From: Jim S. <jw...@jw...> - 2012-09-28 11:47:02
On 9/28/2012 3:15 AM, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 27 Sep 2012, Stephane ANCELOT wrote:
>
>> Is IPCOP able to do OpenVPN client ONLY ?
> Yes, it is. If you mean does the IPCop GUI have a little button and a
> GUI interface page somewhere that sets up an OpenVPN client to your
> specifications when you click with your mouse and fill in some form,
> then I have no idea -- I almost never use the IPCop GUI.
>
> However it is simplicity itself to set up an OpenVPN client. All you
> have to do is create a suitable configuration file, then e.g. tell
> OpenVPN from the IPCop (root) (bash) shell to start up using that file.
>
> Here's one of my IPCop client configuration files, sanitized so that
> you can't use it without first putting some sensible values in it:
>
> 8<----------------------------------------------------------------------
> # client.xxxxx.conf
> # OpenVPN configuration file.
> # This one is for Jubilee's backup server, in the base station
> # at Jubilee, and the server 'xxxxx' at [deleted].
> # GW Haywood
> # Modification record:
> # [deleted]
> ifconfig 10.x.1.2 10.x.1.1
> dev tun
> #
> # If we have weird off-site router issues sometimes this ...
> # proto tcp-client
> # ... is needed instead of this, e.g.
> proto udp
> #
> # Normally we use our wireless links...
> remote 192.168.x.y
> # ... but if this wireless link is down we use a land line...
> # remote xx.xxx.xxx.xx
> #
> # The 'remote' configuration directive tells IPCop it's a client.
> # That means that you don't need to open any ports on the client,
> # because the iptables OUTPUT chain defaults to ACCEPT. You will
> # however need to open the port you choose below on the server!
> port 1234x
> #
> secret /root/openvpn_keys/openvpn.key.xxxxx
> comp-lzo
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> user nobody
> group nogroup
> daemon
> verb 5
> log-append /var/log/openvpn.d/openvpn.xxxxx
> 8<----------------------------------------------------------------------
>
> To start OpenVPN with this configuration you'd just edit the port and
> IP addresses to suit your requirements, make sure that you've created
> the log directory and that you have created the keys and put them in
> the right places (on both ends of the VPN), then type
>
> /usr/sbin/openvpn --config /path/to/client.xxxxx.conf
>
> There are all sorts of things in there that you might want to modify.
> The OpenVPN documentation is good (heck, even just running the binary
> with no arguments is good!) so it's worth spending some time with it.
>
> If you want this VPN to start when IPCop is booted, just put the
> command line e.g. in somewhere like /etc/rc.d/rc.local so that it's
> executed at startup.
>
> If you have several different VPNs running, put them on different
> ports. You will need to open the ports for the external server using
> the normal IPCop facilities (assuming the server is another IPCop or
> is behind another IPCop).
>
> I've been using OpenVPN on IPCop like this for about a decade, and
> it's very reliable, although most of the time my VPN endpoints are not
> the IPCop machines themselves, but machines behind IPCop firewalls.
>
>> Some screenshots may be nice.
> As I almost never use a GUI, shots of my screen really wouldn't help. :)
>
> --
>
> 73,
> Ged.
>

This misses a big part of openvpn, the DNS issues that are involved. I didn't see any of the push or other config bits which handle that. I have had more problems with that than anything else.

Also, when you are using a vpn, the client end connected to ipcop will have all of its dns replaced if you do the push, but if you don't do that, none of your inhouse hosts are visible by name using the ipcop dns. At least with zerina and ipcop 1.4 that is the case.
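
The pre-start checks named in the quoted reply (log directory created, key file in the right place), as an added shell example that is not part of the original thread. The helper names `conf_value` and `ovpn_preflight` are hypothetical, the group/other permission check on the key is an added assumption, and directive arguments are assumed to contain no spaces or quotes.

```shell
#!/bin/sh
# Added example: pre-start checks for a static-key OpenVPN client config.
# conf_value and ovpn_preflight are hypothetical helper names.
# Assumes directive arguments contain no spaces or quotes.

# Print the first argument of directive $2 in config file $1.
# Commented-out lines never match, because their first field starts with '#'.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 if the key and log directory named in config $1 are in place,
# 1 otherwise. Each problem found is reported on stderr.
ovpn_preflight() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 1; }

    key=$(conf_value "$conf" secret)
    if [ -z "$key" ]; then
        echo "no 'secret' directive in $conf" >&2; rc=1
    elif [ ! -f "$key" ]; then
        echo "key file missing: $key" >&2; rc=1
    else
        # In static-key mode this file is the only credential, so flag any
        # group/other permission bits (columns 5-10 of the ls mode string).
        mode=$(ls -ldL "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "key readable beyond owner ($mode): chmod 600 $key" >&2; rc=1
        fi
    fi

    log=$(conf_value "$conf" log-append)
    if [ -n "$log" ] && [ ! -d "$(dirname "$log")" ]; then
        echo "log directory missing: $(dirname "$log")" >&2; rc=1
    fi
    return $rc
}

# Usage, after sourcing this file:
#   ovpn_preflight /path/to/client.xxxxx.conf &&
#       /usr/sbin/openvpn --config /path/to/client.xxxxx.conf
```

Because the config runs with `daemon`, a missing key or log directory would otherwise only show up as a VPN that never comes up; running the check from the same place as the start command (e.g. rc.local) reports it before OpenVPN is launched.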