[clue-tech] VPN configuration questions to Jim Ockers

Jim Ockers ockers at ockers.net
Wed Mar 15 14:02:22 MST 2006


Hi,

> Tell us about the configuration files.
> -- is it okay to use "tap"?   Or is "tun" better?

They are equally good, for small VPNs.  On Windows the tap device
is probably slightly better supported but tun should work too.
I've used tun on Windows and it works as expected.

> -- can "secret" be followed by any file name and extension or
> are the choices limited?   Of course the file with the key has
> to have the same name.

I use TLS (certificates) so I don't know about "secret".  Maybe
read the man page or web page on that one.

> > I set up a configuration file on the client that looks like this:
> >      remote (remote server)
> >      dev tap
> >      ifconfig (client IP) (server IP)
> >      secret clientkey.txt
> >
> > ...with the static key found in a .txt file named clientkey.txt
> >
> > ...and the config file on the server looks like this:
> >      dev tap
> >      ifconfig (server IP) (client IP)
> >      secret clientkey.txt
> 
> -- Can one do without setting up a virtual TAP interface ?

I don't know what this means.  If you are going to use OpenVPN
you are going to have to let it create a VPN interface.  On my
system the interface is tap0, like so:

tap0      Link encap:Ethernet  HWaddr 00:FF:2E:56:2D:A6
          inet addr:172.30.0.2  Bcast:172.30.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Without the tap0 or tun0 interface the VPN will not work.

> -- The port 1194 is forwarded through NAT so that the correct
> server receives it.  I was trying to "log on" from the VPN
> client.

I still don't know what "log on" means.  Please paste in the
exact terminal output of the commands you typed to "log on."
Here is an example:

[root at linux root]# ssh 172.30.0.1
The authenticity of host '172.30.0.1 (172.30.0.1)' can't be established.
RSA key fingerprint is 2a:e8:e0:40:80:ca:d1:d4:10:67:82:20:ed:99:05:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.30.0.1' (RSA) to the list of known hosts.
root at 172.30.0.1's password:

That ssh command, combined with the IP address, constitutes a
"log on" event.  You should attempt to be equally specific about
what you are trying to do.

Here is my server config file:

[root at niamey openvpn]# cat vpn-server.conf
port 5000
proto udp
dev tap
ca vpn-ca.crt
cert vpn.crt
key vpn.key
dh dh1024.pem
ifconfig 172.30.0.1 255.255.0.0
server 172.30.0.0 255.255.0.0
client-to-client
duplicate-cn
keepalive 10 60
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 20

Note that I went to the trouble of setting up a certificate
authority and creating keys etc.

Hope this helps,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
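As an added illustration (not part of the list post), the following script checks the two styles of OpenVPN configuration discussed above: a static-key `secret` pair, whose `ifconfig local remote` lines must mirror each other, and a TLS server config like Jim's, which is checked for the hardening directives his example uses (`tls-auth`, `user`/`group`, `persist-key`/`persist-tun`). The sample configs and addresses are constructed placeholders.

```python
def parse_conf(text):
    """Map directive -> argument list; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args          # a repeated directive: last one wins
    return conf

def check_static_pair(client_text, server_text):
    """Static-key mode: each peer's 'ifconfig local remote' must mirror the other's."""
    c, s = parse_conf(client_text), parse_conf(server_text)
    findings = []
    if "secret" not in c or "secret" not in s:
        findings.append("both peers need a 'secret' directive")
    if c.get("dev") != s.get("dev"):
        findings.append("dev type differs between peers (tun vs tap)")
    if "remote" not in c:
        findings.append("client has no 'remote' (server address)")
    ci, si = c.get("ifconfig", []), s.get("ifconfig", [])
    if len(ci) != 2 or len(si) != 2:
        findings.append("ifconfig needs exactly two addresses: local remote")
    elif ci != [si[1], si[0]]:
        findings.append(f"ifconfig not mirrored: client {ci} vs server {si}")
    return findings

def check_server_hardening(server_text):
    """TLS server mode: report which hardening directives are missing or weakened."""
    s = parse_conf(server_text)
    findings = []
    if "secret" in s:
        findings.append("static key: no per-client identity, no forward secrecy")
    missing = [d for d in ("ca", "cert", "key", "dh") if d not in s]
    if missing:
        findings.append("TLS mode needs " + ", ".join(missing))
    if "tls-auth" not in s:
        findings.append("no tls-auth: control channel is not HMAC-protected")
    if s.get("user", ["root"]) == ["root"] or s.get("group", ["root"]) == ["root"]:
        findings.append("daemon keeps root privileges (set user/group)")
    if "persist-key" not in s or "persist-tun" not in s:
        findings.append("persist-key/persist-tun needed after dropping privileges")
    return findings

# Constructed sample (addresses are placeholders): the static-key pair
# from the question, with the client's ifconfig left in server order.
CLIENT = "remote vpn.example.test\ndev tap\nifconfig 10.8.0.1 10.8.0.2\nsecret clientkey.txt\n"
SERVER = "dev tap\nifconfig 10.8.0.1 10.8.0.2\nsecret clientkey.txt\n"
```

Running `check_static_pair(CLIENT, SERVER)` reports the un-mirrored `ifconfig`; swapping the two client addresses clears it.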
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech