eurephia-users Mailing List for eurephia
From: David S. <da...@eu...> - 2016-11-06 22:55:48
|
On 06/11/16 15:47, jia...@gm... wrote:
> Dear David Sommerseth,
> How are you doing? Sorry to interrupt you.

Hi,

first of all do not add such a broad list of recipients. Choose the best
matching mailing list as a starting point. In this case, the eurephia-users
mailing list is the appropriate channel.

> I ran into a eurephia command issue. You can see the detailed information
> below. When I input the command "eurephiadm certs --add --depth 1 --certfile
> /etc/openvpn/ca.crt" to register the OpenVPN CA certificate, it just showed
> "User:". Is this some kind of bug? The eurephiadm version is v1.1.0.
>
> linux-2jsj:/etc/openvpn # eurephiadm certs --add --depth 1 --certfile /etc/openvpn/ca.crt
> User:

When you initialize eurephia, you create an admin user account. This user
account is what is needed in this case. So when it asks for "User:", it means
it wants the admin user name you created. Once this is provided, it will ask
for the password.

Please read through the initialization part of eurephia more carefully:

<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/initcfg_init_eurephia.html>
<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/ch04s03s02.html>

I see that the documentation can probably better describe the admin account
and the login process which will happen. I'll add that to the TODO list and
get it done at some point.

The reason eurephia asks for this is to make eurephia ready for some larger
changes in the future, where it will support running these admin tools
remotely from the database and probably also an "admin server" not running
directly on the OpenVPN server. When this will happen depends on when I'll
get some time available to hack on it.

--
kind regards,
David Sommerseth
|
From: <jia...@gm...> - 2016-11-06 14:47:25
|
Dear David Sommerseth,
How are you doing? Sorry to interrupt you. I ran into a eurephia command issue. You can see the detailed information below. When I input the command "eurephiadm certs --add --depth 1 --certfile /etc/openvpn/ca.crt" to register the OpenVPN CA certificate, it just showed "User:". Is this some kind of bug? The eurephiadm version is v1.1.0.
linux-2jsj:/etc/openvpn # eurephiadm certs --add --depth 1 --certfile /etc/openvpn/ca.crt
User:
linux-2jsj:/etc/openvpn # eurephiadm users --help
User:
linux-2jsj:/etc/openvpn # eurephiadm --version
eurephiadm (v1.1.0) - eurephia administration utility
Copyright (C) 2008-2012 David Sommerseth <da...@us...>
linux-2jsj:/etc/openvpn #
|
|
From: David S. <da...@eu...> - 2015-03-02 17:23:45
|
Hi Steven,
This is an interesting use case, and I would say that it is most likely
that eurephia to quite some extent can help you achieve this goal. But
it will require some additional tricks.
On 28/02/15 16:00, Steven Anderson wrote:
> Sorry fat fingered that and message was sent early.
>
> I would like group B users to share a virtual lan
> same for groups C, and D
>
> At the same time I want to make sure group A can not see group B, and vice
> versa
> same with all the other groups.
This should be doable, with some clever iptables rules. But you will
most likely need to use more advanced netfilter features, such as MARK,
to mark packets with the group they belong to.
> I want to use google 2 factor authentication
The currently stable release of eurephia (v1.1.x) does not support other
authentication methods than the SQLite based one. The reason for this
is that you have first the certificate authentication, then you have
username/password authentication where the username must be "linked" to
a certificate. In addition, you can add --tls-auth for further enhanced
security. The only aspect this security approach does not protect well
against (which 2FA can to a higher degree), is lost devices - where
certificate and --tls-auth keying material is lost.
Having that said, some work on a more flexible authentication
integration with eurephia is on the way. The latest git master [1]
should have all the needed pieces to implement other authentication
schemes, such as Google's 2FA. The framework in git master is there,
but not very well tested.
There exist three different examples in the source tree for such
external authentication.
a) auth/dummy
This is the most minimalistic one and should never be used in
production. But provides an overview of what is needed to
implement this.
b) auth/flatfile
A simple authentication plug-in using simple flat-files, similar
to passwd/shadow.
c) auth/socket
A more advanced approach, doing the authentication to a
unix based socket server. This server can be whatever, as
long as it speaks the proper "protocol".
With these examples, I believe it is quite obvious that it should be
possible to implement other forms of authentication methods as well.
Right now my time is scarce, so I would struggle a lot to find time
to implement a 2FA module (I'd personally love to see yubikey support,
but that's another topic). But I'm more than willing to review and
apply patches which look good!
It's been a while since I played with the admin side of eurephia. So
some minor details might be missing here to fully control the setup.
If you stumble upon something in this area, I'll definitely step up and
fix that.
[1] <http://sourceforge.net/p/eurephia/eurephia/ci/master/tree/>
> Both Eurephia and Google 2 factor authentication are installed in
> OpenVPN-AS (on Amazon cloud appliance) but I find no configuration files
> for Eurephia or a database associated with it. Things seem to be in
> different places on OpenVPN-AS and the standard Eurephia configuration
> directory seems to exist but is empty. Can someone point me to a doc which
> might put me in the right direction for setting up and configuring Eurephia
> on this platform. None of the standard documents seem to apply directly to
> openvpn-as, since nothing is in the standard places.
How did you install eurephia? What base distro do you use?
Remember that you will need to locate the template database and run
'eurephia_init' to initialize and prepare the database for your setup.
This process is described here:
<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-InitialConfig_Chapter.html>
Generally a eurephia setup only requires the eurephia-auth.so,
edb-sqlite.so and efw-iptables.so binaries (the plugins) and the
database which normally should be found under /var/lib/eurephia. For
external authentication methods, the corresponding .so module must also
be made available. The admin interface is done via the 'eurephiadm'
command, which depends on some XSLT files to be fully functional.
The OpenVPN part of the configuration is just a single 'plugin'
statement in the OpenVPN configuration file.
I hope this provides some good clues where to go next.
--
kind regards,
David Sommerseth
> On Sat, Feb 28, 2015 at 9:53 AM, Steven Anderson <wan...@gm...>
> wrote:
>
>> Hi!
>>
>> I am setting up a proof of concept instance of a private VPN service for a
>> particular end.
>>
>> As an example of what I am trying to do:
>>
>> I have 26 users: A-Z
>> and groups A-F
>>
>> Users A,B,C,D are in group A
>> Users E,F,G,H are in group B
>> Users I,J,K,L are in group C
>> Users M,N,O,P are in group D
>> etc
>>
>> I would like group A to be able to do client to client connections (occupy
>> the same virtual lan)
>> I would like group B
|
|
From: Steven A. <wan...@gm...> - 2015-02-28 15:00:46
|
Sorry, fat fingered that and the message was sent early.

