# OpenVPN question

## mariourk

I have a question about configuring OpenVPN.

I am following the howto on: http://openvpn.sourceforge.net/howto.html

To start easy I decided to use a static pre-shared key first. Once that works I want to switch to SSL/TLS + RSA keys.

But first things first. I am working on the configuration as described in the howto. There is one thing I don't understand quite well...

The howto says:

```
# 10.1.0.1 is our local VPN endpoint (office).
# 10.1.0.2 is our remote VPN endpoint (home).
ifconfig 10.1.0.1 10.1.0.2
```

What exactly is meant with local VPN endpoint and remote VPN endpoint?

What to do if more than one client should be able to connect to the VPN server? (which is my intention)

Thanks a lot!  :Smile: 

----------

## drdebian

 *mariourk wrote:*   

> I have a question about configuring OpenVPN
> 
> I am following the howto on: http://openvpn.sourceforge.net/howto.html
> 
> To start easy I decided to use a static pre-shared key first. Once that 
> ...

 

The local endpoint is the one "on your side" of the VPN connection, while the remote endpoint designates the IP address under which the other side will be accessible.

OpenVPN is designed to create point-to-point tunnels, which means that you will have to create a separate config file for each connection. Not only that, but you will also have to reserve a fixed incoming port for each connection.

There's a configuration hack around that involving xinetd (or similar) for spawning new OpenVPN tunnels for each connection coming in on one port, but I deem this to be a bit experimental.

----------

## mariourk

Ok, I will experiment with this a bit more.

It's cool stuff but a little bit complicated though  :Wink: 

Thanks for the help.  :Smile: 

Btw, any advice from anyone is still welcome  :Rolling Eyes: 

----------

## mariourk

Does someone know how to get openvpn running?

I made the necessary configuration files in /etc/openvpn but it still refuses to start. This is the error I get:

```
mail openvpn # /etc/init.d/openvpn start
 * Expected /etc/openvpn/local.conf to be a directory containing a local.conf.
 * Expected /etc/openvpn/office.up to be a directory containing a local.conf.
 * Expected /etc/openvpn/static.key to be a directory containing a local.conf.
```

Thanks a lot  :Smile: 

----------

## RageX^NZ

Hiya,

I know what your problem is.

You need to make a directory with the name of the link and put those configs inside it.

e.g. we have links called masonic and dome, so I have

/etc/openvpn/dome

/etc/openvpn/masonic

Each directory contains its own local.conf and any other shell scripts particular to that specific link.

Any other questions, just ask.
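Added example, not code from any poster in this thread or from the OpenVPN project: a small POSIX shell script that lays out OpenVPN 1.x static-key, point-to-point links the way drdebian and RageX^NZ describe, one directory per link under the OpenVPN config directory with its own local.conf, one UDP port per link, and the two ifconfig endpoints mirrored between the two sides. The link names, the ports, the peer hostname vpn.example.com and the 10.1.x.x endpoint addresses are assumptions for illustration; the script writes under whatever directory you pass it, never under /etc.

```shell
#!/bin/sh
# Added example (not from this thread or the OpenVPN project): lay out
# OpenVPN 1.x static-key point-to-point links in the per-link directory
# form the Gentoo init script expects (/etc/openvpn/<link>/local.conf).
# Link names, ports, peer hostname and the 10.1.x.x endpoints are assumptions.
#
# Generate the shared secret once, then copy it to the peer over scp/ssh
# (never by mail):      openvpn --genkey --secret static.key

# write_link BASE LINK SIDE LOCAL_IP REMOTE_IP PORT PEER
#   "local" and "remote" endpoint are relative to the host the file is for;
#   the peer's local.conf carries the same two addresses in swapped order.
#   SIDE=client adds a 'remote' line and initiates; SIDE=server has none and
#   just waits on PORT. Every link needs its own port, because a 1.x
#   instance serves exactly one peer.
write_link() {
    base=$1 link=$2 side=$3 local_ip=$4 remote_ip=$5 port=$6 peer=$7
    mkdir -p "$base/$link"
    conf="$base/$link/local.conf"
    {
        echo "# link '$link', $side side"
        echo "dev tun"
        [ "$side" = client ] && echo "remote $peer"
        echo "port $port"
        echo "ifconfig $local_ip $remote_ip"
        # OpenVPN is started from the link directory (the log above shows
        # ./office.up), so this path is relative to it.
        echo "secret static.key"
        echo "ping 15"
        echo "ping-restart 45"
        echo "persist-tun"
        echo "persist-key"
        echo "user nobody"
        echo "group nobody"
        echo "verb 3"
    } > "$conf"
    chmod 600 "$conf"       # static.key lives next to it; keep the directory private
    echo "$conf"
}

# Office side: one directory and one port per home/branch link.
lay_out_office() {
    base=$1
    write_link "$base" home   server 10.1.0.1 10.1.0.2 5000 -
    write_link "$base" branch server 10.1.1.1 10.1.1.2 5001 -
}

# Home side of the 'home' link: same port, endpoints swapped, peer named.
lay_out_home() {
    base=$1
    write_link "$base" office client 10.1.0.2 10.1.0.1 5000 vpn.example.com
}

# Usage: sh this-script.sh /tmp/ovpn-demo   (then read the local.conf files)
if [ $# -eq 1 ]; then
    lay_out_office "$1/office-box"
    lay_out_home "$1/home-box"
fi
```

Running it with a scratch directory produces office-box/home/local.conf and home-box/office/local.conf whose ifconfig lines are each other's mirror image, which is all "local endpoint" and "remote endpoint" mean: the same pair of addresses, read from each side's point of view.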

----------

## nobspangle

To answer the earlier question about what to do if you want a more client-server orientated setup, the answer is to use openvpn 2. It doesn't seem to be in portage yet, maybe you should request a version bump. The new version allows for multiple clients to connect on the same port and get assigned IP addresses from a pool (a bit like dhcp).

----------

## mariourk

Ok, I placed the scripts in an extra subdirectory (/etc/openvpn/mario). When I start openvpn, it seems to do something. However it will give an error and crash. This is what the logs say:

```
Sep 29 08:59:01 [openvpn] OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Sep 27 2004
Sep 29 08:59:01 [openvpn] Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 29 08:59:01 [openvpn] Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 29 08:59:01 [openvpn] Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 29 08:59:01 [openvpn] Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 29 08:59:01 [openvpn] TUN/TAP device tun0 opened
Sep 29 08:59:01 [openvpn] /sbin/ifconfig tun0 192.168.15.1 pointopoint 80.68.215.81 mtu 1256
Sep 29 08:59:01 [openvpn] ./office.up tun0 1256 1300 192.168.15.1 80.68.215.81 init
Sep 29 08:59:01 [openvpn] script failed: shell command exited with error status: 126
Sep 29 08:59:01 [openvpn] Exiting
```

Does anyone know what goes wrong? It seems to be something with office.up

This is what office.up contains:

```
route add -net 192.168.15.1 netmask 255.255.255.0 gw $5
```

It is my intention to give the tunnel-device 192.168.15.1 as IP.

What I'm also wondering: is there a limit to the number of tunnel devices I can use on my Gentoo box? I read once (years ago...) that Linux could handle up to 4 network devices, is this true??

----------

## nobspangle

you need to make the up script executable (i.e. chmod 700)

I'm not sure how many tun devices you can have; I didn't realise there was a limitation.
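Added example, not the poster's office.up and not OpenVPN project code: an up script that checks what OpenVPN 1.x hands it before touching the routing table, plus a helper that diagnoses the failure seen in the log above. OpenVPN 1.x invokes the up script exactly as that log line shows, as `office.up TUN_DEV TUN_MTU LINK_MTU IFCONFIG_LOCAL IFCONFIG_REMOTE init|restart`, so `$5` is the remote tunnel endpoint. The office LAN 192.168.1.0/24 is the one named later in this thread; the use of iproute2 (`ip route replace`) instead of `route add`, the `IP` override and the validation steps are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's office.up, not OpenVPN project code).
# OpenVPN 1.x runs the up script as:
#   office.up TUN_DEV TUN_MTU LINK_MTU IFCONFIG_LOCAL IFCONFIG_REMOTE init|restart
# so $5 is the remote tunnel endpoint, the gateway for the office LAN.
# Office LAN from the thread; everything else here is an assumption.
#
# "script failed: shell command exited with error status: 126" means the
# shell found the file but was not allowed to execute it:  chmod 700 office.up

OFFICE_LAN=${OFFICE_LAN:-192.168.1.0/24}
IP=${IP:-ip}     # set IP=echo to print the route command instead of running it

# office_up DEV TUN_MTU LINK_MTU LOCAL_IP REMOTE_IP [init|restart]
office_up() {
    if [ $# -lt 5 ]; then
        echo "usage: $0 dev tun_mtu link_mtu local_ip remote_ip [init|restart]" >&2
        return 2
    fi
    dev=$1 remote_ip=$5 reason=${6:-init}
    case $remote_ip in
        *.*.*.*) ;;
        *) echo "office_up: '$remote_ip' is not an IPv4 address" >&2; return 2 ;;
    esac
    case $reason in
        init|restart) ;;
        *) echo "office_up: unexpected sixth argument '$reason'" >&2; return 2 ;;
    esac
    # Same effect as the howto's 'route add -net ... gw $5', but 'replace' is
    # idempotent: a second run (a restart) does not fail on an existing route.
    "$IP" route replace "$OFFICE_LAN" via "$remote_ip" dev "$dev"
}

# check_up_script PATH: explain exit status 126 before restarting OpenVPN.
# Returns 126 for a file that is not executable, 1 if it does not exist.
check_up_script() {
    [ -f "$1" ] || { echo "$1: no such file" >&2; return 1; }
    [ -x "$1" ] || { echo "$1: not executable; run: chmod 700 $1" >&2; return 126; }
    head -n 1 "$1" | grep -q '^#!' || echo "$1: no #! line; add #!/bin/sh as line 1" >&2
    return 0
}

# When OpenVPN executes this file it passes the arguments listed above;
# run by hand with no arguments it does nothing.
if [ $# -ge 1 ]; then
    office_up "$@"
fi
```

With `IP=echo` the script can be exercised as a normal user; it then prints the `ip route` command it would have run for the arguments OpenVPN passed.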

----------

## mariourk

Making the script executable worked indeed, stupid that I didn't think of that   :Embarassed: 

I have the tunnel-devices working now. I do, however, have another question.

This is my situation:

my computer <--> my Linux server <--> my ADSL-router <--> internet <--> office ADSL-router <--> office Linux server <--> office networks

The VPN connection is established between the two Linux servers (my Linux server and the office Linux server). The tunnel device on my Linux server has 192.168.15.2 as IP and the tunnel device on the office Linux server has 192.168.15.1 as IP.

From my Linux server I can ping 192.168.15.1, so I have a working connection (hurray!  :Smile:  ). I can also ping the office subnet (e.g. 192.168.1.14).

But from my own computer this doesn't work. I can only ping 192.168.15.2 (the tunnel device on my Linux server).

What I want is that any computer on my home network can ping any computer on the office subnetwork (192.168.1.x).

How can I make this work?

----------

## mariourk

Correction on my previous post. I can NOT ping the office subnet from my Linux server. I tested this in the wrong terminal. Yes, the one with an ssh connection to the office Linux server.

Oops..   :Wink: 

----------

## mariourk

Ok, I have it working now. I can ping the office network from any PC in my own network. I've done this by adding this iptables rule:

```
# nat table, iptables-save syntax
-A POSTROUTING -d 192.168.1.0/255.255.255.0 -j SNAT --to-source 192.168.15.2
```

192.168.1.0/255.255.255.0 is the office network and 192.168.15.2 is the tunnel device on my Linux server.

So, now I can access all PCs on the office network from my own PC at home.

This is not really a question for this forum but some might know the answer anyway.

When I boot Windows, I can still ping all the PCs on the office network. But when I try to connect to one of the office PCs with the SMB protocol it doesn't work. Does someone know why that is?

----------

## nobspangle

You could have also solved it by adding some routes.

On your Linux server you need

```
route add -net 192.168.1.0 netmask 255.255.255.0 gw $5
```

and on the remote you need something similar pointing to your local subnet.
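Added example, not code posted by anyone in this thread: the two ways discussed in the last few posts to let every host on the home LAN reach the office LAN across the 1.x point-to-point tunnel, side by side, each with the forwarding rules the home box needs. The tunnel endpoints (192.168.15.2 home, 192.168.15.1 office) and the office LAN 192.168.1.0/24 are from the thread; the home LAN 192.168.2.0/24, the tun0 device name and the use of iproute2 (`ip route`) instead of `route add` are assumptions. The functions only print commands; `apply_plan` runs them, which needs root.

```shell
#!/bin/sh
# Added example (not from this thread): SNAT versus real routes for
# home LAN -> office LAN over an OpenVPN 1.x point-to-point tunnel.
# Tunnel endpoints and office LAN from the thread; home LAN, tun0 and the
# use of 'ip route' are assumptions. Functions print commands only.

HOME_LAN=${HOME_LAN:-192.168.2.0/24}
OFFICE_LAN=${OFFICE_LAN:-192.168.1.0/24}
TUN_HOME=${TUN_HOME:-192.168.15.2}
TUN_OFFICE=${TUN_OFFICE:-192.168.15.1}
TUN_DEV=${TUN_DEV:-tun0}

# Needed by both options on the home box: forwarding on, and forward only
# what the tunnel is for. Without a FORWARD policy every home host, and
# anything that has compromised one, gets the entire office LAN.
plan_forwarding() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $HOME_LAN -d $OFFICE_LAN -o $TUN_DEV -m state --state NEW -j ACCEPT"
}

# Option 1, mariourk's fix: hide the home LAN behind the home tunnel address.
# Nothing changes on the office side, which already knows 192.168.15.2 as
# its point-to-point peer. Cost: the office sees one address for all home
# hosts (no per-host attribution in its logs) and can never initiate to them.
plan_snat() {
    plan_forwarding
    echo "iptables -t nat -A POSTROUTING -o $TUN_DEV -d $OFFICE_LAN -j SNAT --to-source $TUN_HOME"
}

# Option 2, nobspangle's suggestion: real routes at both ends, home hosts keep
# their own addresses. Home box: office LAN via the remote endpoint (the $5
# an up script receives). Office box: home LAN via ITS remote endpoint,
# 192.168.15.2. Office LAN hosts must also send replies back through the
# office box (default gateway, or a route of their own); nothing here can
# do that for them.
plan_routes_home() {
    plan_forwarding
    echo "ip route replace $OFFICE_LAN via $TUN_OFFICE dev $TUN_DEV"
}
plan_routes_office() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip route replace $HOME_LAN via $TUN_HOME dev $TUN_DEV"
}

# apply_plan: run the commands read on stdin; DRY_RUN=1 only prints them.
#   plan_snat | DRY_RUN=1 apply_plan      # look first
#   plan_snat | apply_plan                # then run as root
apply_plan() {
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "+ $cmd"; else sh -c "$cmd"; fi
    done
}
```

Option 1 is the smaller change and it is why the poster's single SNAT rule was enough: the office end never has to learn that a home LAN exists. Option 2 is what a site-to-site link normally wants, at the price of a route (and forwarding) on the office side too. Either way the FORWARD rules are what keeps the tunnel from turning the whole home LAN into an office-LAN client.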

----------

## mariourk

Ok, I'll try.

Thanks  :Very Happy: 

----------

## Jacobs

Regarding OpenVPN 2 - it's still in beta so that's why it's not in portage. You may find experimental ebuild at bugzilla https://bugs.gentoo.org/show_bug.cgi?id=50767 - it works fine for me (using the brand new server mode  :Smile: ).

----------

## mariourk

I am working on this stuff to use it for the company I work for.

So I think it's not a good idea to use beta stuff  :Wink: 

I think I'll wait until OpenVPN is stable in portage; after that I will absolutely try to merge to version 2.0   :Smile: 

----------

## Jacobs

Sure thing - the features come and go these days, so once I even had to reconfigure the whole thing when upgrading to the new beta version. But the problem with 1.x is that there's no multi-client server support, so I hope the 2.0 final is out soon.
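Added example, not from this thread and not OpenVPN project code: what the OpenVPN 2.x "server mode" that nobspangle and Jacobs refer to looks like, next to the matching client config, written out by a small shell script. The directives are those of the released 2.x series (the `remote-cert-tls` check arrived in 2.1; 2.0 spelled it `ns-cert-type server`), so the 2004 beta ebuild may have differed. The certificate file names, the 10.8.0.0/24 address pool, the client common name `home-gw`, its LAN 192.168.2.0/24 and the hostname vpn.example.com are assumptions; the office LAN 192.168.1.0/24 is the one in the thread. Files go under the directory you pass in, not under /etc.

```shell
#!/bin/sh
# Added example (not from this thread, not OpenVPN project code): OpenVPN 2.x
# server-mode config plus one client config. Directive syntax is that of the
# released 2.x series; file names, pool, client name and its LAN are assumptions.
#
# TLS material is outside this script: a CA, a server cert, one cert per
# client, a DH file, and the extra HMAC key:   openvpn --genkey --secret ta.key

write_server_conf() {
    dir=$1
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
# One process, one port, many clients; addresses come from the pool.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Tell every client how to reach the office LAN behind this box.
push "route 192.168.1.0 255.255.255.0"
# Per-client settings (the iroute files) live in ccd/<common name>.
client-config-dir ccd
# Kernel route for a LAN behind a client points at the tun device; the
# iroute in ccd tells OpenVPN which client owns it. This replaces SNAT.
route 192.168.2.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# write_ccd DIR CN LAN MASK: the per-client file for a client with a LAN
# behind it. The CN is taken from the client's certificate, so only the
# holder of that key can claim that LAN.
write_ccd() {
    dir=$1 cn=$2 lan=$3 mask=$4
    mkdir -p "$dir/ccd"
    printf 'iroute %s %s\n' "$lan" "$mask" > "$dir/ccd/$cn"
}

write_client_conf() {
    dir=$1 server=$2
    mkdir -p "$dir"
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
ca ca.crt
cert home-gw.crt
key home-gw.key
tls-auth ta.key 1
# Refuse to talk to a peer whose certificate was not issued for a server.
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
}

# Usage: sh this-script.sh /tmp/ovpn2-demo
if [ $# -eq 1 ]; then
    write_server_conf "$1/server"
    write_ccd "$1/server" home-gw 192.168.2.0 255.255.255.0
    write_client_conf "$1/client" vpn.example.com
fi
```

The contrast with the 1.x setup earlier in the thread is the `server` line: one listening port and one process for every client, with the `route`/`iroute` pair doing for a client's LAN what the SNAT rule had to do by hand.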

----------

