From: Lonnie A. <li...@lo...> - 2007-02-14 03:20:32
Kristian,

First, my OpenVPN experience is a total of the last two weeks; so, with that in mind...

Yes, I think OpenVPN will solve your problem.

Until Darrick has a chance to look at my openvpn changes in AstLinux, you might look at:

/etc/init.d/openvpn
http://lonnie.abelbeck.com/share/openvpn2.txt

which allows you to specify a text file /mnt/kd/openvpn/openvpn.conf that overrides any rc.conf openvpn settings.

The 'clients' should be straightforward.
http://openvpn.net/howto.html#client

The 'server' requires a non-overlapping virtual network (usually private) for the openvpn clients. It would be up to you to route these private addresses to the proper places in the data center.
http://openvpn.net/howto.html#server

The 'server' config would probably use the "client-config-dir ccd" command to specify each of the clients' virtual IP address, cert/key, route, etc.

You should be able to create a test-bed with AstLinux at each end, one with openvpn set as a server and the other as an openvpn client. The key is getting the routing correct.

To start with, you might want to make your AstLinux OpenVPN server openvpn only (no asterisk), route with an external firewall, and use asterisk with another AstLinux box. This mimics your data center situation better and makes testing easier.

Lonnie

On Feb 13, 2007, at 4:49 PM, Kristian Kielhofner wrote:

> Hey everyone,
>
> OpenVPN - looks very cool, I'm glad that AstLinux has it.
>
> I have a problem that looks like it could be solved with the
> appropriate VPN. OpenVPN looks like it can probably do it for me.
>
> Here is what I need to do:
>
> Many boxes are behind NAT. Each box has several services that need
> to be accessed by a few remote systems that are all on the same
> network (probably a dedicated VLAN) in a datacenter. By many boxes I
> mean hundreds, thousands, etc.
>
> Here is what I think I need:
>
> - openvpn on each box with public key authentication (I don't want to
> have to deal with passwords)
>
> - openvpn "concentrator" doing routing/firewalling/etc in the
> datacenter
>
> The "kick" is I need the openvpn concentrator to hand out unique IP
> addresses that are routable (at least within my VLAN in the
> datacenter - maybe by proxyarp) to each client as it connects.
> Multiple machines on that VLAN (not running openvpn) must be able to
> access the remote IP addresses without any extra software or
> configuration.
>
> Can openvpn do this? What extra rc.conf values will I need?
> Thanks!
>
> --
> Kristian Kielhofner
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
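Added example, not part of the original thread or of AstLinux: one way to generate the per-client files that "client-config-dir ccd" reads, giving each certificate Common Name a fixed virtual IP and refusing a pool that overlaps the data center network. It assumes OpenVPN's `topology subnet` mode, where `ifconfig-push` takes an address and a netmask; the networks and client names are constructed sample values.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample values; none of them come from the original thread.
VPN_POOL = "10.8.0.0/22"          # virtual network for the OpenVPN clients
DATACENTER_VLAN = "10.20.0.0/24"  # existing network the pool must not overlap
SAFE_CN = re.compile(r"^[A-Za-z0-9_.-]+$")


def plan_ccd(pool, existing, common_names):
    """Map each certificate Common Name to one fixed 'ifconfig-push' line."""
    pool_net = ipaddress.ip_network(pool)
    for other in existing:
        if pool_net.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{pool} overlaps {other}")
    if len(set(common_names)) != len(common_names):
        raise ValueError("duplicate Common Name")
    hosts = iter(pool_net.hosts())
    next(hosts)  # first host address is taken by the server itself
    plan = {}
    for cn in common_names:
        # The CN becomes a file name, so refuse anything that could leave ccd/.
        if not SAFE_CN.match(cn) or cn in (".", ".."):
            raise ValueError(f"unsafe Common Name: {cn!r}")
        try:
            addr = next(hosts)
        except StopIteration:
            raise ValueError("pool too small for the client list") from None
        plan[cn] = f"ifconfig-push {addr} {pool_net.netmask}"
    return plan


def write_ccd(plan, ccd_dir):
    """Write one file per client, named after its Common Name."""
    ccd = Path(ccd_dir)
    ccd.mkdir(parents=True, exist_ok=True)
    for cn, line in plan.items():
        (ccd / cn).write_text(line + "\n")


if __name__ == "__main__":
    sample = plan_ccd(VPN_POOL, [DATACENTER_VLAN], ["box0001", "box0002"])
    for cn, line in sample.items():
        print(f"ccd/{cn}: {line}")
```

Pairing the generated directory with the `ccd-exclusive` server directive makes the server refuse any client that has no ccd file, so every connected box has a known, fixed address.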