I would like group B users to share a virtual LAN, same for groups C and D.
At the same time I want to make sure group A can not see group B, and vice
versa, same with all the other groups.

I want to use Google 2 factor authentication.

Both Eurephia and Google 2 factor authentication are installed in OpenVPN-AS
(on Amazon cloud appliance) but I find no configuration files for Eurephia or
a database associated with it. Things seem to be in different places on
OpenVPN-AS and the standard Eurephia configuration directory seems to exist
but is empty. Can someone point me to a doc which might put me in the right
direction for setting up and configuring Eurephia on this platform. None of
the standard documents seem to apply directly to openvpn-as, since nothing is
in the standard places.

Help is appreciated!

regards,
Steven

On Sat, Feb 28, 2015 at 9:53 AM, Steven Anderson <wan...@gm...> wrote:
> Hi!
>
> I am setting up a proof of concept instance of a private VPN service for a
> particular end.
>
> As an example of what I am trying to do:
>
> I have 26 users: A-Z
> and groups A-F
>
> Users A,B,C,D are in group A
> Users E,F,G,H are in group B
> Users I,J,K,L are in group C
> Users M,N,O,P are in group D
> etc
>
> I would like group A to be able to do client to client connections (occupy
> the same virtual LAN)
> I would like group B
|
From: Steven A. <wan...@gm...> - 2015-02-28 14:53:40
|
Hi!

I am setting up a proof of concept instance of a private VPN service for a
particular end.

As an example of what I am trying to do:

I have 26 users: A-Z
and groups A-F

Users A,B,C,D are in group A
Users E,F,G,H are in group B
Users I,J,K,L are in group C
Users M,N,O,P are in group D
etc

I would like group A to be able to do client to client connections (occupy
the same virtual LAN)
I would like group B
|
From: David S. <da...@us...> - 2013-10-22 14:39:22
|
On 22/10/13 15:55, medtemo wrote:
> I have some problems with eurephia.
> my environment is:
>
> openvpn 2.3.2
> eurephia 1.1.0
>
> I configured eurephia and openvpn as in the eurephia documentation but
> when I connect a client this error message appeared:
>
> ** WARNING ** [0] Unknown certificate for: // (depth 1, digest: 97:b8:be
>
> openvpn --version
> OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
>
> eurephiadm buildinfo
> * Generic information *
> Version: 1.1.0
>
> When I downgraded the OpenVPN version to 2.2.2 but left the config as
> before, everything is OK.

Hi,

Yeah, this is a known issue. In OpenVPN 2.3 the certificate info strings
changed to comply with a better formatting. Unfortunately eurephia doesn't
support that format right now. But there's a config workaround you can
apply.

If you apply --compat-names to your OpenVPN server config, it will use the
same formatting earlier OpenVPN versions used.

This workaround is only temporary. I have written some code to use a newer
OpenVPN plug-in API which will get access to the certificate directly.
Unfortunately I haven't had time to test this code well enough to put it in
a release yet. But this fix is coming.

--
kind regards,
David Sommerseth
|
From: medtemo <me...@gm...> - 2013-10-22 13:55:42
|
I have some problems with eurephia.
my environment is:
openvpn 2.3.2
eurephia 1.1.0
I configured eurephia and openvpn as in the eurephia documentation
but when I connect a client this error message appeared:
** WARNING ** [0] Unknown certificate for: // (depth 1, digest: 97:b8:be
openvpn --version
OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
[PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
eurephiadm buildinfo
* Generic information *
Version: 1.1.0
When I downgraded the OpenVPN version to 2.2.2 but left the config as before,
everything is OK.
|
|
From: Nikola R. <nkl...@gm...> - 2013-09-15 17:51:23
|
Dear community,

I am totally new to OpenVPN. Before I try eurephia I had tried to install an
OpenVPN server on Debian Wheezy and the OpenVPN GUI client on Windows 7.
Please note that OpenVPN GUI returns failure messages whilst trying to connect
to the server. What could be the cause of my error?

Kindly note all configuration files as screenshots in the attachment.
Furthermore, my home router, which is in front of the server, has its
firewall disabled.

