From: Kristian K. <kri...@gm...> - 2007-02-13 22:50:01
Hey everyone,

OpenVPN - looks very cool, I'm glad that AstLinux has it.

I have a problem that looks like it could be solved with the appropriate VPN. OpenVPN looks like it can probably do it for me.

Here is what I need to do:

Many boxes are behind NAT. Each box has several services that need to be accessed by a few remote systems that are all on the same network (probably a dedicated VLAN) in a datacenter. By many boxes I mean hundreds, thousands, etc.

Here is what I think I need:

- openvpn on each box with public key authentication (I don't want to have to deal with passwords)

- openvpn "concentrator" doing routing/firewalling/etc. in the datacenter

The "kick" is I need the openvpn concentrator to hand out unique IP addresses that are routable (at least within my VLAN in the datacenter - maybe by proxy ARP) to each client as it connects. Multiple machines on that VLAN (not running openvpn) must be able to access the remote IP addresses without any extra software or configuration.

Can openvpn do this? What extra rc.conf values will I need?

Thanks!

--
Kristian Kielhofner
From: Lonnie A. <li...@lo...> - 2007-02-14 03:20:32
Kristian,

First, my OpenVPN experience is a total of the last two weeks; so, with that in mind...

Yes, I think OpenVPN will solve your problem. Until Darrick has a chance to look at my openvpn changes in AstLinux, you might look at:

/etc/init.d/openvpn
http://lonnie.abelbeck.com/share/openvpn2.txt

which allows you to specify a text file /mnt/kd/openvpn/openvpn.conf that overrides any rc.conf openvpn settings.

The 'clients' should be straightforward.
http://openvpn.net/howto.html#client

The 'server' requires a non-overlapping virtual network (usually private) for the openvpn clients. It would be up to you to route these private addresses to the proper places in the data center.
http://openvpn.net/howto.html#server

The 'server' config would probably use the "client-config-dir ccd" command to specify each client's virtual IP address, cert/key, route, etc.

You should be able to create a test-bed with AstLinux at each end, one with openvpn set as a server and the other as an openvpn client. The key is getting the routing correct.

To start with, you might want to make your AstLinux OpenVPN server openvpn only (no asterisk), route with an external firewall and use asterisk with another AstLinux box. This mimics your data center situation better and makes testing easier.

Lonnie
From: Darrick H. <dha...@dj...> - 2007-02-17 20:36:55
Lonnie Abelbeck wrote:
> Kristian,
>
> First, my OpenVPN experience is a total of the last two weeks; so,
> with that in mind...
>
> Yes, I think OpenVPN will solve your problem. Until Darrick has a
> chance to look at my openvpn changes in AstLinux, you might look at:
>
> /etc/init.d/openvpn
> http://lonnie.abelbeck.com/share/openvpn2.txt
>

Lonnie,

I committed most of the changes you requested for openvpn to trunk. This includes a modified init script, the inclusion of only easy-rsa version 2 scripts, changes to rc.conf for a few additional variables and the possibility of using your own openvpn.conf file from the key disk.

One key setting that I did not include is the enabling of ip_forwarding. While this is required if you want openvpn to route to other PCs on the network, this should be enabled by the firewall. If you want to enable IP forwarding without a firewall, add a line to rc.local on your keydisk.

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
From: Lonnie A. <li...@lo...> - 2007-02-17 21:18:16
Darrick,

Thanks... quick look, looks great.

1) Line 94 of your /etc/init.d/openvpn needs another "fi"

94: fi
95: fi
96: }

2) So if I include "sysctl -w net.ipv4.ip_forward=1" on my rc.local keydisk, no problem that this gets called a bunch of times?

3) How about my NO_ASTERISK (exit) variable in /etc/init.d/asterisk ?

Lonnie
From: Darrick H. <dha...@dj...> - 2007-02-14 19:07:17
Kristian Kielhofner wrote:
> Hey everyone,
>
> OpenVPN - looks very cool, I'm glad that AstLinux has it.
>
> I have a problem that looks like it could be solved with the
> appropriate VPN. OpenVPN looks like it can probably do it for me.
>
> Here is what I need to do:
>
> Many boxes are behind NAT. Each box has several services that need
> to be accessed by a few remote systems that are all on the same
> network (probably a dedicated VLAN) in a datacenter. By many boxes I
> mean hundreds, thousands, etc. Here is what I think I need:
>
> - openvpn on each box with public key authentication (I don't want to
> have to deal with passwords)
>

Not a problem. When you use the easy-rsa scripts you can decide to create a client certificate with or without a password.

> - openvpn "concentrator" doing routing/firewalling/etc in the datacenter
>
> The "kick" is I need the openvpn concentrator to hand out unique IP
> addresses that are routable (at least within my VLAN in the
> datacenter - maybe by proxy ARP) to each client as it connects.
> Multiple machines on that VLAN (not running openvpn) must be able to
> access the remote IP addresses without any extra software or
> configuration.
>

It may be easier to see this as a diagram. xfig or Dia would produce something that I could look at. It shouldn't be too difficult to do this. You may have to add a few route statements in rc.local to handle this. You may also need some of Lonnie's requested changes. I haven't had time to look at those yet in depth. Perhaps this afternoon or tomorrow I'll have a chance. No chance in hell of looking at that stuff after 5pm tonight though. We're going to partake in the commercialized holiday.

> Can openvpn do this? What extra rc.conf values will I need?
> Thanks!

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
From: Darrick H. <dha...@dj...> - 2007-02-17 22:06:29
Lonnie Abelbeck wrote:
> Darrick,
>
> Thanks... quick look, looks great.
>
> 1) Line 94 of your /etc/init.d/openvpn needs another "fi"
>
> 94: fi
> 95: fi
> 96: }

Good catch. I moved a few other things around too. Check rev 592.

> 2) So if I include "sysctl -w net.ipv4.ip_forward=1" on my rc.local
> keydisk, no problem that this gets called a bunch of times?

If that's called multiple times, it is not going to cause any harm. Overkill, but no harm.

> 3) How about my NO_ASTERISK (exit) variable in /etc/init.d/asterisk ?

Forgot about that one... I'd like Kristian's input on this one. We'd need a variable in rc.conf to not start asterisk. Then a check in the asterisk init script to check for this variable and exit cleanly if it's found.

There may be another way to accomplish this though. We may want a list of services which should be started at boot or perhaps a list of disabled services. It would be nice to include openser in the stock Astlinux image, but if both asterisk and openser are started, there may be some issues.

As a reminder, what Lonnie is doing is using an instance of Astlinux to provide an openvpn end point. He didn't want asterisk started (no need to in this case).

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
From: Kristian K. <kri...@gm...> - 2007-02-18 00:29:54
On 2/17/07, Darrick Hartman <dha...@dj...> wrote:
> > 3) How about my NO_ASTERISK (exit) variable in /etc/init.d/asterisk ?
> Forgot about that one... I'd like Kristian's input on this one. We'd
> need a variable in rc.conf to not start asterisk. Then a check in the
> asterisk init script to check for this variable and exit cleanly if it's
> found.
>
> There may be another way to accomplish this though. We may want a list
> of services which should be started at boot or perhaps a list of
> disabled services. It would be nice to include openser in the stock
> Astlinux image, but if both asterisk and openser are started, there may
> be some issues.
>

Hey Guys,

If we started doing NO_* variables, we'd eventually run out :).

What about this:

ASTERISK_USER=root
ASTERISK_GROUP=root

At least this way we accomplish two things -

1) We know the user wants to start Asterisk

2) They can run it under alternate credentials if desired

If they didn't define either (upgrade with old keydisk, for instance) I'd like to make the asterisk init script say something clever and warn the user that they aren't running Asterisk on AstLinux ;)!

That's more similar to the other packages (openvpn, for instance).

What do you think?

--
Kristian Kielhofner
From: Lonnie A. <li...@lo...> - 2007-02-18 00:56:05
Guys,

I'll be happy with 'any' rc.local variable that keeps asterisk from starting.

> ASTERISK_USER=root
> ASTERISK_GROUP=root

Kristian, seems you might want to add these variables anyway, but having "not defined" mean "asterisk disabled" seems a little obscure to me. Maybe then in addition:

ASTERISK_DISABLE=yes

By default asterisk should be on, hence, I think a new variable should be set to turn asterisk off.

Lonnie

PS: Is anyone using the $EXTENSIONS variable anymore? Time for it to go?
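The init-script logic the three messages above are converging on, as an added example that is not the AstLinux /etc/init.d/asterisk script: it honours Lonnie's ASTERISK_DISABLE=yes and Kristian's ASTERISK_USER / ASTERISK_GROUP, passing the latter to asterisk's own -U/-G switches so the daemon drops root. The rc.conf path, the asterisk binary path, and the choice to grep the variables out of rc.conf instead of sourcing it are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not AstLinux's init script.  Reads the proposed rc.conf
# variables and decides whether (ASTERISK_DISABLE) and as whom
# (ASTERISK_USER/ASTERISK_GROUP) to start asterisk.
# Paths below are assumptions.
RC_CONF="${RC_CONF:-/etc/rc.conf}"
ASTERISK_BIN="${ASTERISK_BIN:-/usr/sbin/asterisk}"

# Fetch one KEY=value line from a config file without sourcing it (sourcing
# a file that lives on a removable keydisk would execute anything in it).
# Prints the value with surrounding double quotes removed, or nothing.
rc_get() {
    # $1 = config file, $2 = variable name
    _v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    _v=${_v%\"}; _v=${_v#\"}
    printf '%s\n' "$_v"
}

# 0 = start asterisk, 1 = skip.  Asterisk stays on unless ASTERISK_DISABLE
# is exactly "yes" (case-insensitive), matching Lonnie's "on by default".
asterisk_enabled() {
    case "$(rc_get "$1" ASTERISK_DISABLE | tr 'A-Z' 'a-z')" in
        yes) return 1 ;;
        *)   return 0 ;;
    esac
}

# Build the asterisk command line.  Only user/group names made of
# [A-Za-z0-9_.-] are accepted, so a value in rc.conf cannot smuggle extra
# switches into the unquoted exec below.  An unset ASTERISK_USER means root,
# which gets the warning Kristian asked for.
asterisk_cmdline() {
    _u=$(rc_get "$1" ASTERISK_USER)
    _g=$(rc_get "$1" ASTERISK_GROUP)
    for _x in "$_u" "$_g"; do
        case "$_x" in
            *[!A-Za-z0-9_.-]*) echo "rejecting ASTERISK_USER/GROUP value: $_x" >&2; return 2 ;;
        esac
    done
    _cmd="$ASTERISK_BIN"
    [ -n "$_u" ] && _cmd="$_cmd -U $_u"
    [ -n "$_g" ] && _cmd="$_cmd -G $_g"
    [ -z "$_u" ] && echo "warning: ASTERISK_USER unset, asterisk will run as root" >&2
    printf '%s\n' "$_cmd"
}

# What the init script's "start" case would do.
asterisk_start() {
    if ! asterisk_enabled "$RC_CONF"; then
        echo "asterisk disabled via ASTERISK_DISABLE=yes in $RC_CONF"
        return 0
    fi
    _cmd=$(asterisk_cmdline "$RC_CONF") || return $?
    echo "starting: $_cmd"
    # exec $_cmd      # uncomment in a real init script
}
```

Running asterisk with -U/-G is the part worth keeping even if the variable names change: a SIP stack that parses untrusted packets from the Internet should not be the process holding root on the box.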
From: Lonnie A. <li...@lo...> - 2007-03-08 19:27:29
Kristian,

As a follow-up to your original question, the openvpn.conf server-side option (for OpenVPN 2.0.x):

ifconfig-pool-linear

might be useful to you. Instead of creating /30 networks for each client, a single IP from the VPN subnet is used, starting at x.x.x.4 by default.

The only 'drawback' of using "ifconfig-pool-linear" in the server config is that Windows clients cannot connect... the /30 option was made to deal with the Windows tun driver. (Some may consider this a security feature. <smile>)

UNIX and Mac OS X work fine with "ifconfig-pool-linear". This might be the choice for SIP over OpenVPN in an all-UNIX environment.

Lonnie
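Lonnie's two suggestions, the per-client "client-config-dir ccd" entries in his first reply and the ifconfig-pool-linear layout here, as one added example that is neither AstLinux nor OpenVPN project code: a generator for the ccd files that gives every box a fixed, unique VPN address in either layout, plus the matching server-side directives. The 10.8.0.0/24 VPN subnet, the "cn index" client list and the ccd directory are constructed for the example; the /30 pairing rule (client 4k+2, server 4k+1) is OpenVPN's documented net30 behaviour.

```shell
#!/bin/sh
# Added example, not AstLinux or OpenVPN code.  Writes client-config-dir
# files for an OpenVPN 2.0.x server so each box gets a fixed VPN address,
# either in the default net30 layout (a /30 per client) or in the
# ifconfig-pool-linear layout (one host address per client).
# Subnet 10.8.0.0/24 and the client list below are assumptions.

# net30: client k (k >= 1) owns 10.8.0.(4k)/30.  OpenVPN only accepts the
# /30 endpoint pairs [1,2] [5,6] [9,10] ... [253,254], so the client end is
# 4k+2 and the server end 4k+1.  k = 0 is the server's own /30.
net30_push() {
    # $1 = subnet prefix (e.g. 10.8.0), $2 = client index k
    [ "$2" -ge 1 ] && [ "$2" -le 63 ] || return 1
    printf 'ifconfig-push %s.%d %s.%d\n' "$1" $((4 * $2 + 2)) "$1" $((4 * $2 + 1))
}

# linear: client k gets the single host address .k, its peer is the server .1.
# Keep static indexes clear of the range the server's dynamic pool hands out,
# or a static client and a pooled client may end up with the same address.
linear_push() {
    [ "$2" -ge 2 ] && [ "$2" -le 254 ] || return 1
    printf 'ifconfig-push %s.%d %s.1\n' "$1" "$2" "$1"
}

# Server-side directives that go with the ccd files.  ccd-exclusive refuses
# any client whose certificate CN has no ccd file, so a stray signed
# certificate cannot obtain an address from the pool on its own.
server_conf() {
    # $1 = mode (net30|linear), $2 = subnet prefix
    printf 'server %s.0 255.255.255.0\n' "$2"
    if [ "$1" = linear ]; then printf 'ifconfig-pool-linear\n'; fi
    printf 'client-config-dir ccd\nccd-exclusive\n'
}

# Read "cn index" pairs on stdin and write ccd/<cn>.  OpenVPN looks the file
# up by the certificate's common name, so a CN with path characters, or a
# duplicate CN or index (two boxes, one address), is rejected, not written.
gen_ccd() {
    # $1 = mode, $2 = ccd dir, $3 = subnet prefix
    mkdir -p "$2"
    _cns=" "; _idxs=" "
    while read -r _cn _idx; do
        [ -z "$_cn" ] && continue
        case "$_cn" in .|..|*[!A-Za-z0-9_.-]*) echo "bad CN: $_cn" >&2; return 1 ;; esac
        case "$_idx" in ""|*[!0-9]*) echo "bad index for $_cn: $_idx" >&2; return 1 ;; esac
        case "$_cns"  in *" $_cn "*)  echo "duplicate CN: $_cn" >&2; return 1 ;; esac
        case "$_idxs" in *" $_idx "*) echo "duplicate index: $_idx" >&2; return 1 ;; esac
        _cns="$_cns$_cn "; _idxs="$_idxs$_idx "
        if [ "$1" = linear ]; then
            _line=$(linear_push "$3" "$_idx") || return 1
        else
            _line=$(net30_push "$3" "$_idx") || return 1
        fi
        printf '%s\n' "$_line" > "$2/$_cn"
    done
}

# Usage (constructed client list):
#   printf 'box-a 1\nbox-b 2\n' | gen_ccd net30 /etc/openvpn/ccd 10.8.0
#   server_conf net30 10.8.0 >> /etc/openvpn/server.conf
```

Because a datacenter host that is not running OpenVPN has to reach these addresses, the fixed assignment is what makes the firewall and routing rules on the concentrator stable: a box keeps its address across reconnects, so rules can be written per box rather than per session.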