or virtual box. Logically, it is still a different IP address, but everything runs on one physical box.
You shouldn't need to change the apache configuration file. OpenVPN will detect what kind of traffic it is and then redirect it to the apache server if it is a webserver request. Hope this helps.
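How the "detect what kind of traffic it is" step behind port-share actually decides, shown as an added example (my own code, written for this thread; it is not OpenVPN's code and not something either poster supplied). OpenVPN's port-share looks only at the first bytes of a new TCP connection: over TCP every OpenVPN packet is prefixed with a 16-bit big-endian length, and a client's first packet is a short control hard-reset, so the test is roughly "high length byte is zero, length is at least 14, opcode byte is a client hard-reset". Anything else (a browser's TLS ClientHello, plain HTTP, a scanner's probe) is relayed unchanged to the host:port named after port-share. The opcode values and the minimum length below are my reading of OpenVPN's source and should be treated as assumptions; all sample packets are constructed.

```python
"""Toy reimplementation of the first-packet decision behind OpenVPN's
port-share directive. Constructed illustration; not OpenVPN's own code."""
import struct

# OpenVPN opcode constants. Assumption: these are the values used in
# OpenVPN's ssl.h / port-share.c as I read them; they are not documented here.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
HARD_RESET_OPCODES = {
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,  # 0x38
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,  # 0x50
}
MIN_RESET_LEN = 14  # opcode(1) + session id(8) + ack array len(1) + packet id(4)


def looks_like_openvpn(first_bytes: bytes) -> bool:
    """Decide whether the start of a TCP stream is an OpenVPN client hard-reset.
    Over TCP, OpenVPN prefixes each packet with a 16-bit big-endian length; a
    reset packet is short (high length byte 0), at least MIN_RESET_LEN bytes,
    and its opcode byte is one of the client hard-reset opcodes."""
    p = first_bytes
    if len(p) >= 3:
        return p[0] == 0 and p[1] >= MIN_RESET_LEN and p[2] in HARD_RESET_OPCODES
    if len(p) >= 2:
        return p[0] == 0 and p[1] >= MIN_RESET_LEN
    return True  # not enough data yet: keep treating it as OpenVPN


def classify(first_bytes: bytes) -> str:
    """Where a port-share server would send this connection."""
    if looks_like_openvpn(first_bytes):
        return "openvpn"
    # Everything below is relayed to the port-share host:port unchanged; the
    # TLS/other split exists only so the demo output is readable.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "proxy:tls"
    return "proxy:other"


def build_client_reset(key_id: int = 0, use_v3: bool = False,
                       hmac: bytes = b"") -> bytes:
    """Construct a minimal OpenVPN-over-TCP client hard-reset. `hmac` stands
    in for the tls-auth HMAC and replay fields; field order is simplified
    (constructed example), but it lengthens the packet without changing the
    verdict, which is the point being demonstrated."""
    opcode_num = P_CONTROL_HARD_RESET_CLIENT_V3 if use_v3 else P_CONTROL_HARD_RESET_CLIENT_V2
    opcode = (opcode_num << P_OPCODE_SHIFT) | (key_id & 0x7)
    body = (bytes([opcode])
            + b"\x11" * 8            # session id (constructed)
            + hmac                   # tls-auth material, if any
            + b"\x00"                # acknowledged packet-id array length: 0
            + b"\x00\x00\x00\x00")   # message packet-id 0
    return struct.pack(">H", len(body)) + body


# Constructed sample first packets from non-OpenVPN clients.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: ssl_webserver.mycompany.com\r\n\r\n"


def demo() -> dict:
    """Classify a set of constructed first packets; returns name -> verdict."""
    samples = {
        "openvpn v2 reset": build_client_reset(),
        "openvpn v3 reset": build_client_reset(use_v3=True),
        "openvpn v2 reset with tls-auth": build_client_reset(hmac=b"\xaa" * 28),
        "tls client hello": TLS_CLIENT_HELLO_PREFIX,
        "plain http": PLAIN_HTTP,
    }
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

Two things worth keeping in mind from a hardening point of view. First, port-share only demultiplexes; every connection that fails the check above reaches the web server exactly as if port 443 had been forwarded straight to it, so the web server has to be secured as an Internet-facing service regardless of the VPN sitting in front of it, and OpenVPN's own side still relies on tls-auth (as in the configs in this thread) to drop unauthenticated hard-resets. Second, the host:port after port-share is simply where those non-OpenVPN bytes are relayed, which is why the web server can live on a separate box or a separate address as cchee suggests.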
snIP3r l33t
Joined: 21 May 2004 Posts: 853 Location: germany
Posted: Fri Oct 03, 2008 6:41 pm
cchee wrote:
> snIP3r wrote:
> > cchee wrote:
> > > Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait for it to become official in portage!!! Hint! Hint!)
> > > NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it. Otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.
> > > Code:
> > >     port-share ssl_webserver.mycompany.com 443
> > Can you also please tell how to configure apache to make this work? Because I cannot start both configs (openvpn and apache) using port 443. I also found no example on the web.
> > thx in advance
> > snIP3r
> snIP3r,
> Sorry for the really late reply. I have been busy and haven't had a chance to check back here for a while.
> Your firewall will port forward 443 traffic to the openvpn server with port-share configured. In your openvpn configuration file, you will add the aforementioned line, where ssl_webserver.mycompany.com is the hostname or IP address of your webserver. But I don't think you can have both your openvpn and webserver running on the same physical machine. If you have a powerful box and some cpu/memory to spare, try to virtualize your webserver using vmware server or virtual box. Logically, it is still a different IP address, but everything runs on one physical box.
> You shouldn't need to change the apache configuration file. OpenVPN will detect what kind of traffic it is and then redirect it to the apache server if it is a webserver request. Hope this helps.
hi cchee!
thx for your reply - even if it's a little late ,)
thx also for the tip. My first thought is to have both on the same machine. But after reading your post here I will try to do as you suggested and put the webserver on another (test) machine. If this works I can think about further steps...
I have a powerful machine and I would like to have the webserver on the same machine as the openvpn server. But this may be difficult to realize - I hope I can do it.
thx for your tip anyway. After the first tests, I will post my results.
thx
snIP3r
_________________
Intel i3-4130T on ASUS P9D-X
Kernel 5.15.88-gentoo SMP
-----------------------------------------------
if your problem is fixed please add something like [solved] to the topic!