Kind regards,
Nikola Radakovic
Bilogorska 14, 31000 Osijek, Croatia
|
From: David S. <da...@us...> - 2013-01-14 16:26:53
|
On 13/01/13 17:16, ap...@gm... wrote:
> Hi
>
> Thanks it works now I use user nobody and group nobody. I did
>
> chown nobody:nobody /var/lib/eurephia
> chmod 775 /var/lib/eurephia
> chown nobody:nobody /var/chroot/openvpn/var/lib/eurephia
> chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> I also created
> mkdir -p /var/chroot/openvpn/tmp
> chmod 775 /var/chroot/openvpn/tmp
>
> And now Windows clients with the OpenVPN Windows GUI can connect and it works
> great for them, I just add
> auth-user-pass in the users' config.
Great to hear! Your modifications make sense too, so this looks correct.
> But I have faced another problem. The Linux VPN server which is configured as
> a client can't authenticate with the OpenVPN server because Eurephia is enabled.
> I have to disable Eurephia temporarily to make things work again.
>
> How to provide username and password to Eurephia for the VPN server which
> connects automatically at boot?
> Can I put them (pass/username) into the client.config?
Yes, this is possible, just a little bit different from what you are guessing. If you check the man page for openvpn ('man openvpn' on the command line) and search for '--auth-user-pass' (type '/--auth-user-pass' without quotes, use the [n] key to go to the next match) ... then you'll find this paragraph:
--------------------------------------------------------------------------
--auth-user-pass [up]
Authenticate with server using username/password. up is a file
containing username/password on 2 lines (Note: OpenVPN will only
read passwords from a file if it has been built with the
--enable-password-save configure option, or on Windows by defin-
ing ENABLE_PASSWORD_SAVE in win/settings.in).
If up is omitted, username/password will be prompted from the
console.
--------------------------------------------------------------------------
So that's all which is needed in your client configuration.
--
kind regards,
David Sommerseth
> -----Original message-----
> From: David Sommerseth
> Sent: Wednesday, January 09, 2013 8:19 PM
> To: ap...@gm...
> Cc: eur...@li...
> Subject: Re: Could not register sessionkey
>
> On 09/01/13 15:32, ap...@gm... wrote:
>> Hi
>>
>> My problem is how to set proper permissions and for which user? Shall
>> I use user openvpn and set permissions for openvpn to write in the
>> chrooted directory?
>>
>> Openvpn is chrooted in /var/chroot/openvpn
>
> Okay, so now you switched to chroot? You said in your earlier mail
> that you didn't use chroot. So please make up your mind here.
>
>> Eurephia database is located in cd /var/lib/eurephia/
>
> *IF* you are also using chroot, you need to have this directory as well:
>
> /var/chroot/openvpn/var/lib/eurephia
>
> Then ensure that this directory *and* /var/lib/eurephia is owned by
> the user OpenVPN is running as. If you are using 'user openvpn' or
> 'group openvpn' in your configuration file, or see that these have
> been added to the command line (ps faxuww) ... then this command line
> will do the magic:
>
> # chown openvpn:openvpn /var/lib/eurephia
> # chmod 775 /var/lib/eurephia
> # chown openvpn:openvpn /var/chroot/openvpn/var/lib/eurephia
> # chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> The first two lines give the openvpn user and group read/write access
> to /var/lib/eurephia. The next two lines do the same, but to the
> chrooted directory.
>
>> Here is log from openvpn.log
>>
>> 2013-01-09 14:58:30 CET] -- INFO -- [1] Found certid 1 for user: nnnnnn/nnnnnn_CA/in...@nn...
>> Wed Jan 9 13:58:30 2013 xxx.xxx.xxx.x:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/xxx...@xx...
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx CRL CHECK OK: /C=SI/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
>> [2013-01-09 13:58:30 UTC] -- INFO -- [0] Found certid 2 for user: xxxxxx/xxxxxx1/xx...@xx...
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=0, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx1/ema...@xx...
>> VERIFY OK: depth=0, /C=XX/L=XXXXX/O=YYY/CN=yyyyy/ema...@yy...
>
> All these lines look very good and promising!
>
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx Could not create temporary file '/tmp/openvpn_acf_3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.tmp': Permission denied
>
> You probably need to create /var/chroot/openvpn/tmp ... and make sure
> openvpn has full read/write access to that new tmp directory as well.
> I presume here that you *do* use chroot.
>
>
> kind regards,
>
> David Sommerseth
>
>
>> -----Original message----- From: David Sommerseth Sent: Wednesday,
>> January 09, 2013 1:08 PM To: ap...@gm... Cc:
>> eur...@li... Subject: Re: Could not
>> register sessionkey
>>
>> On 05/01/13 17:00, ap...@gm... wrote:
>>> Hi
>>>
>>> I am not using chroot.
>>>
>>> Regarding the problem about write permission I don't know to
>>> which user to set write permission. OpenVPN drops root privileges
>>> after initialization with command user nobody. I have database
>>> in /var/lib/eurephia.
>>>
>>> Can you please advise how to go further and correctly set write
>>> permissions
>>
>> Please ensure that the /var/lib/eurephia directory is writeable
>> for the user OpenVPN is running as. The database file must also
>> be writeable for the OpenVPN user as well. So make sure that the
>> ownership of both the directory and the database file are set
>> accordingly.
>>
>> Also be sure that you have copied the eurephiadb-template to
>> eurephiadb and have run the eurephia_init program against this
>> database. If you are able to use eurephiadm successfully, that's
>> a good start. F.ex. if you can run this command:
>>
>> $ eurephiadm users -l
>>
>> If you cannot do that, then you need to initialise your
>> installation using the eurephia_init program. This should all be
>> pretty well explained in the documentation.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>>
>>
>>> -----Original message----- From: David Sommerseth Sent:
>>> Wednesday, January 02, 2013 11:24 AM To: ap...@gm... Cc:
>>> eur...@li... Subject: Re:
>>> [eurephia-users] Please help, error: Could not register
>>> sessionkey
>>>
>>> On 30/12/12 19:26, ap...@gm... wrote:
>>>> Hi
>>>>
>>>> I have installed eurephia and have a problem with registering
>>>> user.
>>>>
>>>> Openvpn is working and users can connect if I disable plugin
>>>> in openvpn.config.
>>>>
>>>> With plugin enabled I get an error in openvpn log:
>>>>
>>>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
>>>> ** - FATAL - ** [0] Could not register sessionkey
>>>> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
>>>> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
>>>> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>>>>
>>>> I could not find anything on internet what could help to solve
>>>> the error.
>>>
>>> Hi Toni,
>>>
>>> Please read the following section carefully, especially the
>>> yellow/orange block.
>>>
>>> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>>>
>>> I don't know if you use chroot or not. But it might be that
>>> even though you don't use chroot, that openvpn/eurephia doesn't
>>> have the proper access to create the .jnl file as well. So
>>> please ensure openvpn/eurephia is allowed to create temporary
>>> files in the directory where the database file resides.
>>>
>>> Please keep us updated if this helped, and I'll make sure to
>>> update the documentation as well.
>>>
>>>
>>> kind regards,
>>>
>>> David Sommerseth
|
|
From: <ap...@gm...> - 2013-01-13 16:16:59
|
Hi

Thanks, it works now. I use user nobody and group nobody. I did

chown nobody:nobody /var/lib/eurephia
chmod 775 /var/lib/eurephia
chown nobody:nobody /var/chroot/openvpn/var/lib/eurephia
chmod 775 /var/chroot/openvpn/var/lib/eurephia

I also created

mkdir -p /var/chroot/openvpn/tmp
chmod 775 /var/chroot/openvpn/tmp

And now Windows clients with the OpenVPN Windows GUI can connect and it works
great for them, I just add
auth-user-pass in the users' config.

But I have faced another problem. The Linux VPN server which is configured as
a client can't authenticate with the OpenVPN server because Eurephia is enabled.
I have to disable Eurephia temporarily to make things work again.

