Differences

This shows you the differences between two versions of the page.

--- technical:openvpn-bridges-prep-openvpn [2023/10/21 05:28]
admin
+++ technical:openvpn-bridges-prep-openvpn [2024/01/11 13:24] (current)
admin [OpenVPN server config for br0.103]
@@ Line 9: / Line 9: @@
         * We are not going to use encryption of the tunnel.
         * We are not going to use the PKI.
-        * We are compressing the data.
+        * We are not compressing the data.
         * We are using a username and password given by the client and pass it onto a script to verify if the client is valid.
   * Remove /etc/openvpn/server.conf
@@ Line 17: / Line 17: @@
 ===== OpenVPN server config for br0.101 =====
   * Create a file called **/etc/openvpn/server_vlan_101.conf**.
-  * Be sure to check the correct value for eth0.101. It might be eth1.101 with your config. (up “/etc/openvpn/up.sh br0.101 eth1.101”)
+  * Be sure to check the correct value for eth1.101. It might be eth0.101 with your config. (up “/etc/openvpn/up.sh br0.101 eth0.101”)
 <file bash server_vlan_101.conf>
 mode server
 auth none
-cipher none
 tmp-dir /dev/shm
 auth-user-pass-verify "/etc/openvpn/openvpn_auth.pl" via-file
 verify-client-cert none
 username-as-common-name
 script-security 2
-local 198.27.111.78
+local 178.1.1.20
 port 1194
 proto udp
@@ Line 39: / Line 38: @@
 key server.key  # This file should be kept secret
 dh dh.pem
-up "/etc/openvpn/up.sh br0.101 eth0.101"
+up "/etc/openvpn/up.sh br0.101 eth1.101"
 server-bridge 10.101.0.1 255.255.0.0 10.101.0.2 10.101.0.100
 ifconfig-pool-persist ipp.txt
 ;client-config-dir ccd
 keepalive 10 120
-comp-lzo
 persist-key
 persist-tun
 status openvpn-status.log
 verb 4
+allow-compression no
+data-ciphers none
+cipher none
 </file>
@@ Line 60: / Line 61: @@
 auth none
-cipher none
 tmp-dir /dev/shm
@@ Line 69: / Line 69: @@
 script-security 2
-local 198.27.111.78
+local 178.1.1.20
 port 1195
 proto udp
@@ Line 78: / Line 78: @@
 dh dh.pem
-up "/etc/openvpn/up.sh br0.102 eth0.102"
+up "/etc/openvpn/up.sh br0.102 eth1.102"
 server-bridge 10.102.0.1 255.255.0.0 10.102.0.2 10.102.0.100
@@ Line 84: / Line 84: @@
 ;client-config-dir ccd
 keepalive 10 120
-comp-lzo
 persist-key
 persist-tun
 status openvpn-status.log
 verb 4
+allow-compression no
+data-ciphers none
+cipher none
 </file>
@@ Line 98: / Line 100: @@
 auth none
-cipher none
 tmp-dir /dev/shm
@@ Line 107: / Line 108: @@
 script-security 2
-local 198.27.111.78
+local 178.1.1.20
 port 1196
 proto udp
@@ Line 116: / Line 117: @@
 dh dh.pem
-up "/etc/openvpn/up.sh br0.103 eth0.103"
+up "/etc/openvpn/up.sh br0.103 eth1.103"
 server-bridge 10.103.0.1 255.255.0.0 10.103.0.2 10.103.0.100
@@ Line 122: / Line 123: @@
 ;client-config-dir ccd
 keepalive 10 120
-comp-lzo
 persist-key
 persist-tun
 status openvpn-status.log
 verb 4
+allow-compression no
+data-ciphers none
+cipher none
 </file>
 ===== Prepare /etc/openvpn/up.sh =====
   * You'll see in the config files there are reference to two scripts.
   * **/etc/openvpn/up.sh** is called when the tap interface comes up.
-  * **/home/system/openvpn_auth.pl** is used to verify the clients.
+  * **/etc/openvpn/openvpn_auth.pl** is used to verify the clients.
   * Create the /etc/openvpn/up.sh file
 <code bash>
@@ Line 156: / Line 159: @@
   * The **openvpn_auth.pl** script can then be copied to the server running the OpenVPN server.
   * You just have to configure the **openvpn_auth.pl** script to point to your RADIUSdesk server to do the API calls when authenticating a client.
-  * The **openvpn_auth.pl** script is traditionally under **/usr/share/nginx/html/cake2/rd_cake/Setup/Scripts/**.
+  * The **openvpn_auth.pl** script is traditionally under **/var/www/rdcore/cake4/rd_cake/setup/scripts/**.
-  * Copy this file to a convenient location on the OpenVPN server and edit the following to point to your RADIUSdesk server.
+  * Copy this file to **/etc/openvpn/** on the OpenVPN server and edit the following to point to your RADIUSdesk server.
 <code bash>
 my $protocol='http';
 my $server_name_or_ip='198.27.111.78';
-my $api_path="/cake2/rd_cake/openvpn_servers/auth_client.json";
+my $api_path="/cake4/rd_cake/openvpn-servers/auth-client.json";
 </code>
   * Make sure this file is executable in its new location:
 <code bash>
-sudo chmod 755 /home/system/openvpn_auth.pl
+sudo chmod 755 /etc/openvpn/openvpn_auth.pl
 </code>
-===== Restart OpenVPN service =====
+  * Make sure the Perl modules that are used by this script are installed.
-  * Restart the OpenVPN service.
 <code bash>
-sudo service openvpn stop
+sudo apt-get install liblwp-protocol-https-perl
-sudo service openvpn start
+</code>
-#You should now see the following
+===== Test Start OpenVPN service =====
-* Starting virtual private network daemon(s)...
+  * Be aware that the **systemctl start openvpn** is not starting your openvpn you just defined.
-Autostarting VPN 'server_vlan_101'
+  * Openvpn uses templatized systemd jobs, openvpn@CONFIGFILENAME.
-Autostarting VPN 'server_vlan_102'
+  * So if for example your configuration file is myserver.conf your service is called openvpn@myserver.
-Autostarting VPN 'server_vlan_103'
+  * You can run all kinds of service and systemctl commands like start/stop/enable/disable/preset against a templatized service like openvpn@server.
+  * With that in view you can tests start the individual servers based on their config files.
+<code bash>
+#start 101
+sudo systemctl start openvpn@server_vlan_101
+#check the output for any errors
+journalctl -xeu openvpn@server_vlan_101.service
+#start 102
+sudo systemctl start openvpn@server_vlan_102
+#check the output for any errors
+journalctl -xeu openvpn@server_vlan_102.service
+#start 103
+sudo systemctl start openvpn@server_vlan_103
+#check the output for any errors
+journalctl -xeu openvpn@server_vlan_103.service
 </code>
 ===== Check the bridges =====
@@ Line 190: / Line 206: @@
 							tap2
 </code>
+===== Install ifconfig =====
+  * Although ifconfig does not come standard with recent versions of Ubuntu and we try to use the replacement **ip** command where possible, we will install ifconfig to help here.
+  * It is also required during the next section when we work with CoovaChilli.
+<code bash>
+sudo apt install net-tools
+</code>
+==== Test ifconfig ====
   * ifconfig should also include a list of three tap interfaces
 <code bash>
@@ Line 216: / Line 239: @@
           RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
 </code>
-<WRAP center round tip 90%>
-  * If your server has only **one** interface card, be sure to add the following line to the **/etc/rc.local** file to ensure OpenVPN is only started up after the bridges have been set up.
+===== OpenVPN Startup =====
+  * Since we use our own startup script to prepare the environment we will disable the normal startup sequience of OpenVPN.
+  * We will start it up **after** our environment has been prepared.
+  * Disable the startup of OpenVPN
+<code bash>
+sudo systemctl disable openvpn
+</code>
+  * Add the following lines to the **/etc/rc.local** file to ensure OpenVPN starts up **after** the bridges have been set up.
 <code bash>
-/sbin/brctl addif br0.103 eth1.103
 /sbin/ip addr add 10.103.0.1/16 dev br0.103
 /sbin/ip link set dev br0.103 up
 #Add the startup of OpenVPN
-/usr/sbin/service openvpn start
+systemctl start openvpn@server_vlan_101
+systemctl start openvpn@server_vlan_102
+systemctl start openvpn@server_vlan_103
 exit 0
 </code>
-</WRAP>
   * We are making good progress. Next we will install and configure **Coova Chilli** so that it runs an instance on each VLAN.
   * To confirm everything will come up after a power cycle, go ahead and reboot the server.

RADIUSdesk

Page Tools

Site Tools

User Tools

Differences