 DocLarge Premium join:2004-09-08
1 edit | OpenVpn: Who's Using It?
Just looking for a round of hands of people who are using Openvpn. This closet application has potential, but the majority of people posting here are looking for answers to commercial vpn products. My interest is piqued to see how Openvpn would fare "if" it were more easily understood (as with all things).
I, personally, am pulling my hair out with this thing even though Ozo was good enough to provide a configuration, along with Sooner Al also posting some config file info for the pocket pc side of the house. Read the pages, tried the configuration, bombed the connection...
I ain't making no progress with this, sample files or not. As a career hardware vpn/software vpn client kind of guy, this is pissing me off 
For any of you openvpn script kiddies trying to get more supporters, please do my "non-understanding azz" and others the following:
1) Please post a "clean" client script here that "does not" have any encryption (no certificates, no keys); I'll explain later...
2) Post a "clean" server script here that "does not" have any encryption (no certificates, no keys either)
3) In these scripts, "assume" everyone is not network/systems administrator like the majority of us who post here, meaning "make the script easy enough for a new user to load and connect within an hour or less of configuring." So, REM out lines regarding "ethernet bridging" and the likes for greater ease of understanding. The majority of the people at home who would probably like to try openvpn "can't" because of the difficulty interpreting the scripting.
4) Al, could you re-edit your pocket pc script and make it clean (no encryption, no keys, no certificate, no bridging) so a first time openvpn noob can connect and understand the basics also? Pocketpc is my primary area of concentration at the moment because I "know" my clients would like such an option...
Explanation: A "wide open" client/server script may make more sense to people wanting to try openvpn; once they can make the initial connection, "THEN" they can work on securing it. I'll never claim to be the most proficient at vpn's, but damn, just going through all those pages and config files was wearing me out...
Although a majority of my installations will continue to be hardware vpn with known software clients, openvpn is pretty slick and worth the investigation...if you could just piece all of that information together (yep, tried the openvpn forum page, and it was down...).
I have no doubt openvpn is the "best thing since sliced bread" to all "eight" guys in the world using it right now. Of course I'm embellishing a little... Openvpn (at first glance) and Linux appear to have a lot in common; a somewhat closed society of users wondering why it's not as widely used.
Openvpn has got skills, but I'm guessing a lot of people (including me) who would like to give it a try "don't" when it comes to scripting.
Little help here...
Doc |
|
 OZO Premium join:2003-01-17
| While I'm watching with big interest this thread [PocketPC] - OpenVPN client for the PocketPC, I'm not an expert at all with PocketPC configuration (never had one). But this thread should give you a good start.
Without any knowledge of PocketPC I'd suggest starting with a client running on a regular PC. By doing so you eliminate configuration difficulties with the server's part of the tunnel. Then it'd be easier to move to PocketPC (as SoonerAl successfully did, and I'm taking the chance to thank him for the great experience that he shared with us).
Potential problem areas with OpenVPN (as I see it) are:
1. Generating certificates that authenticate user connections
2. Bridging TAP interface and LAN interface in server
3. Creating configuration files for both server and client
4. Forwarding 1194/UDP port to local server
Where do you experience difficulties?
Why do you need to set VPN without encryption? It may be possible (I've never been focused on that), but it's not practical. It's easy to generate those certificates (for authentication) and use encryption. -- Keep it simple, it'll become complex by itself... |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to DocLarge The Static Key How-To is how I started...
»openvpn.net/static.html
Then I closely read the OpenVPN How-To and used this bridging page to further refine my config files so I could use bridging...
»openvpn.net/howto.html
»www.pavelec.net/adam/openvpn/bridge/
To get my final configuration working I simply modified the sample config files for both the server and client which are available here...
»theillustratednetwork.mvps.org/O···VPN.html
As far as the PocketPC config file is concerned use the sample.ovpn and modify as needed or modify a working desktop/laptop client file by adding the ip-win32 line...Note that the developer has changed the ip-win32 line from the 18 April to the 1 May release...See the changes page and the known issues section...
»www.ziggurat29.com/OVPNPPCAlpha/changes.htm »www.ziggurat29.com/OVPNPPCAlpha/···wnissues
Old...
ip-win32 ipai
New...
ip-win32 dynamic
...depending on what version you're using...
FWIW department...
I have removed OpenVPN from my PCs and am back to using SSH. It just fits my personal needs better... With that said, OpenVPN is a great package... -- "When all else fails, read the instructions..." |
|
 DocLarge Premium join:2004-09-08
1 edit | reply to DocLarge Thanks again for going over the specifics Al and Ozo.
The reason why I'm asking for scripts "without" encryption and the likes is because these scripts "are not" intended to be scripts people will be using on a permanent basis. These will literally be "beginner" scripts so people can make the "bare minimum" connection. Once they can do that, then they can start focusing on the more intricate functions of openvpn (keys, certificates, ethernet-bridging, etc...).
There's no point in trying to encrypt your traffic if you can't even "create" traffic to encrypt. Unless you've been scripting and are familiar with a lot of the terminology to include technology, there is almost "no chance" on a layman jumping in and learning openvpn. This is an excellent "poor man's vpn" if you're strapped on cash and additional resources. It's sort of like going from microsoft to Linux, or Unix (WTF!!?!?) If you don't do command line, ain't a lot of sh*t getting done on that day.
The idea I have is that a rank beginner who has a "clean" client script and a "clean" server script should be able to make an initial connection (provided the clean scripts are understandable for them) in under an hour; the next phase is gradually building to encryption (certificates, keys...). Following that, then they'll concentrate on scripting in ethernet-bridging... The idea here is to build a level of progression instead of an "everybody in!!" tactic experienced users can deal with.
I'm going to give this another shot. Hopefully, a few more openvpn users will come out of the woodworks and throw their two cents worth in and help get some beginner's scripts together. What I've noticed is that although I can set up vpn from a hardware and software client configuration standpoint (just finished configuring a successful site-to-site connection 15 mins ago) I'm having a "bitch" of a time fooling around with this openvpn script. I can only imagine how someone who doesn't mess with vpn's at all feels
Doc |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to DocLarge I might add that if you up the logging level to 4 and closely read the logs you can probably get a good clue to what problems are occurring, ie. set logging to verb 4 in both the client and server config files. I fixed two problems that way. Make sure you restart the OpenVPN service on the server after making changes to the server config file... -- "When all else fails, read the instructions..." |
|
 DocLarge Premium join:2004-09-08
| reply to DocLarge Thanks Al 
The biggest issue I'm having on the pocketpc front with openvpn is that my ppc is "not" seeing the config file (client.ovpn) ---- I made my file in notepad and changed it to the ovpn as instructed but when I go to connection manager on my ppc, it doesn't recognize it.
Doc |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
2 edits | reply to DocLarge Make sure you have the config file in the \Program Files\OpenVPN\config folder on the PPC. You can move or delete the included sample.ovpn file. I would move it to another folder.
If you use full path names in the config file make sure the path names in the config file are correct including the quotes...Note the use of double slashes...
Example...
"\\Program Files\\OpenVPN\\config\\ca.crt"
I always used WordPad on my desktop to modify the config files...
What Windows Mobile device are you trying to run the OpenVPN client on? -- "When all else fails, read the instructions..." |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to DocLarge Ok... Now I'm curious... 
I am going to reinstall OpenVPN on both my XP Pro desktop, laptop and my iPAQ 5555 later today. -- "When all else fails, read the instructions..." |
|
  Bill_MI Bill In Michigan Premium,MVM join:2001-01-03 Royal Oak, MI
·Comcast
| reply to DocLarge Hiya Doc,
I came up opposite. I *started* with OpenVPN. My single goal was to tunnel into my home LAN from any connection in the world (when traveling, mostly) and to connect back out my home connection. All local hotspot traffic to be secured.
I settled on a WRT54G/OpenWrt base running OpenVPN server for my Win2000 notebook OpenVPN client and it's working well. The WRT is not my main router but connected as an AP. Most of my configuration is here: »forum.openwrt.org/viewtopic.php?id=5264
After playing with all the VPNs you're familiar with, and cursing their ability to do much after fighting NAT traversal, I'm really happy with the simplicity of OpenVPN running UDP. |
|
 DocLarge Premium join:2004-09-08
1 edit | reply to DocLarge @Al: I'm using a QTEK 2020i:
»www.smartdevicesdirect.com/produ···s_id=799
@Bill: Thanks for the info,
Unfortunately, all of that info in your link is "over" my head.
I'm trying to configure a "clean" basic install script for the server and client (to include pocket pc) as previously mentioned in order to get a grasp with the following criteria:
1) No Keys
2) No Certs
3) Basically "No" Encryption
Of course, I'm not planning on leaving such a configuration running on a permanent basis; this is just a "starter" script I'm after. Although I don't do scripting, and can follow a majority of spoken/written commands, openvpn is pissing me off because there seems to be 12 guys on the entire net who seem to know how to use this thing, and dammit, I want to be one of 'em!
I checked out the static page Al mentioned earlier, to include previous suggestions, and my pocket pc connection "still" won't fire up. For each time I can't get openvpn to connect, I can turn around and connect with greenbow, linksys quickvpn, or set up a "site-to-site" connection in half the time, which is why I support traditional vpn configuration. However, tradition is not always best depending upon your circumstances, which is why I'm finally trying to get a grasp of openvpn.
Attention all devoted openvpn users, help make me and others believers... 
Doc |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to DocLarge I just reinstalled OpenVPN on my XP Pro desktop (the server), an XP Pro laptop and my iPAQ 5555 PocketPC. Connections from the two clients (ie. the laptop and PPC) work as advertised. I still have issues with the PPC client but I can log on to the server. I will leave it on my iPAQ for further testing as the developer releases new updated versions of the client. I need to take a closer look at the new release notes and change log. It may be something I have configured wrong, although that is hard to believe... 
You might consider posting to the OpenVPN PocketPC Client forum for help. The developer hangs out there and he may have some suggestions...
»ovpn.sq7ro.net/ovpnforum/
I forgot to ask...anything in the log file on the PocketPC of interest? -- "When all else fails, read the instructions..." |
|
 DocLarge Premium join:2004-09-08 | reply to DocLarge The log is generating "nuthin."
AAAAAARRRGH!!!!
Doc |
|
  fcisler Premium join:2004-06-14 Riverhead, NY
| reply to DocLarge DocLarge:
I understand what you're getting at, but i think you're going in the 100% wrong direction. You want to basically setup a VPN with NO security, get that working, then "patch" it.
Why not just do it the RIGHT way and learn it?
to me it would make NO SENSE to set it up, well, basically unsecured. If it were able to be done this way, most users would get it working and just leave it. As far as the certificates go, they are a PITA, but if you wish, i can provide you with some testing certs (i'll generate them using bogus info or any test info you'd like).
That being said, i use OpenVPN to some of my clients. On a 100mb network, using minimalistic hardware, i was able to achieve around 7-8 MB. If the hardware were more robust, i'm sure it could have saturated the line.
I'm in the process of putting finishing touches on my all-in-one solution. I currently have a couple businesses with WRAPs and 1u servers. They love them, and they are rock solid. Only problem most people have is the certificates. My system will walk you through setting up the certificate authority (CA), server certificate (nothing more than a certificate with 'server' specified), Certificate Revoke List (CRL), and configuration. Deployment is very easy also, as i use SCP and one time passwords (skey) so that a client can download the certificate themselves.
With all this said, i suggest that if you REALLY are stuck and cannot get it setup....why not try a firewall distro with OpenVPN built in? How about pfsense ( »www.pfsense.com )? m0n0wall has a modified distro with openvpn (google or PM me for it). There are several others. Most will give you a nice GUI (usually web based) to configure OpenVPN. From there, you can see the config and understand better. |
|
 DocLarge Premium join:2004-09-08
| reply to DocLarge Thanks for the input fcisler...
I've got IPCOP and MonoWall sitting on the back burner right now because my interest is piqued with OpenVpn right now due to the capability to run it on a pocket pc. For right now openvpn is my obsession...
Doc |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by DocLarge: Thanks for the input fcisler... I've got IPCOP and MonoWall sitting on the back burner right now because my interest is piqued with OpenVpn right now due to the capability to run it on a pocket pc. For right now openvpn is my obsession... Doc
I am sticking with OpenVPN... It works very well for me...
I am still having problems with the PocketPC client but that is not a big deal for me just a nice to have if it ever works... I'm more concerned with secure remote access to my home LAN using my laptop... -- "When all else fails, read the instructions..." |
|
  fcisler Premium join:2004-06-14 Riverhead, NY
1 edit | reply to DocLarge DocLarge:
Did you read my post at all?
m0n0wall has openvpn built in
Also a very nice GUI to configure it...see shots
From there, set it up how you like, then examine the config file and see how it's done.
If you are not so inclined, how about you post your config and exactly what isn't working? I'm sure i can give you a hand with the config part, as the first time i setup OpenVPN it was standalone. Only thing i really can't help with is anything other than certificate authentication. I've never even looked into other methods.
Like i said previously, PM me if you would like some test certificates, or the command line of how to create your own.
EDIT: don't know why the second pic is so large. Also, m0n0wall does not have openvpn built in. A core member of the team keeps an OpenVPN enabled version on parallel track with the current version. It's a little tough to find, PM me if interested. |
|
 DocLarge Premium join:2004-09-08
| reply to DocLarge I did read your post fcisler and maybe I didn't clarify myself as I should have the first time; Monowall isn't an option. The whole point of this exercise is to have VPN handled "minus the use of hardware."
I'm in the pursuit of "script driven" vpn only. Another option on deck is SSL Explorer.
I'll give you a ping here due to my curiosity about it (openvpn). I'm convinced this is a "script kiddie" application with merits...
Doc |
|
  Bill_MI Bill In Michigan Premium,MVM join:2001-01-03 Royal Oak, MI
·Comcast
4 edits | Doc, I'm not sure OpenVPN can run 1) With no encryption. 2) peer-to-peer. It's like driving a car but don't start the engine. 
Here's my config files with all encryption/authentication and logging removed. The virtual tap interface needs to be created on both ends and these assume they are named "tap0".
said by SERVER.OVPN :
port (PickAGoodOne)
proto udp
dev tap0

said by CLIENT.OVPN :
client
dev tap0
proto udp
remote (serveraddress) (serverport)
resolv-retry infinite
Did you try something like this? If I get a chance this weekend I'll give it a try but I suspect it'll crash with no certificates or keys defined. |
|
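The bare configs in the post above, and the double-backslash path rule from SoonerAl's earlier reply, can be checked mechanically. This is an added example, not part of any post in the thread and not OpenVPN's own code: a simplified model of the config syntax plus a check that reports a config naming no key material. The host `vpn.example.net`, the `client.crt`/`client.key` file names and the function names are assumptions.

```python
# Added example: simplified reader for OpenVPN-style config text (not OpenVPN's
# parser). Whitespace separates arguments; '#' or ';' starting an argument begins
# a comment; single quotes are literal; elsewhere a backslash makes the next
# character literal, which is why quoted Windows paths double every slash.
KEY_MATERIAL = {"secret", "ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt"}

def parse_line(line):
    args, cur, quote, in_arg, i = [], [], None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quote != "'" and i + 1 < len(line):
            i += 1                      # escaped character is taken literally
            cur.append(line[i])
            in_arg = True
        elif quote:
            if ch == quote:
                quote = None            # closing quote
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote, in_arg = ch, True    # opening quote
        elif ch.isspace():
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
        elif ch in "#;" and not in_arg:
            break                       # rest of the line is a comment
        else:
            cur.append(ch)
            in_arg = True
        i += 1
    if quote:
        raise ValueError("unterminated quote: " + line)
    if in_arg:
        args.append("".join(cur))
    return args

def audit(text):
    """Return findings for a config that would carry traffic unprotected."""
    seen = {}
    for raw in text.splitlines():
        args = parse_line(raw)
        if args:
            seen.setdefault(args[0], []).append(args[1:])
    findings = []
    if not KEY_MATERIAL & seen.keys():
        findings.append("no key material: nothing authenticates or encrypts the tunnel")
    for name in ("cipher", "auth"):
        if ["none"] in seen.get(name, []):
            findings.append(name + " none: protection explicitly disabled")
    return findings

# Constructed samples: the bare client from the thread with placeholder host and
# port, and a certificate-based variant with assumed file names.
BARE = "client\ndev tap0\nproto udp\nremote vpn.example.net 1194\nresolv-retry infinite\n"
WITH_CERTS = BARE + r'''ca "\\Program Files\\OpenVPN\\config\\ca.crt"
cert "\\Program Files\\OpenVPN\\config\\client.crt"  # assumed name
key "\\Program Files\\OpenVPN\\config\\client.key"   # assumed name
'''

if __name__ == "__main__":
    print(audit(BARE), audit(WITH_CERTS))
```

Feeding `parse_line` the same path with single backslashes shows the separators being swallowed, which is the failure the double-slash advice avoids.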
 DocLarge Premium join:2004-09-08
| reply to DocLarge Thanks Bill..
That's "EXACTLY" what I was looking for. SoonerAl has also provided relevant information (as usual ) in another post so I've got plenty of weekend fodder.
I've got another friend of mine who has had his eye on a "script based" vpn for usage also, and I've told him about openvpn; he said he tried this before also but all the scripting to make it functional was too much of an azz. These bare scripts are "perfect." If anything crashes, then we'll know we need to progress with configuring the encryption and then whatever else comes next. The certificates are made in the RSA folder, right?
I'll have to check the site for the right link...
The one thing I'm running into is that when I save and call my file "client.ovpn" it's not being recognized on my ppc. I'm going to try it on a client first (as SoonerAl suggested) before trying to remodify the script for my ppc (take one step back).
Thanks again, Bill_MI... |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to DocLarge I am going to run some additional tests again with the 3 May release as soon as my wife heads to town...
I also will play around with my server config file if that release still does not allow me access to my home LAN...
Will update later today...
Doc...
FYI, I posted a message on the OpenVPN Client for the PocketPC forum about the issue you're seeing with the device not recognizing your config file. Hopefully the developer will have some ideas...
Later... -- "When all else fails, read the instructions..." |
|