How to provide username and password to Eurephia for the VPN server which
connects automatically at boot?
Can I put them (pass/username) into the client.config?

Regards,
Anton

-----Original message-----
From: David Sommerseth
Sent: Wednesday, January 09, 2013 8:19 PM
To: ap...@gm...
Cc: eur...@li...
Subject: Re: Could not register sessionkey

On 09/01/13 15:32, ap...@gm... wrote:
> Hi
>
> My problem is how to set proper permissions and for which user? Shall
> I use user openvpn and set permissions for openvpn to write in the
> chrooted directory?
>
> Openvpn is chrooted in /var/chroot/openvpn

Okay, so now you switched to chroot? You said in your earlier mail
that you didn't use chroot. So please make up your mind here.

> Eurephia database is located in cd /var/lib/eurephia/

*IF* you are also using chroot, you need to have this directory as well:

/var/chroot/openvpn/var/lib/eurephia

Then ensure that this directory *and* /var/lib/eurephia is owned by
the user OpenVPN is running as. If you are using 'user openvpn' or
'group openvpn' in your configuration file, or see that these have
been added to the command line (ps faxuww) ... then this command line
will do the magic:

# chown openvpn:openvpn /var/lib/eurephia
# chmod 775 /var/lib/eurephia
# chown openvpn:openvpn /var/chroot/openvpn/var/lib/eurephia
# chmod 775 /var/chroot/openvpn/var/lib/eurephia

The first two lines give the openvpn user and group read/write access
to /var/lib/eurephia. The next two lines do the same, but to the
chrooted directory.

> Here is log from openvpn.log
>
> 2013-01-09 14:58:30 CET] -- INFO -- [1] Found certid 1 for user: nnnnnn/nnnnnn_CA/in...@nn...
> Wed Jan 9 13:58:30 2013 xxx.xxx.xxx.x:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/xxx...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx CRL CHECK OK: /C=SI/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
> [2013-01-09 13:58:30 UTC] -- INFO -- [0] Found certid 2 for user: xxxxxx/xxxxxx1/xx...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=0, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx1/ema...@xx...
> VERIFY OK: depth=0, /C=XX/L=XXXXX/O=YYY/CN=yyyyy/ema...@yy...

All these lines look very good and promising!

> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx Could not create temporary file '/tmp/openvpn_acf_3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.tmp': Permission denied

You probably need to create /var/chroot/openvpn/tmp ... and make sure
openvpn has full read/write access to that new tmp directory as well.
I presume here that you *do* use chroot.

kind regards,

David Sommerseth

> -----Original message----- From: David Sommerseth Sent: Wednesday,
> January 09, 2013 1:08 PM To: ap...@gm... Cc:
> eur...@li... Subject: Re: Could not
> register sessionkey
>
> On 05/01/13 17:00, ap...@gm... wrote:
>> Hi
>>
>> I am not using chroot.
>>
>> Regarding the problem about write permission I don't know to
>> which user to set write permission. OpenVPN drops root privileges
>> after initialization with command user nobody. I have database
>> in /var/lib/eurephia.
>>
>> Can you please advise how to go further and correctly set write
>> permissions
>
> Please ensure that the /var/lib/eurephia directory is writeable
> for the user OpenVPN is running as. The database file must also
> be writeable for the OpenVPN user as well. So make sure that the
> ownership of both the directory and the database file are set
> accordingly.
>
> Also be sure that you have copied the eurephiadb-template to
> eurephiadb and have run the eurephia_init program against this
> database. If you are able to use eurephiadm successfully, that's
> a good start. F.ex. if you can run this command:
>
> $ eurephiadm users -l
>
> If you cannot do that, then you need to initialise your
> installation using the eurephia_init program. This should all be
> pretty well explained in the documentation.
>
> kind regards,
>
> David Sommerseth
>
>> -----Original message----- From: David Sommerseth Sent:
>> Wednesday, January 02, 2013 11:24 AM To: ap...@gm... Cc:
>> eur...@li... Subject: Re:
>> [eurephia-users] Please help, error: Could not register
>> sessionkey
>>
>> On 30/12/12 19:26, ap...@gm... wrote:
>>> Hi
>>>
>>> I have installed eurephia and have a problem with registering
>>> user.
>>>
>>> Openvpn is working and users can connect if I disable plugin
>>> in openvpn.config.
>>>
>>> With plugin enabled I get an error in openvpn log:
>>>
>>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
>>> ** - FATAL - ** [0] Could not register sessionkey
>>> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
>>> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
>>> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>>>
>>> I could not find anything on internet what could help to solve
>>> the error.
>>
>> Hi Toni,
>>
>> Please read the following section carefully, especially the
>> yellow/orange block.
>>
>> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>>
>> I don't know if you use chroot or not. But it might be that
>> even though you don't use chroot, that openvpn/eurephia doesn't
>> have the proper access to create the .jnl file as well. So
>> please ensure openvpn/eurephia is allowed to create temporary
>> files in the directory where the database file resides.
>>
>> Please keep us updated if this helped, and I'll make sure to
>> update the documentation as well.
>>
>> kind regards,
>>
>> David Sommerseth
|
From: David S. <da...@us...> - 2013-01-09 19:20:11
|
On 09/01/13 15:32, ap...@gm... wrote:
> Hi
>
> My problem is how to set proper permission and to which user? Shall
> I use user openvpn? and set permissions to openvpn to write in
> chrooted directory?
>
> Openvpn is chrooted in /var/chroot/openvpn

Okay, so now you switched to chroot? You said in your earlier mail that
you didn't use chroot. So please make up your mind here.

> Eurephia database is located in cd /var/lib/eurephia/

*IF* you are also using chroot, you need to have this directory as well:
/var/chroot/openvpn/var/lib/eurephia

Then ensure that this directory *and* /var/lib/eurephia is owned by the
user OpenVPN is running as. If you are using 'user openvpn' or 'group
openvpn' in your configuration file, or see that these have been added to
the command line (ps faxuww) ... then this command line will do the magic:

# chown openvpn:openvpn /var/lib/eurephia
# chmod 775 /var/lib/eurephia
# chown openvpn:openvpn /var/chroot/openvpn/var/lib/eurephia
# chmod 775 /var/chroot/openvpn/var/lib/eurephia

The first two lines give the openvpn user and group read/write access to
/var/lib/eurephia. The next two lines do the same, but to the chrooted
directory.

