EFW Support > Support > VPN Support

[SOLVED] EFW 2.5.1-HOWTO config OPENVPN in way to access office LAN from home PC
bingel « on: Friday 21 September 2012, 02:00:35 am »

I'm trying to configure OpenVPN on my Endian firewall 2.5.1 located in my office and my OpenVPN client located in my home.

Here, step by step, my EFW SERVER configuration:

SERVER CONFIGURATION > GLOBAL SETTINGS:

- OpenVPN server enabled [Yes]
- Bridged [No]
- VPN subnet: [255.255.255.248/29]


ACCOUNTS:

- Username: [myuser]
- Password: [mypwd]
- no other check-boxes flagged and no other data entered on this section


ADVANCED > ADVANCED SETTINGS:

- Port: 1194
- Protocol: UDP
- no other check-boxes flagged and no other data entered on this section


ADVANCED > GLOBAL PUSH OPTIONS:

- no check-boxes flagged and no data entered on this section (all disabled)


ADVANCED > AUTHENTICATION SETTINGS:

- PSK
- no other check-boxes flagged and no other data entered on this section



Here, step by step, my configuration file for the CLIENT installed on PC in my home:

Code:
client                      # pull options pushed by the server
dev tap                     # layer-2 TAP device, as used by the Endian server
proto udp                   # matches "Protocol: UDP" in Advanced Settings
remote MY.OFFICE.WAN.IP     # no port given, so OpenVPN uses its default of 1194
resolv-retry infinite       # keep retrying DNS resolution of the remote
nobind                      # do not bind a fixed local port
persist-key                 # keep key material across restarts
persist-tun                 # keep the tap device open across restarts
ca MY_CERTIFICATE.pem       # CA certificate downloaded from the Endian server, used to verify it
auth-user-pass              # prompt for the username/password account created on the server
comp-lzo                    # LZO compression; must match the server side

Help me please to understand what is wrong or missing. Thanks in advance.


PS: I read that you need to set the rules for the VPN firewall. If so, how is it done?
jbtaylor79 « Reply #1 on: Friday 21 September 2012, 06:45:47 am »

The entry box "VPN subnet" can be a little misleading. You want to put your VPN network in CIDR notation there. For example, I have entered [10.2.2.0/24].

Hope that helps. If not, I will post my full configuration.

-J
bingel « Reply #2 on: Friday 21 September 2012, 09:24:34 am »

I will try; however, if you post your full configuration (server, client and VPN firewall), it will surely be appreciated.

PS: did you set any rule in the VPN firewall? Is your EFW version 2.5.1?
jbtaylor79 « Reply #3 on: Friday 21 September 2012, 01:48:40 pm »

Endian version 2.5.1 Community

Endian networks
 - GREEN = 192.168.10.0/24
 - BLUE = 192.168.11.0/24
 - ORANGE = 192.168.12.0/24
---------------------------------------------------------------------
OpenVPN Configuration
------------------------------------------------------------------------
OPENVPN
 - NOT bridged
 - VPN Subnet = 10.2.2.0/24
 
OpenVPN Account Setup
 - Direct all clients through server - [not checked]
 - push only global options to this client [checked]
 - push routes to blue and orange - [both checked]

static ip address: [10.2.2.2/24]

push nameserver and domain - [both not checked]

OpenVPN advanced settings
 - 1194 / UDP
 - Block DHCP - [NOT CHECKED]
 - don't block traffic - [checked]
 - allow multiple - [not checked]

Global push options:
 - push these networks - enabled - [0.0.0.0/1 & 128.0.0.0/1] (based on this post: htttp://www*efwsupport*com/index.php?topic=2989.0)
 - push nameserver - enabled - [192.168.10.1]
 - push domain - enabled - [localdomain]
-----------------------------------------------------------------------------------
VPN Firewall Configuration
--------------------------------------------------------------------------------------
source = user
destination = GREEN, BLUE, ORANGE, OPENVPN SERVER
Service = <ANY>
Policy = Allow w/ IPS
enabled = checked
--------------------------------------------------------------------------------

Again, with this configuration I can access all the network resources, fileshares, printers, webpages, etc., on the GREEN and BLUE networks, but not the ORANGE. I am still trying to figure that one out. However, I can access the Web GUI by going to <htttps:// 192.168.12.1:10443>.

---------------------------------------------------------------------------------
OpenVPN client Config
--------------------------------------------------------------------------------
client                      # pull options pushed by the server
dev tap                     # layer-2 TAP device, as used by the Endian server
proto udp                   # matches the 1194/UDP setting above
remote MY_DYNDNS_ADDRESS 1194   # DynDNS name of the office RED interface, port given explicitly
resolv-retry infinite       # keep retrying DNS resolution of the remote
nobind                      # do not bind a fixed local port
persist-key                 # keep key material across restarts
persist-tun                 # keep the tap device open across restarts
ca MY_CERTIFICATE_FILE_FROM_ENDIAN_OPENVPN_SERVER.pem   # CA certificate downloaded from the Endian server
auth-user-pass              # prompt for the username/password of the OpenVPN account
comp-lzo                    # LZO compression; must match the server side
verb 3                      # log verbosity: enough to see the pushed routes being installed
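The client profile above is the one both posters ended up using. As an added example (not code from the thread, from Endian or from OpenVPN), here is a small linter that parses an OpenVPN client profile and flags the settings a reviewer would query in it: no `remote-cert-tls server` (so any certificate issued by the CA in `ca`, including another client's once certificate authentication is enabled, is accepted as the server's), `comp-lzo` (compression inside TLS, the VORACLE problem), and `auth-user-pass` without `auth-nocache`. The sample profile is a constructed copy of the reply #3 config with its placeholder names kept; the hardened profile beside it is hypothetical.

```python
"""Lint an OpenVPN client profile of the kind posted in this thread.

Added example, not from the thread, Endian or OpenVPN. SAMPLE_PROFILE is a
constructed copy of the reply #3 client config (placeholders kept as-is);
HARDENED_PROFILE is a hypothetical corrected version.
"""
import re

SAMPLE_PROFILE = """\
client
dev tap
proto udp
remote MY_DYNDNS_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca MY_CERTIFICATE_FILE_FROM_ENDIAN_OPENVPN_SERVER.pem
auth-user-pass
comp-lzo
verb 3
"""

HARDENED_PROFILE = """\
client
dev tap
proto udp
remote MY_DYNDNS_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca MY_CERTIFICATE_FILE_FROM_ENDIAN_OPENVPN_SERVER.pem
remote-cert-tls server
auth-user-pass
auth-nocache
verb 3
"""


def parse_profile(text):
    """Return [(directive, args)] from an OpenVPN profile.

    Handles '#'/';' comments (leading or inline; quoting is not modelled),
    blank lines and inline <tag>...</tag> blocks, which are recorded as
    (tag, [body]) so that a <ca> block counts as a 'ca' directive.
    """
    entries, block, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                       # inside <tag> ... </tag>
            if line == "</%s>" % block:
                entries.append((block, ["\n".join(body)]))
                block, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]   # drop inline comment
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            block = m.group(1)
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_profile(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    entries = parse_profile(text)
    present = {d for d, _ in entries}
    findings = []
    # Without one of these, every certificate issued by the CA is accepted
    # as the server's, so any other certificate holder can impersonate it.
    if not present & {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                      "verify-x509-name"}:
        findings.append("no-server-cert-check")
    if "ca" not in present:                         # server not authenticated at all
        findings.append("no-ca")
    # Compression of TLS-protected traffic leaks plaintext through size
    # (VORACLE); comp-lzo is also deprecated in current OpenVPN.
    if present & {"comp-lzo", "compress"}:
        findings.append("compression")
    # Without auth-nocache the username/password are kept in process memory
    # for reconnects and can be recovered from a memory dump.
    if "auth-user-pass" in present and "auth-nocache" not in present:
        findings.append("no-auth-nocache")
    for directive, args in entries:
        if directive == "remote" and len(args) < 2:
            findings.append("remote-default-port")  # OpenVPN silently assumes 1194
    return findings


if __name__ == "__main__":
    for name, profile in (("reply #3", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name + ":", lint_profile(profile) or "clean")
```

Dropping `comp-lzo` on the client only works if compression is also turned off on the Endian side; the thread does not show where that setting lives in 2.5.1, so check the server before removing it, otherwise the two ends will not agree.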
bingel « Reply #4 on: Friday 21 September 2012, 07:23:57 pm »

Thank you very much.
As soon as I get a free moment, I'll try.

PS: I think, but am not sure, that ORANGE and BLUE are disabled on my server. I suppose I'll have to change some settings.
bingel « Reply #5 on: Monday 24 September 2012, 09:22:14 pm »

Configuration tried. It doesn't run.

I also tried a few variations, but nothing worked.

192.168.10.1 is your green ip address?
bingel « Reply #6 on: Tuesday 25 September 2012, 05:55:25 am »

Configuration retried this evening at home with more time.
Now it works but in "advanced settings" I had to remove network "0.0.0.0/1" from pushing.

I think I can clean my configuration even more (i.e. disabling "nameserver pushing", which I don't need).

Differences between my network and yours and summary of changes done in my configuration (for reminders and for helping other people in same situation):

- I have only two zones: red and green
- In "account setup" I do not have a check-box for pushing routes to blue and orange because, as just said, I have only two zones (green and red)
- My nameserver (for pushing) is 192.168.1.254, corresponding to the IP I assigned to my green ethernet card (but I think I could remove this setting, as I already said, because I think I don't need it ... tomorrow I will try). Yours is 192.168.10.1 (each user can use a different address). EDIT: I've just tried, and removing this setting does not affect the VPN connection.
- To get my VPN to work I had to remove network "0.0.0.0/1" from pushing (in advanced settings).


Despite my bad English I hope I was clear enough.
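The pair of routes pushed in reply #3, 0.0.0.0/1 and 128.0.0.0/1, is the same trick OpenVPN's own `redirect-gateway def1` uses: two /1 routes win longest-prefix match over the existing /0 default without deleting it. What `redirect-gateway` adds and a hand-pushed pair does not is a /32 host route that keeps the VPN server itself reachable through the original gateway. The added example below (not from the thread, Endian or OpenVPN) simulates a home client's routing table under the variants discussed in this thread: zone routes only, both halves pushed, both halves plus the host route, and the high half only as bingel ended up with. All addresses are constructed: a home LAN of 192.168.0.0/24, the reply #3 office zones, 203.0.113.10 standing in for the office WAN IP, and 100.64.0.5 as an arbitrary address below 128.0.0.0. Whether the missing host route is what broke bingel's tunnel is not established on this page; the simulation only shows what the routes do.

```python
"""Longest-prefix-match simulation of a home OpenVPN client's routing table.

Added example, not from the thread, Endian or OpenVPN. Every table below is
constructed; 203.0.113.10 stands in for the office WAN IP.
"""
import ipaddress

# Home client before the tunnel comes up.
HOME_BASE = [
    ("0.0.0.0/0", "home router"),
    ("192.168.0.0/24", "eth0"),
]
# Installed by the tunnel with the reply #3 settings: VPN subnet 10.2.2.0/24
# plus the GREEN/BLUE/ORANGE zone routes pushed to the client.
TUNNEL = [
    ("10.2.2.0/24", "tap0"),
    ("192.168.10.0/24", "tap0"),
    ("192.168.11.0/24", "tap0"),
    ("192.168.12.0/24", "tap0"),
]
PUSH_BOTH_HALVES = [("0.0.0.0/1", "tap0"), ("128.0.0.0/1", "tap0")]
PUSH_HIGH_HALF = [("128.0.0.0/1", "tap0")]           # what bingel kept in reply #6
# Host route that 'redirect-gateway def1' adds by itself (assumed office WAN IP).
SERVER_HOST_ROUTE = [("203.0.113.10/32", "home router")]
# Caveat for a home LAN that happens to use the same /24 as the office GREEN
# (bingel's GREEN address is 192.168.1.254).
HOME_SAME_AS_GREEN = [("0.0.0.0/0", "home router"), ("192.168.1.0/24", "eth0")]
OFFICE_GREEN_PUSH = [("192.168.1.0/24", "tap0")]


def best_route(table, dst):
    """Return the next hop for dst chosen by longest prefix match.

    Equal-length matches are reported as 'tie' rather than resolved:
    real kernels break ties by metric and insertion order, which this
    model deliberately does not track.
    """
    addr = ipaddress.ip_address(dst)
    best_len, hops = -1, []
    for net_str, via in table:
        net = ipaddress.ip_network(net_str)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [via]
        elif net.prefixlen == best_len:
            hops.append(via)
    if not hops:
        return None
    return hops[0] if len(hops) == 1 else "tie"


def trace(table, dsts):
    """Map each destination to the next hop the table would select."""
    return {d: best_route(table, d) for d in dsts}


if __name__ == "__main__":
    targets = ["192.168.10.5", "203.0.113.10", "100.64.0.5", "192.168.0.7"]
    scenarios = {
        "zone routes only": HOME_BASE + TUNNEL,
        "both /1 halves pushed": HOME_BASE + TUNNEL + PUSH_BOTH_HALVES,
        "both halves + server host route": HOME_BASE + TUNNEL + PUSH_BOTH_HALVES + SERVER_HOST_ROUTE,
        "128.0.0.0/1 only (reply #6)": HOME_BASE + TUNNEL + PUSH_HIGH_HALF,
    }
    for name, table in scenarios.items():
        print(name, trace(table, targets))
    print("home LAN = office GREEN:",
          best_route(HOME_SAME_AS_GREEN + OFFICE_GREEN_PUSH, "192.168.1.254"))
```

Two things the output makes visible: with both halves pushed and no host route, the packets carrying the tunnel itself (destination 203.0.113.10) are routed into tap0; and with only 128.0.0.0/1 pushed, every destination above 128.0.0.0 still goes through the office, so that variant is not an office-LAN-only setup. For access to the office zones alone, leaving "push these networks" disabled and keeping just the zone routes is the cleaner choice, and a home LAN on the same /24 as the office GREEN produces the tie shown last.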
bingel « Reply #7 on: Tuesday 25 September 2012, 06:01:56 am »

Only one problem remains to be solved: from the home PC, although I'm able to ping it, I'm not able to access the Endian firewall, neither via web nor via SSH.


EDIT: solved adding a pair of rules in FIREWALL > SYSTEM ACCESS:

1) for enabling SSH access on EndianFW (for any PC connected via VPN):

Code:
- source address [empty]
- source interface [VPN]
- service port [SSH]
- protocol [TCP]
- port [22]
- action [ALLOW with IPS]
- position [first]  #not important
- Enabled [ON]  #obviously


2) for enabling WEB access on EndianFW (for any PC connected via VPN):

Code:
- source address [empty]
- source interface [VPN]
- service port [User defined]
- protocol [TCP]
- port [10443]
- action [ALLOW with IPS]
- position [After rule #1]  #but really not important
- Enabled [ON]  #obviously
bingel « Reply #8 on: Wednesday 26 September 2012, 07:18:52 am »

To avoid entering a username and password each time you connect, you can follow these guides. I tested them and they work:

- https://endian.zendesk.com/entries/21292467-how-to-manage-ca-server-and-client-certificates-with-easy-rsa-for-openvpn
- https://endian.zendesk.com/entries/21295816-how-to-configure-endian-utm-appliance-to-use-openvpn-certificate-authentication
- https://endian.zendesk.com/entries/21295696-how-to-configure-windows-openvpn-client-with-certificate-authentication
- https://endian.zendesk.com/entries/21285883-how-to-configure-linux-openvpn-client-with-certificate-authentication