From: Kari M. <kar...@tr...> - 2006-04-04 18:13:26
cdmiller wrote:
> darkwing d wrote:
>> Hello all!
>>
>> We are searching for a reliable and secure solution to implement a vpn
>> solution for our company.
>> I came across with devil-linux and i'm enthusiastic so far.
>> ... and here comes my question:
>>
>> We want to use OpenVPN with X509 certificate authentication.
>> System + etc should reside on the cd image.
>> Does it make sense (or is it even possible) to store the client certs on
>> a hd ( we would prefer a cf card),
>> to get the possibility to add/revoke client certs without being forced
>> to build a new cd image.
>> Maybe this is violating the fundamental idea of dl?
>>
>> is there a better solution? any suggestions would be helpful.
>> thanks in advance!
>>
>> d.
>
> Place the system on the CD, and /etc on a writable hot pluggable
> removable media, like CF or USB. Every time you make a change, plug in
> the media and do a save-config. Remove and lock up the media when done.

...or if you like, http://www.pqi.com.tw/product.asp?cate1=5
PQI's DiskOnModule. It is attached directly to IDE cable/connector and
acts as an IDE HD. Technologically it seems to be flash memory, i.e. same
as USB keys and CF.

Anyway, store your root certificate (chain), OpenVPN server
cert+priv.key into /etc/openvpn, and quite easily off you go..

You can do just about anything with OpenVPN, it is just simpler than
IP-VPN (IPSec).

Please find below an example working OpenVPN configuration for a
bridging connection. By using bridging your clients will get IP number
from your LAN and behave exactly as if they were in the local LAN:

# /etc/openvpn/bridging-server.conf
# Bridging connections, so tap0 will be used instead of tun0.
# OpenVPN shares IPs 10.10.10.200-10.10.10.249.
# See 'server-bridge' line below for the IP shares from this server.
dev tap0
tls-server
mode server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ifconfig-pool-persist ipp.txt
server-bridge 10.10.10.1 255.255.255.0 10.10.10.200 10.10.10.249
push "route-gateway 10.10.10.1"
# push default gateway to clients
push "redirect-gateway"
push "dhcp-option DNS 10.10.10.10"
push "dhcp-option DNS 10.10.10.11"
push "dhcp-option WINS 10.10.10.10"
push "dhcp-option DOMAIN company.local"
# generate dh: openssl dhparam -out dh1024.pem 1024
dh dh1024.pem
ca CAcerts.pem # Here is the root (and intermediate) cert(s)
cert openvpn.company.com.crt
key openvpn.company.com-no-password.key
crl-verify internalCA02.crl # verify the client certs for validity
# generate ta: openvpn --genkey --secret ta.key
# * client=1, server=0
tls-auth ta.key 0 # enable even better security
comp-lzo # compress the tunnel traffic
max-clients 50
user nobody
group nogroup
persist-key # the tunnel shall be on for ever
persist-tun # the tunnel shall be on for ever
keepalive 10 120 #..ping every 10 sec; 120 sec silence = client is down
#status /var/log/openvpn-status.log # optional logging
# default logging is to syslog; these are alternatives
#log /var/log/openvpn.log
#log-append /var/log/openvpn.log
# log verbosity: 0=silent .. 9=extremely verbose
verb 3
mute 6

> - cameron

Terveisin/With kind regards/Med hälsningar/Lugupidamisega,
Kari Mattsson
Trivore Corp.
--
http://trivore.com/
tel:+358-50-69000
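As an added example (not from the original post, and not part of Devil-Linux or OpenVPN itself): a small audit script that parses an OpenVPN server config in the style of the bridging config above and reports whether the hardening settings the post relies on are present and sane: a control-channel HMAC (tls-auth, key direction 0 on the server), crl-verify so revoked client certs are rejected, privilege drop with user/group, persist-key/persist-tun so the daemon survives a restart after dropping privileges, and DH parameters that are not the old 1024-bit size. The config text embedded in the script is a constructed sample, and the parser follows OpenVPN's comment rules (a token starting with `#` or `;` begins a comment); it is not OpenVPN's own parser.

```python
# Added example: audit an OpenVPN server config for the hardening
# directives discussed in the post. Not OpenVPN's own code.
import shlex
from typing import Dict, List, Tuple

# Constructed sample config, modelled on the bridging config above.
SAMPLE_CONF = """\
# constructed sample; paths and IPs are placeholders
dev tap0
tls-server
mode server
server-bridge 10.10.10.1 255.255.255.0 10.10.10.200 10.10.10.249
push "redirect-gateway"
dh dh1024.pem
ca CAcerts.pem   # root and intermediate certs
cert openvpn.company.com.crt
key openvpn.company.com-no-password.key
crl-verify internalCA02.crl   # reject revoked client certs
tls-auth ta.key 0
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
"""


def parse_openvpn_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs. Quotes are honoured and a token
    beginning with '#' or ';' starts a comment, as OpenVPN does."""
    result: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.commenters = "#;"
        lex.whitespace_split = True
        tokens = list(lex)
        if tokens:
            result.append((tokens[0], tokens[1:]))
    return result


def audit_server_conf(text: str) -> Dict[str, str]:
    """Return a mapping of directive -> finding. Empty dict means no findings."""
    present: Dict[str, List[List[str]]] = {}
    for name, args in parse_openvpn_conf(text):
        present.setdefault(name, []).append(args)

    findings: Dict[str, str] = {}

    # Control channel HMAC: tls-auth (or the newer tls-crypt) should be set,
    # and with tls-auth the server side uses key direction 0.
    if "tls-auth" not in present and "tls-crypt" not in present:
        findings["tls-auth"] = "missing: TLS control channel has no HMAC protection"
    elif "tls-auth" in present:
        args = present["tls-auth"][0]
        if len(args) < 2 or args[1] != "0":
            findings["tls-auth"] = "server must use key direction 0 (clients use 1)"

    # Revocation: without crl-verify a revoked client cert is still accepted.
    if "crl-verify" not in present:
        findings["crl-verify"] = "missing: revoked client certificates would still authenticate"

    # Privilege drop after startup.
    for directive in ("user", "group"):
        if directive not in present:
            findings[directive] = f"missing: daemon keeps root privileges ({directive} not set)"

    # After dropping privileges the key and tun/tap device cannot be
    # re-opened on SIGUSR1/keepalive restarts unless these are set.
    for directive in ("persist-key", "persist-tun"):
        if directive not in present:
            findings[directive] = f"missing: {directive} needed once user/group are dropped"

    # DH parameters: required in server mode; 1024-bit is weak today.
    if "dh" not in present:
        findings["dh"] = "missing: server mode needs DH parameters"
    elif "1024" in present["dh"][0][0]:
        findings["dh"] = "1024-bit DH parameters are weak; generate 2048-bit or larger"

    return findings


if __name__ == "__main__":
    for directive, finding in sorted(audit_server_conf(SAMPLE_CONF).items()):
        print(f"{directive}: {finding}")
```

Run it against a real server config by replacing SAMPLE_CONF with the file contents; the only finding on the sample is the 1024-bit DH file, which the post's `openssl dhparam` line generates.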