> Here is log from openvpn.log
>
> [2013-01-09 14:58:30 CET] -- INFO -- [1] Found certid 1 for user: nnnnnn/nnnnnn_CA/in...@nn...
> Wed Jan 9 13:58:30 2013 xxx.xxx.xxx.x:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/xxx...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx CRL CHECK OK: /C=SI/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/ema...@xx...
> [2013-01-09 13:58:30 UTC] -- INFO -- [0] Found certid 2 for user: xxxxxx/xxxxxx1/xx...@xx...
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=0, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx1/ema...@xx...
> VERIFY OK: depth=0, /C=XX/L=XXXXX/O=YYY/CN=yyyyy/ema...@yy...

All these lines look very good and promising!

> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx Could not create temporary file '/tmp/openvpn_acf_3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.tmp': Permission denied

You probably need to create /var/chroot/openvpn/tmp ... and make sure
openvpn has full read/write access to that new tmp directory as well. I
presume here that you *do* use chroot.

kind regards,

David Sommerseth

> -----Original message-----
> From: David Sommerseth
> Sent: Wednesday, January 09, 2013 1:08 PM
> To: ap...@gm...
> Cc: eur...@li...
> Subject: Re: Could not register sessionkey
>
> On 05/01/13 17:00, ap...@gm... wrote:
>> Hi
>>
>> I am not using chroot.
>>
>> Regarding the problem about write permission I don't know to
>> which user set write permission to. OpenVPN drops root privileges
>> after initialization with command user nobody. I have database
>> in /var/lib/eurephia.
>>
>> Can you please advise how to go further and correctly set write
>> permissions
>
> Please ensure that the /var/lib/eurephia directory is writeable
> for the user OpenVPN is running as. The database file must also
> be writeable for the OpenVPN user as well. So make sure that the
> ownership of both the directory and the database file are set
> accordingly.
>
> Also be sure that you have copied the eurephiadb-template to
> eurephiadb and have run the eurephia_init program against this
> database. If you are able to use eurephiadm successfully, that's
> a good start. F.ex. if you can run this command:
>
> $ eurephiadm users -l
>
> If you cannot do that, then you need to initialise your
> installation using the eurephia_init program. This should all be
> pretty well explained in the documentation.
>
> kind regards,
>
> David Sommerseth
>
>> -----Original message-----
>> From: David Sommerseth
>> Sent: Wednesday, January 02, 2013 11:24 AM
>> To: ap...@gm...
>> Cc: eur...@li...
>> Subject: Re: [eurephia-users] Please help, error: Could not register sessionkey
>>
>> On 30/12/12 19:26, ap...@gm... wrote:
>>> Hi
>>>
>>> I have installed eurephia and have a problem with registering
>>> user.
>>>
>>> Openvpn is working and users can connect if I disable plugin
>>> in openvpn.config.
>>>
>>> With plugin enabled I get an error in openvpn log:
>>>
>>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
>>> ** - FATAL - ** [0] Could not register sessionkey
>>> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
>>> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
>>> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>>>
>>> I could not find anything on internet what could help to solve
>>> the error.
>>
>> Hi Toni,
>>
>> Please read the following section carefully, especially the
>> yellow/orange block.
>>
>> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>>
>> I don't know if you use chroot or not. But it might be that
>> even though you don't use chroot, that openvpn/eurephia doesn't
>> have the proper access to create the .jnl file as well. So
>> please ensure openvpn/eurephia is allowed to create temporary
>> files in the directory where the database file resides.
>>
>> Please keep us updated if this helped, and I'll make sure to
>> update the documentation as well.
>>
>> kind regards,
>>
>> David Sommerseth
|
|
From: David S. <da...@us...> - 2013-01-09 12:08:24
|
On 05/01/13 17:00, ap...@gm... wrote:
> Hi
>
> I am not using chroot.
>
> Regarding the problem about write permission I don't know to which
> user set write permission to. OpenVPN drops root privileges after
> initialization with command user nobody. I have database in
> /var/lib/eurephia.
>
> Can you please advise how to go further and correctly set write
> permissions

Please ensure that the /var/lib/eurephia directory is writeable for the
user OpenVPN is running as. The database file must also be writeable for
the OpenVPN user as well. So make sure that the ownership of both the
directory and the database file are set accordingly.

Also be sure that you have copied the eurephiadb-template to eurephiadb
and have run the eurephia_init program against this database. If you are
able to use eurephiadm successfully, that's a good start. F.ex. if you
can run this command:

$ eurephiadm users -l

If you cannot do that, then you need to initialise your installation
using the eurephia_init program. This should all be pretty well explained
in the documentation.

kind regards,

David Sommerseth

> -----Original message-----
> From: David Sommerseth
> Sent: Wednesday, January 02, 2013 11:24 AM
> To: ap...@gm...
> Cc: eur...@li...
> Subject: Re: [eurephia-users] Please help, error: Could not register sessionkey
>
> On 30/12/12 19:26, ap...@gm... wrote:
>> Hi
>>
>> I have installed eurephia and have a problem with registering
>> user.
>>
>> Openvpn is working and users can connect if I disable plugin in
>> openvpn.config.
>>
>> With plugin enabled I get an error in openvpn log:
>>
>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
>> ** - FATAL - ** [0] Could not register sessionkey
>> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
>> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
>> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>>
>> I could not find anything on internet what could help to solve
>> the error.
>
> Hi Toni,
>
> Please read the following section carefully, especially the
> yellow/orange block.
>
> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>
> I don't know if you use chroot or not. But it might be that even
> though you don't use chroot, that openvpn/eurephia doesn't have
> the proper access to create the .jnl file as well. So please
> ensure openvpn/eurephia is allowed to create temporary files in the
> directory where the database file resides.
>
> Please keep us updated if this helped, and I'll make sure to
> update the documentation as well.
>
> kind regards,
>
> David Sommerseth
|
|
From: David S. <da...@us...> - 2013-01-02 10:42:41
|
On 30/12/12 19:26, ap...@gm... wrote:
> Hi
>
> I have installed eurephia and have a problem with registering user.
>
> Openvpn is working and users can connect if I disable plugin in
> openvpn.config.
>
> With plugin enabled I get an error in openvpn log:
>
> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
> ** - FATAL - ** [0] Could not register sessionkey
> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>
> I could not find anything on internet what could help to solve the
> error.

Hi Toni,

Please read the following section carefully, especially the
yellow/orange block.

<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>

I don't know if you use chroot or not. But it might be that even though
you don't use chroot, that openvpn/eurephia doesn't have the proper
access to create the .jnl file as well. So please ensure openvpn/eurephia
is allowed to create temporary files in the directory where the database
file resides.

Please keep us updated if this helped, and I'll make sure to update the
documentation as well.

kind regards,

David Sommerseth
|
|
From: <ap...@gm...> - 2012-12-30 18:26:56
|
Hi

I have installed eurephia and have a problem with registering user.

Openvpn is working and users can connect if I disable plugin in openvpn.config.

With plugin enabled I get an error in openvpn log:

[2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
** - FATAL - ** [0] Could not register sessionkey
[2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
[2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
[2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated

I could not find anything on internet what could help to solve the error.

Regards,
Toni
|
|
From: David S. <da...@us...> - 2012-11-05 17:37:53
|
Greetings,

Today the Fedora EPEL packages for Red Hat Enterprise Linux 5 and 6,
including Scientific Linux and CentOS, got pushed into the stable EPEL
trees. This means that installation on these platforms is now far
simpler. Just install the Fedora EPEL repository, and the rest is 'yum
install' operations.

For more information, see the Download page:
<http://www.eurephia.net/?download>

If there are any issues, don't hesitate getting in touch!

kind regards,

David Sommerseth
|
|
From: David S. <da...@us...> - 2012-10-09 09:40:51
|
eurephia v1.1.0 is finally released. Download it here:
<http://www.eurephia.net/?download>

This is the first major release since v1.0.1. The v1.1 code base has been
tested for a long time and has proven itself rock solid. So instead of
squeezing more features into the v1.1 release, let's push out what we got.

Important changes are:

* Support for TUN mode
* SQLite3 database driver overhauled, improved error handling and reporting
* SQLite3 admin reports will now use the local time zone instead of UTC/GMT
* efw-iptables driver improved with new API for communication from eurephia-auth
* Documentation updates
* Enhanced build checks on newer Linux platforms
* Several bug fixes in eurephiadm and eurephia_init

Fedora packages are being prepared and Fedora EPEL packages for Red Hat
Enterprise Linux, Scientific Linux and CentOS are in the pipe as well.

Users and administration documentation in HTML:
<http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/>

Users and administration documentation as PDF:
<http://www.eurephia.net/documentation/eurephia/1.1/pdf/Administrators_Tutorial_and_Manual/eurephia-1.1-Administrators_Tutorial_and_Manual-en-GB.pdf>

The developer documentation can be found here:
<http://www.eurephia.net/doxygen/eurephia-devel/>

kind regards,

David Sommerseth
|
|
From: Mumuney A. <abd...@go...> - 2012-05-16 12:08:52
|
Thanks a lot. You have made my day. On to reading OpenVPN.

Regards

On Wed, May 16, 2012 at 12:47 PM, David Sommerseth <da...@re...> wrote:
> On 16/05/12 13:36, Mumuney Abdlquadri wrote:
>> Thanks a lot David Sommerseth,
>>
>> I could have posted on OpenVPN forum but it is difficult to sign
>> up.
>
> Click on "New User Registration" here:
> <https://community.openvpn.net/pwm/private/Login>
>
>> Just to be clear; you are saying I can use OpenVPN to make sure
>> only computers from a particular firm can connect to a web
>> application hosted on a VPS.
>
> Well, that is one of the use cases a VPN can provide, yes. The concept
> of VPN is to create a secure network between computers and networks
> over an insecure link (the Internet).
>
> <http://en.wikipedia.org/wiki/VPN>
>
> So a VPN solution will by nature restrict access to network resources
> to only those with the VPN access. At least as long as the firewalls are
> properly configured.
>
> kind regards,
>
> David Sommerseth
>
>> On Wed, May 16, 2012 at 12:17 PM, David Sommerseth
>> <da...@re... <mailto:da...@re...>> wrote:
>>
>> On 16/05/12 12:00, Mumuney Abdlquadri wrote:
>>> Hi all,
>>>
>>> Great work and product you have here.
>>>
>>> I am new to network admin but not a dullard anyway. I am a
>>> software developer.
>>>
>>> I have a web app hosted on a VPS for law firms and wish to
>>> secure it so only computers from the firm can connect to the web
>>> app. I thought a VPN would do the trick. I made further search
>>> and found OpenVPN.
>>>
>>> My questions are;
>>>
>>> Is my assumption to use OpenVPN correct
>>>
>>> If no what options do I have?
>>
>> eurephia is an extension to OpenVPN. OpenVPN itself provides the
>> VPN tunnel, but the default authentication in OpenVPN is limited
>> to certificates only. The eurephia plug-in enhances the
>> authentication in OpenVPN by providing username/password checks
>> which need to match the client certificate the user is using.
>>
>>> If yes, Can someone please assist me with what I need to do to make
>>> OpenVPN work in my use case?
>>
>> I would start with this How-to first, to get to know OpenVPN
>> first.
>> <http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>
>>
>> Then I would read carefully through this how-to, and expand your
>> first setup to include PKI/TLS features (CA, certificates and key
>> files)
>>
>> <http://openvpn.net/index.php/open-source/documentation/howto.html>
>>
>> Or you can get yourself a copy of this excellent book:
>> <http://www.packtpub.com/openvpn-2-cookbook/book>
>>
>> This book can guide you through different configuration scenarios.
>>
>> When you have gotten this far, that you have a working OpenVPN
>> config using certificates and key files, then you can extend that
>> by adding eurephia - to make things even tighter.
>>
>> kind regards,
>>
>> David Sommerseth
|
|
From: David S. <da...@re...> - 2012-05-16 11:47:55
|
On 16/05/12 13:36, Mumuney Abdlquadri wrote:
> Thanks a lot David Sommerseth,
>
> I could have posted on OpenVPN forum but it is difficult to sign
> up.

Click on "New User Registration" here:
<https://community.openvpn.net/pwm/private/Login>

> Just to be clear; you are saying I can use OpenVPN to make sure
> only computers from a particular firm can connect to a web
> application hosted on a VPS.

Well, that is one of the use cases a VPN can provide, yes. The concept of
VPN is to create a secure network between computers and networks over an
insecure link (the Internet).

<http://en.wikipedia.org/wiki/VPN>

So a VPN solution will by nature restrict access to network resources to
only those with the VPN access. At least as long as the firewalls are
properly configured.

kind regards,

David Sommerseth

> On Wed, May 16, 2012 at 12:17 PM, David Sommerseth
> <da...@re... <mailto:da...@re...>> wrote:
>
> On 16/05/12 12:00, Mumuney Abdlquadri wrote:
>> Hi all,
>>
>> Great work and product you have here.
>>
>> I am new to network admin but not a dullard anyway. I am a
>> software developer.
>>
>> I have a web app hosted on a VPS for law firms and wish to
>> secure it so only computers from the firm can connect to the web
>> app. I thought a VPN would do the trick. I made further search
>> and found OpenVPN.
>>
>> My questions are;
>>
>> Is my assumption to use OpenVPN correct
>>
>> If no what options do I have?
>
> eurephia is an extension to OpenVPN. OpenVPN itself provides the
> VPN tunnel, but the default authentication in OpenVPN is limited
> to certificates only. The eurephia plug-in enhances the
> authentication in OpenVPN by providing username/password checks
> which need to match the client certificate the user is using.
>
>> If yes, Can someone please assist me with what I need to do to make
>> OpenVPN work in my use case?
>
> I would start with this How-to first, to get to know OpenVPN
> first.
> <http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>
>
> Then I would read carefully through this how-to, and expand your
> first setup to include PKI/TLS features (CA, certificates and key
> files)
>
> <http://openvpn.net/index.php/open-source/documentation/howto.html>
>
> Or you can get yourself a copy of this excellent book:
> <http://www.packtpub.com/openvpn-2-cookbook/book>
>
> This book can guide you through different configuration scenarios.
>
> When you have gotten this far, that you have a working OpenVPN
> config using certificates and key files, then you can extend that
> by adding eurephia - to make things even tighter.
>
> kind regards,
>
> David Sommerseth
|
|
From: Mumuney A. <abd...@go...> - 2012-05-16 11:36:36
|
Thanks a lot David Sommerseth,

I could have posted on OpenVPN forum but it is difficult to sign up.

Just to be clear; you are saying I can use OpenVPN to make sure only
computers from a particular firm can connect to a web application hosted
on a VPS.

I just need to read wide. Starting ...

Thanks

Regards.

On Wed, May 16, 2012 at 12:17 PM, David Sommerseth <da...@re...> wrote:
> On 16/05/12 12:00, Mumuney Abdlquadri wrote:
>> Hi all,
>>
>> Great work and product you have here.
>>
>> I am new to network admin but not a dullard anyway. I am a
>> software developer.
>>
>> I have a web app hosted on a VPS for law firms and wish to secure
>> it so only computers from the firm can connect to the web app. I
>> thought a VPN would do the trick. I made further search and found
>> OpenVPN.
>>
>> My questions are;
>>
>> Is my assumption to use OpenVPN correct
>>
>> If no what options do I have?
>
> eurephia is an extension to OpenVPN. OpenVPN itself provides the VPN
> tunnel, but the default authentication in OpenVPN is limited to
> certificates only. The eurephia plug-in enhances the authentication
> in OpenVPN by providing username/password checks which need to match
> the client certificate the user is using.
>
>> If yes, Can someone please assist me with what I need to do to make
>> OpenVPN work in my use case?
>
> I would start with this How-to first, to get to know OpenVPN first.
> <http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>
>
> Then I would read carefully through this how-to, and expand your first
> setup to include PKI/TLS features (CA, certificates and key files)
>
> <http://openvpn.net/index.php/open-source/documentation/howto.html>
>
> Or you can get yourself a copy of this excellent book:
> <http://www.packtpub.com/openvpn-2-cookbook/book>
>
> This book can guide you through different configuration scenarios.
>
> When you have gotten this far, that you have a working OpenVPN config
> using certificates and key files, then you can extend that by adding
> eurephia - to make things even tighter.
>
> kind regards,
>
> David Sommerseth
|
|
From: David S. <da...@re...> - 2012-05-16 11:18:07
|
On 16/05/12 12:00, Mumuney Abdlquadri wrote:
> Hi all,
>
> Great work and product you have here.
>
> I am new to network admin but not a dullard anyway. I am a
> software developer.
>
> I have a web app hosted on a VPS for law firms and wish to secure
> it so only computers from the firm can connect to the web app. I
> thought a VPN would do the trick. I made further search and found
> OpenVPN.
>
> My questions are;
>
> Is my assumption to use OpenVPN correct
>
> If no what options do I have?

eurephia is an extension to OpenVPN. OpenVPN itself provides the VPN
tunnel, but the default authentication in OpenVPN is limited to
certificates only. The eurephia plug-in enhances the authentication in
OpenVPN by providing username/password checks which need to match the
client certificate the user is using.

> If yes, Can someone please assist me with what I need to do to make
> OpenVPN work in my use case?

I would start with this How-to first, to get to know OpenVPN first.
<http://openvpn.net/index.php/open-source/documentation/miscellaneous/static-key-mini-howto.html>

Then I would read carefully through this how-to, and expand your first
setup to include PKI/TLS features (CA, certificates and key files)

<http://openvpn.net/index.php/open-source/documentation/howto.html>

Or you can get yourself a copy of this excellent book:
<http://www.packtpub.com/openvpn-2-cookbook/book>

This book can guide you through different configuration scenarios.

When you have gotten this far, that you have a working OpenVPN config
using certificates and key files, then you can extend that by adding
eurephia - to make things even tighter.

kind regards,

David Sommerseth
|
|
From: Mumuney A. <abd...@go...> - 2012-05-16 10:01:09
|
Hi all,

Great work and product you have here.

I am new to network admin but not a dullard anyway. I am a software developer.

I have a web app hosted on a VPS for law firms and wish to secure it so only computers from the firm can connect to the web app. I thought a VPN would do the trick. I made further search and found OpenVPN.

My questions are;

Is my assumption to use OpenVPN correct

If no what options do I have?

If yes, Can someone please assist me with what I need to do to make OpenVPN work in my use case?

Thanks for your time.

Regards.
|
|
From: Renaud <ma...@no...> - 2012-04-12 18:35:31
|
Dear all,

I'm a new user of the eurephia plugin and thank you for this excellent solution! Your solution is really powerful for a sysadmin and it's really easy to manage the rights for each user or group of users.

However in my final installation I plan to create a web GUI to permit self-care for my final users. To do it I'd like to know if it's possible to create a user with an empty password (bad) or send the password in a non-interactive way to eurephiadm? Or maybe another solution than eurephiadm for provisioning the database?

Thanks for your help,

Renaud
|
|
From: Leandro R. <lea...@dm...> - 2011-09-29 18:16:21
|
Dear David,

Thanks for your quick response, I can not figure out how to begin my
migration plan to get eurephia working.

First: I need to upgrade from openvpn 2.1.1 to 2.2.0
Then install eurephia.

I have clients connected 24/7, how can I upgrade on centos? is it
possible to do it without interrupting service?

Thanks, Leo.

On 21/09/11 13:08, David Sommerseth wrote:
> On 21/09/11 17:25, Leandro Roggerone wrote:
>> Hello dear all,
>> I was thinking about adding a little bit more security to my vpn access,
>> then I found Eurephia.
>> We are using a Linux Centos 64bit system with openvpn access.
>>
>> Here begins my issue:
>> I checked the openvpn --version command, and it seems I don't have the
>> required plugin.
>> I would like to know if there is any step by step migration plan for
>> this situation, my concern is that I can not leave my server users
>> without access while I make some tests or fine tuning.
>> It came to my mind some questions:
>>
>> Is it possible to install a newer version of openvpn with the required
>> plugin without stopping the one that is already in production?
>> Having two different versions of openvpn working at the same time on the
>> same server wouldn't generate any conflicts?
>> Any ideas on how to proceed with this?
>>
>> I was thinking about installing an alternative version, test eurephia
>> and, after testing ... migrate.
>
> To make the path shorter, install OpenVPN 2.2. That version is ready for
> eurephia. I'm not sure if 2.2.1 has been packaged in EPEL for RHEL/CentOS
> 5.x ... but I believe it is ready for RHEL/CentOS 6.x.
>
> For a test environment, it is possible to run two different OpenVPN
> instances in parallel, by running it manually. Just grab the latest
> OpenVPN source code (v2.2.1) and compile that one. Then from the source
> tree you just start OpenVPN with ./openvpn ... Set up a separate tun/tap
> device in a separate VPN subnet and use a separate TCP/UDP port. That way
> the running OpenVPN instance will not interfere in any way. (I'm doing
> this myself when testing out stuff)
>
> For eurephia, you can do a complete and proper install and make your test
> configuration use a normal production environment directly. A eurephia
> install is not intrusive in any way and will not make any changes to your
> currently working OpenVPN setup.
>
> And some good news: I noticed that a recent enough CMake is now a part of
> RHEL/CentOS 5.7, so if you still are on the 5.x platform, update to 5.7 and
> you'll be ready to compile it. I will try to get eurephia into EPEL for
> RHEL/CentOS in the near future too.
>
> kind regards,
>
> David Sommerseth
|
|
From: David S. <da...@us...> - 2011-09-21 16:09:02
|
On 21/09/11 17:25, Leandro Roggerone wrote:
> Hello dear all,
> I was thinking about adding a little bit more security to my vpn access,
> then I found Eurephia.
> We are using a Linux Centos 64bit system with openvpn access.
>
> Here begins my issue:
> I checked the openvpn --version command, and it seems I don't have the
> required plugin.
> I would like to know if there is any step by step migration plan for
> this situation, my concern is that I can not leave my server users
> without access while I make some tests or fine tuning.
> It came to my mind some questions:
>
> Is it possible to install a newer version of openvpn with the required
> plugin without stopping the one that is already in production?
> Having two different versions of openvpn working at the same time on the
> same server wouldn't generate any conflicts?
> Any ideas on how to proceed with this?
>
> I was thinking about installing an alternative version, test eurephia
> and, after testing ... migrate.

To make the path shorter, install OpenVPN 2.2. That version is ready for
eurephia. I'm not sure if 2.2.1 has been packaged in EPEL for RHEL/CentOS
5.x ... but I believe it is ready for RHEL/CentOS 6.x.

For a test environment, it is possible to run two different OpenVPN
instances in parallel, by running it manually. Just grab the latest
OpenVPN source code (v2.2.1) and compile that one. Then from the source
tree you just start OpenVPN with ./openvpn ... Set up a separate tun/tap
device in a separate VPN subnet and use a separate TCP/UDP port. That way
the running OpenVPN instance will not interfere in any way. (I'm doing
this myself when testing out stuff)

For eurephia, you can do a complete and proper install and make your test
configuration use a normal production environment directly. A eurephia
install is not intrusive in any way and will not make any changes to your
currently working OpenVPN setup.

And some good news: I noticed that a recent enough CMake is now a part of
RHEL/CentOS 5.7, so if you still are on the 5.x platform, update to 5.7 and
you'll be ready to compile it. I will try to get eurephia into EPEL for
RHEL/CentOS in the near future too.

kind regards,

David Sommerseth
|
|
From: Leandro R. <lea...@dm...> - 2011-09-21 15:45:35
|
Hello dear all,

I was thinking about adding a little bit more security to my vpn access, then I found Eurephia.
We are using a Linux Centos 64bit system with openvpn access.

Here begins my issue:
I checked the openvpn --version command, and it seems I don't have the required plugin.
I would like to know if there is any step by step migration plan for this situation, my concern is that I can not leave my server users without access while I make some tests or fine tuning.
It came to my mind some questions:

Is it possible to install a newer version of openvpn with the required plugin without stopping the one that is already in production?
Having two different versions of openvpn working at the same time on the same server wouldn't generate any conflicts?
Any ideas on how to proceed with this?

I was thinking about installing an alternative version, test eurephia and, after testing ... migrate.

Thanks in advance.
Leo.
|