https://wiki.archlinux.org/api.php?action=feedcontributions&user=Silversurfer&feedformat=atomArchWiki - User contributions [en]2024-03-29T06:27:50ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=OpenVPN/Bridge&diff=148963OpenVPN/Bridge2011-07-13T22:29:58Z<p>Silversurfer: </p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:VPN (English)]]<br />
<br />
'''TODO:''' check this now updated article for accuracy, readability and completeness<br />
<br />
This page describes multiple ways to create a network bridge on Arch Linux and host an OpenVPN server using a layer-2 Ethernet bridge (TAP) rather than a layer-3 IP tunnel (TUN). The general [[OpenVPN]] page describes setting up PAM authentication or OpenSSL security certificates in more detail.<br />
<br />
==Introduction==<br />
<br />
The [http://openvpn.net/index.php/open-source/documentation.html OpenVPN documentation pages] give a full overview of the server-side and client-side options that OpenVPN supports. Setting up OpenVPN in tunneling mode (TUN) and routing traffic into the tunnel is simpler, and is generally advised if it serves your purpose. However, some applications, such as Windows file sharing or Samba, rely on Ethernet-level broadcasts and benefit from believing they are physically located on the same subnet; software bridging (TAP) serves this purpose. Keep in mind that a bridged client becomes a full member of the LAN segment, seeing its broadcasts and reaching every host on it, so the client certificates you issue are effectively LAN access credentials.<br />
<br />
==Installation==<br />
<br />
The first thing you want to do is install OpenVPN, the Linux bridging utilities and [[netcfg]].<br />
<pre><br />
pacman -S openvpn bridge-utils netcfg<br />
</pre><br />
<br />
==Configuration==<br />
<br />
Earlier guides from the OpenVPN team and various Linux packagers gave example scripts for constructing a bridge when starting OpenVPN and destroying it when shutting OpenVPN down.<br />
<br />
This approach is somewhat deprecated: since 2.1.1, OpenVPN by default refuses to call external scripts or programs unless this is explicitly enabled with '''script-security''', for security reasons.<br />
<br />
Constructing the bridge is also slow compared to the rest of network initialization, so slow that dhcpcd will time out before the bridge is ready (see [[#Troubleshooting]]). And when restarting OpenVPN after configuration changes there is no reason to tear down a working bridge and interrupt every other network application on it. Setting up a static bridge configuration as follows is therefore the recommended method.<br />
<br />
===Bridge===<br />
<br />
Add a tap interface for OpenVPN to use in '''/etc/conf.d/openvpn-tapdev'''<br />
<pre><br />
#<br />
# /etc/conf.d/openvpn-tapdev<br />
#<br />
# Place openvpn-tapdev before network into your DAEMONS array<br />
# This will create permanent tap devices which you can use for bridging<br />
#<br />
# Example:<br />
# TAPDEVS="work home"<br />
# Will create two tap devices "work" and "home"<br />
#<br />
TAPDEVS="tap0"<br />
</pre><br />
<br />
Creating the bridge is not possible anymore with rc.conf since net-tools is deprecated. You are going to have to use [[netcfg]] instead.<br />
Go to /etc/network.d/ and copy the bridge example file:<br />
<pre><br />
cd /etc/network.d/<br />
cp examples/bridge openvpn_bridge<br />
</pre><br />
Now edit /etc/network.d/openvpn_bridge. It may look like this:<br />
<pre><br />
INTERFACE="br0"<br />
CONNECTION="bridge"<br />
DESCRIPTION="OpenVPN Bridge"<br />
BRIDGE_INTERFACES="eth0 tap0"<br />
IP='static'<br />
ADDR='192.168.11.1'<br />
GATEWAY='192.168.11.254'<br />
DNS=('192.168.11.254')<br />
</pre><br />
For more information, for example how to use DHCP instead, check the [[netcfg]] article.<br />
<br />
===Server===<br />
<br />
There are a few example server configurations located in '''/usr/share/openvpn/examples''' to look at.<br />
<br />
Here is a server configuration that uses DHCP on the bridged LAN for client addresses, together with some features only available since 2.1.1, saved as '''/etc/openvpn/server.conf'''. It references 1024-bit Diffie-Hellman parameters (dh1024.pem), which was typical when it was written but is now considered too weak; generate at least 2048-bit parameters with '''openssl dhparam -out dh2048.pem 2048''' and point the '''dh''' directive at that file.<br />
<br />
{{Note|Setting '''multihome''' makes OpenVPN, when listening on multiple interfaces over UDP, reply to a client from the same address on which its request arrived. Otherwise OpenVPN may answer from a different interface, and clients drop packets that do not originate from the endpoint they connected to. Raising '''script-security''' to 2 is necessary for the '''up'''/'''down''' scripts below to call external programs during OpenVPN operation; leave it at the default unless you actually use such scripts.}}<br />
<pre><br />
# /etc/openvpn/server.conf<br />
# 2009.12.31<br />
#<br />
# address to bind to, instead of all available<br />
;local 192.168.3.252<br />
# new features, as of v2.1.1<br />
#can listen on multiple ips over udp<br />
multihome<br />
# needed to allow internally called scripts like up/down<br />
# to call external programs like ifup, etc<br />
;script-security 2<br />
<br />
# tcp might work better on certain "dev tun" setups<br />
# but not for wrapping more tcp or further encrypted<br />
# streams, as that would be redundant, and very slow<br />
# "port 1194" and "proto udp" are defaults<br />
port 1194<br />
proto udp<br />
<br />
# could specify interface, like tap0 or tap1<br />
# or use up/down routing scripts to handle<br />
# more than one, if needed<br />
dev tap0<br />
<br />
# simple scripts for adding the tap device to the bridge and<br />
# removing it again (see Option 3 under Tips and Tricks); they need<br />
# "script-security 2" above and should be given by absolute path<br />
;up "/etc/openvpn/up.sh br0"<br />
;down "/etc/openvpn/down.sh br0"<br />
<br />
# identical certificate on server & client<br />
ca config/keys/ca.crt<br />
<br />
# server's own cert/key<br />
cert config/keys/server.crt<br />
key config/keys/server.key # keep secret<br />
<br />
# for certificate handshake<br />
dh config/keys/dh1024.pem<br />
<br />
# no arguments will use this subnet's dhcp server<br />
# not openvpn dynamic/static assigment<br />
# either way is good, but if you know you're not conflicting<br />
# with any other IP addressing schemes on your subnet,<br />
# this is much faster<br />
# this directive expands to include "mode server" and "tls-server"<br />
# so including them elsewhere is redundant<br />
;server-bridge 192.168.3.252 255.255.255.0 192.168.3.1 192.168.3.16<br />
# like what dhcp does, reuses IPs<br />
;ifconfig-pool-persist ipp.txt<br />
<br />
# this one uses a dhcp server, server-side<br />
# potentially better for controlling ip addresses from one location<br />
# clients must support binding their dhcp client to their tap adapter<br />
server-bridge nogw # 'nogw' is optional<br />
<br />
# openvpn server routes client packets to each other itself<br />
# should happen anyway in 'dev tap' mode, but this saves time<br />
client-to-client<br />
<br />
# ping clients to auto close server side connection<br />
keepalive 10 60<br />
<br />
# 0 for server, 1 for client<br />
tls-auth config/keys/ta.key 0 # This file is secret<br />
<br />
# cryptographic cipher.<br />
;cipher BF-CBC # Blowfish (default)<br />
cipher AES-128-CBC # AES<br />
<br />
# compression is useful for xfer of<br />
# not already compressed files, like database<br />
# files, otherwise add needless overhead<br />
# comp-lzo [mode] ; yes|no|adaptive, adaptive default<br />
;comp-lzo<br />
<br />
# not needed yet<br />
;max-clients 100<br />
<br />
# drop root privileges once connected<br />
# good idea, for servers running on linux<br />
user nobody<br />
group nobody<br />
<br />
# avoid accessing things you no longer can<br />
persist-key<br />
persist-tun<br />
<br />
# short status file showing current connections<br />
# rewritten every minute.<br />
status openvpn-status.log<br />
<br />
# use one or the other, useful for managing multiple<br />
# concurrent servers on a system<br />
;log openvpn.log<br />
;log-append openvpn.log<br />
<br />
# 0 is silent, except for fatal errors<br />
# 4 is reasonable for general usage<br />
# 5 and 6 can help to debug connection problems<br />
# 9 is extremely verbose<br />
verb 3<br />
<br />
# silence repeating messages past certain number, in log<br />
;mute 20<br />
</pre><br />
<br />
The following modules will be automatically loaded, but you could specify them by editing '''/etc/rc.conf'''<br />
<pre><br />
#...<br />
MODULES=(... tun bridge ...)<br />
#...<br />
</pre><br />
<br />
Now, add the following daemons to '''/etc/rc.conf'''<br />
{{Note|'''openvpn-tapdev''' must come before '''net-profiles'''}}<br />
<pre><br />
#...<br />
DAEMONS=(... openvpn-tapdev net-profiles openvpn ...)<br />
#...<br />
</pre><br />
<br />
===Client===<br />
<br />
The following is a matching '''client.ovpn''' for the options used in '''server.conf''' above, tested on Windows.<br />
{{Note|A Windows client obtains an address from the DHCP server on the OpenVPN server's LAN automatically, because the Windows network stack treats the TAP adapter like any other Ethernet adapter; a Linux client may need extra steps (running a DHCP client on the tap interface once the tunnel is up) to get DHCP to work.}}<br />
<pre><br />
# /%openvpn%/config/client.conf<br />
# 2009.12.31<br />
<br />
# selects client mode and the order of the certificate authentication<br />
# this directive expands to "pull" and "tls-client"<br />
# so including them elsewhere is redundant<br />
client<br />
<br />
# type of server<br />
dev tap<br />
<br />
# windows needs tap name, if more than one<br />
;dev-node OpenVPN Bridge Connection<br />
<br />
# remote <hostname> [port] [proto]<br />
# replace the first "remote" with the server's hostname or IP address<br />
remote remote 1194 udp<br />
<br />
# only works for peers using the "remote" option<br />
# ok if the ip address for remote changes during session<br />
float<br />
# uses a random port client-side<br />
nobind<br />
<br />
# this is for laptops or internet conditions<br />
# where openvpn server hostname cannot be resolved easily,<br />
# or changes often, etc<br />
# infinite is the default, or a value in seconds<br />
resolv-retry infinite<br />
<br />
# public<br />
ca keys/ca.crt<br />
cert keys/satellite.crt<br />
# private<br />
key keys/satellite.key<br />
# needed when specified in server<br />
# 0 = server, 1 = client<br />
tls-auth keys/ta.key 1<br />
<br />
# verify that the server certificate carries the nsCertType "server"<br />
# extension (easy-rsa's build-key-server sets it); without this check any<br />
# certificate signed by the CA, e.g. another client's, could pose as the server<br />
ns-cert-type server<br />
<br />
;cipher BF-CBC<br />
cipher AES-128-CBC<br />
<br />
# comp-lzo [mode] ; yes|no|adaptive, adaptive default<br />
;comp-lzo<br />
<br />
# try to preserve some states across restarts<br />
persist-key<br />
persist-tun<br />
<br />
verb 3<br />
</pre><br />
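The directives above that matter for security are easy to get wrong by hand (a '''cipher''' line disabled with a leading ''';''', a forgotten '''tls-auth''', a stale '''dh1024.pem'''), so here is a small audit script, added as an example for this page and not part of the wiki's or OpenVPN's own code. It parses configs the way OpenVPN does (a leading ''';''' or '''#''' disables the line, an inline '''# ...''' trailer is ignored) and reports finding codes of its own naming (WEAK_DH, NO_TLS_AUTH, ...). The embedded configs are constructed abridgements of the server.conf and client.ovpn shown above plus a deliberately weak server config for contrast; the hostname in the client config is the same placeholder the page uses.<br />

```python
"""Audit OpenVPN configs for the security-relevant directives discussed above.

Added example for this page, not wiki or OpenVPN project code.  The configs
below are constructed abridgements of the page's server.conf / client.ovpn
plus a deliberately weak server config; finding codes are this example's own.
"""

import re
import shlex
from typing import Dict, List

Options = Dict[str, List[List[str]]]

# Directives that run external programs and therefore justify script-security 2.
SCRIPT_HOOKS = ("up", "down", "client-connect", "client-disconnect",
                "learn-address", "auth-user-pass-verify", "tls-verify", "route-up")

SERVER_CONF = """\
;script-security 2
port 1194
proto udp
dev tap0
;up "/etc/openvpn/up.sh br0"
ca config/keys/ca.crt
cert config/keys/server.crt
key config/keys/server.key # keep secret
dh config/keys/dh1024.pem
server-bridge nogw
tls-auth config/keys/ta.key 0 # This file is secret
;cipher BF-CBC
cipher AES-128-CBC
user nobody
group nobody
"""

CLIENT_CONF = """\
client
dev tap
remote remote 1194 udp
nobind
ca keys/ca.crt
cert keys/satellite.crt
key keys/satellite.key
tls-auth keys/ta.key 1
ns-cert-type server
cipher AES-128-CBC
"""

# Constructed: what a hastily written bridge server often looks like.
WEAK_SERVER_CONF = """\
port 1194
dev tap0
script-security 3
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge nogw
cipher BF-CBC
"""


def parse_config(text: str) -> Options:
    """Map each directive to the argument lists it was given.

    A line starting with ';' or '#' is a comment (so ';cipher BF-CBC' is
    disabled, not active) and a ' # ...' trailer is dropped; shlex handles
    quoted arguments such as up "/etc/openvpn/up.sh br0".
    """
    opts: Options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        line = re.split(r"\s#", line, maxsplit=1)[0]
        parts = shlex.split(line)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def role_of(opts: Options) -> str:
    """'server', 'client' or 'unknown', from the mode-setting directives."""
    if "client" in opts or "tls-client" in opts:
        return "client"
    if any(k in opts for k in ("server", "server-bridge", "tls-server")):
        return "server"
    return "unknown"


def audit(text: str) -> List[str]:
    """Return finding codes for one config; an empty list means nothing flagged."""
    opts = parse_config(text)
    role = role_of(opts)
    findings: List[str] = []

    # Level 3 hands passwords to scripts via the environment; level 2 with no
    # script hook configured is exposure for nothing.
    for args in opts.get("script-security", []):
        level = int(args[0]) if args and args[0].isdigit() else 1
        if level >= 3:
            findings.append("SCRIPT_SECURITY_3")
        elif level == 2 and not any(h in opts for h in SCRIPT_HOOKS):
            findings.append("SCRIPT_SECURITY_UNUSED")

    # Without tls-auth any host on the internet can start a TLS handshake.
    if "tls-auth" not in opts:
        findings.append("NO_TLS_AUTH")

    # No cipher line means the old Blowfish default; BF/DES are 64-bit block ciphers.
    ciphers = [a[0] for a in opts.get("cipher", []) if a]
    if not ciphers or ciphers[-1].upper().startswith(("BF-", "DES-")):
        findings.append("WEAK_CIPHER")

    if role == "server":
        for args in opts.get("dh", []):
            m = re.search(r"(\d{3,4})", args[0]) if args else None
            if m and int(m.group(1)) < 2048:
                findings.append("WEAK_DH")
        if "user" not in opts or "group" not in opts:
            findings.append("RUNS_AS_ROOT")
    elif role == "client":
        # Otherwise any CA-signed certificate, e.g. another client's, can pose as the server.
        if "ns-cert-type" not in opts and "remote-cert-tls" not in opts:
            findings.append("NO_SERVER_CERT_CHECK")
    return findings


if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_CONF),
                       ("weak-server.conf", WEAK_SERVER_CONF)):
        print(f"{name}: {', '.join(audit(conf)) or 'no findings'}")
```

Run it as-is to see the three reports, or replace the embedded strings with '''open(path).read()''' to audit real files; the page's own server.conf is flagged only for the 1024-bit DH parameters, while the constructed weak config trips every check.<br />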
<br />
==Tips and Tricks==<br />
<br />
===Dynamically create and destroy the bridge===<br />
You may not always want a static bridge, as there may be cases that you don't always want OpenVPN on, and when off you would prefer not having the bridge in place. In that case you have multiple options to achieve this.<br />
<br />
====Option 1====<br />
<br />
Script for creating the bridge:<br />
<pre><br />
#!/bin/bash<br />
#################################<br />
# Set up Ethernet bridge on Linux<br />
# Requires: bridge-utils<br />
#################################<br />
<br />
# Define Bridge Interface<br />
br="br0"<br />
<br />
# Define list of TAP interfaces to be bridged,<br />
# for example tap="tap0 tap1 tap2".<br />
tap="tap0"<br />
<br />
# Define physical ethernet interface to be bridged<br />
# with TAP interface(s) above.<br />
eth="eth0"<br />
<br />
for t in $tap; do<br />
openvpn --mktun --dev $t<br />
done<br />
<br />
brctl addbr $br<br />
brctl addif $br $eth<br />
<br />
for t in $tap; do<br />
brctl addif $br $t<br />
done<br />
<br />
for t in $tap; do<br />
ifconfig $t 0.0.0.0 promisc up<br />
done<br />
<br />
ifconfig $eth 0.0.0.0 promisc up<br />
<br />
# If static IP:<br />
eth_ip="10.10.0.100"<br />
eth_netmask="255.255.255.0"<br />
eth_broadcast="10.10.0.255"<br />
gw="10.10.0.254"<br />
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast<br />
route add default gw $gw $br<br />
<br />
# If dynamic IP, comment out the static block above and use this instead:<br />
#dhcpcd $br<br />
<br />
</pre><br />
<br />
Script for destroying the bridge:<br />
<br />
<pre><br />
#!/bin/bash<br />
####################################<br />
# Tear Down Ethernet bridge on Linux<br />
####################################<br />
<br />
# Define Bridge Interface<br />
br="br0"<br />
<br />
# Define list of TAP interfaces to be bridged together<br />
tap="tap0"<br />
<br />
ifconfig $br down<br />
brctl delbr $br<br />
<br />
for t in $tap; do<br />
openvpn --rmtun --dev $t<br />
done<br />
<br />
/etc/rc.d/network restart<br />
</pre><br />
<br />
====Option 2====<br />
<br />
{{Warning|This script doesn't always correctly report [FAIL] or [DONE] so output can't be relied upon and may be confusing. Also, it is very old and should probably be revisited and revised}}<br />
<br />
Replace '''/etc/rc.d/openvpn''' with<br />
<pre><br />
#!/bin/bash<br />
<br />
# /etc/rc.d/openvpn<br />
#<br />
# An init script to start and stop OpenVPN daemons<br />
<br />
. /etc/rc.conf<br />
. /etc/rc.d/functions<br />
<br />
openvpn_config_dir=/etc/openvpn<br />
<br />
make_bridge ()<br />
{<br />
#echo "# mkbr $1"<br />
# for example $1 = "br0" and<br />
# $br0 = ("br0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255" eth1) <br />
eval brvar="(\"\${${1}[@]}\")"<br />
brdev=$1<br />
<br />
brctl addbr $brdev<br />
add_to_bridge ${brvar[1]} $brdev<br />
<br />
ifconfig ${brvar[0]}<br />
return $?<br />
}<br />
<br />
add_to_bridge ()<br />
{<br />
#echo "# addbr $1 $2"<br />
# for example $1=tap0 and $2=br0<br />
ifconfig $1 down >/dev/null 2>&1<br />
brctl addif $2 $1<br />
ifconfig $1 0.0.0.0 promisc up<br />
}<br />
<br />
destroy_bridge ()<br />
{<br />
eval brvar="(\"\${${1}[@]}\")"<br />
brdev=$1<br />
<br />
ifconfig $brdev down<br />
brctl delbr $brdev<br />
}<br />
<br />
make_vpn ()<br />
{<br />
#echo "# mkvpn $1"<br />
# for example $1 = vpn0 and<br />
# $vpn0 = ("default.conf" tap0 br0)<br />
eval vpnvar="(\"\${${1}[@]}\")"<br />
<br />
openvpn --mktun --dev ${vpnvar[1]} > /dev/null<br />
if [ "${vpnvar[2]}" != "" ]; then<br />
add_to_bridge ${vpnvar[1]} ${vpnvar[2]}<br />
fi<br />
<br />
openvpn --cd $openvpn_config_dir --daemon --config ${vpnvar[0]}<br />
return $?<br />
}<br />
<br />
destroy_vpn ()<br />
{<br />
eval vpnvar="(\"\${${1}[@]}\")"<br />
openvpn --rmtun --dev ${vpnvar[1]} > /dev/null<br />
return $?<br />
}<br />
<br />
case "$1" in<br />
start)<br />
stat_busy "Starting OpenVPN daemons"<br />
<br />
# enable IP forwarding<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
# create bridge(s)<br />
error=0<br />
for brconf in ${BRIDGES[@]}; do<br />
if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then<br />
make_bridge $brconf || error=1<br />
fi<br />
done<br />
<br />
# create vpn(s)<br />
for vpnconf in ${VPNS[@]}; do<br />
if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then<br />
make_vpn $vpnconf || error=1<br />
fi<br />
done<br />
<br />
if [ $error -eq 0 ]; then<br />
stat_done<br />
else<br />
stat_fail<br />
fi<br />
;;<br />
stop)<br />
stat_busy "Stopping OpenVPN daemons"<br />
<br />
killall `which openvpn` 2> /dev/null<br />
<br />
# destroy bridge(s)<br />
error=0<br />
for brconf in ${BRIDGES[@]}; do<br />
if echo $brconf | grep '^[^\!]' >/dev/null 2>&1; then<br />
destroy_bridge $brconf || error=1<br />
fi<br />
done<br />
<br />
# destroy vpn(s)<br />
for vpnconf in ${VPNS[@]}; do<br />
if echo $vpnconf | grep '^[^\!]' >/dev/null 2>&1; then<br />
destroy_vpn $vpnconf || error=1<br />
fi<br />
done<br />
<br />
if [ $error -eq 0 ]; then<br />
stat_done<br />
else<br />
stat_fail<br />
fi<br />
;;<br />
restart)<br />
$0 stop<br />
sleep 1<br />
$0 start<br />
;;<br />
*)<br />
echo $"Usage: $0 {start|stop|restart}"<br />
RETVAL=1<br />
esac<br />
</pre><br />
<br />
And then make the script executable.<br />
<pre><br />
chmod 755 /etc/rc.d/openvpn<br />
</pre><br />
<br />
====Option 3====<br />
<br />
You can create scripts for OpenVPN's '''up''' and '''down''' options that add the tap interface to the bridge and remove it again, instead of relying on the openvpn-tapdev daemon, which gives you more control over how the interface is attached. OpenVPN appends its own arguments after the ones given on the config line (tap device name, tun MTU, link MTU, ...), so with '''up "/etc/openvpn/up.sh br0"''' the scripts below receive the bridge name as $1, the tap device as $2 and the MTU as $3. They require '''script-security 2''' in the server configuration. Note also that when the server drops privileges with '''user nobody''' the '''down''' script runs as that user too, so the brctl/ifconfig calls in down.sh will fail; either keep root for the server process or run the down script through the down-root plugin shipped with OpenVPN (openvpn-plugin-down-root.so). Here are some generic ones; make sure they are executable.<br />
<br />
'''up.sh'''<br />
<pre><br />
#!/bin/bash -e<br />
<br />
BR=$1<br />
DEV=$2<br />
MTU=$3<br />
<br />
/sbin/ifconfig $DEV mtu $MTU promisc up<br />
/usr/sbin/brctl addif $BR $DEV<br />
<br />
exit 0<br />
</pre><br />
<br />
'''down.sh'''<br />
<pre><br />
#!/bin/bash -e<br />
<br />
BR=$1<br />
DEV=$2<br />
<br />
/usr/sbin/brctl delif $BR $DEV<br />
/sbin/ifconfig $DEV down<br />
<br />
exit 0<br />
</pre><br />
<br />
==Troubleshooting==<br />
<br />
Q: Why does starting the network [FAIL]?<br />
<br />
A: If you followed the server.conf example above, you are using DHCP on the bridge, and a newly created bridge port does not forward traffic until its forwarding delay has passed (15 seconds by default, spent twice while the port moves through the listening and learning states), which is longer than dhcpcd is willing to wait. Fix this by lowering the forwarding delay right after the bridge is created, for example by adding the marked line to '''/etc/rc.d/network''':<br />
<pre><br />
.. /usr/sbin/brctl addbr $br<br />
+ /usr/sbin/brctl setfd $br 5<br />
.. eval brifs="\$bridge_${br}"<br />
</pre><br />
<br />
==More Resources==<br />
<br />
[[OpenVPN]] | General page on configuring OpenVPN, including setting up authentication methods.<br />
----<br />
<br />
Any additions, clarifications, reorganizations, feedback etc. etc. are more than appreciated.<br />
<br />
----</div>Silversurfer https://wiki.archlinux.org/index.php?title=OpenVPN&diff=148962 OpenVPN 2011-07-13T22:22:17Z<p>Silversurfer: insert category: Category:VPN (English)</p>
<hr />
<div>[[Category: Networking (English)]]<br />
[[Category:VPN (English)]]<br />
==Install==<br />
Install openvpn:<br />
pacman -S openvpn<br />
Also you may install [http://aur.archlinux.org/packages.php?ID=30584 ldap authentication module] from AUR.<br />
<br />
<br />
==Prepare OpenSSL data==<br />
Create certificates and keys. First copy /usr/share/openvpn/easy-rsa to /etc/openvpn/easy-rsa and cd there. Edit the file "vars" with the information you want, then source it. (note the single dot)<br />
. ./vars<br />
Clean up any previous keys:<br />
./clean-all<br />
<br />
Generate the certificates. build-ca creates the "certificate authority" key that the key signing machine needs and the ca.crt certificate that the server and client both need. build-key-server (followed by your server name) creates the certificate and private key for the server, with the nsCertType=server extension that clients can check with '''ns-cert-type server'''. build-dh creates the Diffie-Hellman pem file that the server needs; its size comes from KEY_SIZE in vars, which is 1024 in this version and should be raised to 2048 before sourcing vars (the file is then named dh2048.pem, so adjust the '''dh''' directive in the server configuration accordingly). Don't enter a challenge password or company name when you set these up.<br />
./build-ca<br />
./build-key-server <server-name><br />
./build-dh<br />
<br />
build-key (followed by a common client name) creates the certificate for a client. You can build as many as you need for different clients.<br />
./build-key client1<br />
All certificates are stored in /etc/openvpn/easy-rsa/keys. If you mess up, you can start all over by doing a ./clean-all. The CA private key (keys/ca.key) signs every server and client certificate and only needs to exist on the signing machine; do not copy it to the server or to clients.<br />
<br />
Copy the ca.crt, client1.crt and client1.key to client1, etc. over a secure connection.<br />
<br />
==Setting up the Server==<br />
Create the configuration file /etc/openvpn/openvpn.conf with one of the following contents, depending on how clients should authenticate.<br />
===Using PAM and passwords to authenticate===<br />
<pre><br />
port 1194<br />
proto udp<br />
dev tap<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh1024.pem<br />
server 192.168.56.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
;learn-address ./script<br />
client-to-client<br />
;duplicate-cn<br />
keepalive 10 120<br />
;tls-auth ta.key 0<br />
comp-lzo<br />
;max-clients 100<br />
;user nobody<br />
;group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
client-cert-not-required<br />
username-as-common-name<br />
plugin /usr/lib/openvpn/openvpn-auth-pam.so login<br />
</pre><br />
With '''client-cert-not-required''' the server no longer authenticates clients by certificate, so the PAM password is the only thing between anyone who can reach port 1194 and the VPN. Combine it with '''tls-auth''' (uncomment the line above and distribute ta.key) and strong passwords, or drop the directive and require client certificates as well.<br />
<br />
===Using certs to authenticate===<br />
<pre><br />
port 1194<br />
proto tcp<br />
dev tun<br />
<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh1024.pem<br />
<br />
server 10.8.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
# one status directive is enough; keep the file out of /tmp<br />
status /var/log/openvpn-status.log 10<br />
verb 3<br />
<br />
log-append /var/log/openvpn<br />
</pre><br />
<br />
===Routing traffic through the server===<br />
<br />
Append the following to your server's openvpn.conf configuration file:<br />
<pre><br />
push "dhcp-option DNS 192.168.1.1"<br />
push "redirect-gateway def1"<br />
</pre><br />
Change "192.168.1.1" to the DNS server the clients should use through the tunnel. The '''def1''' flag makes clients add the routes 0.0.0.0/1 and 128.0.0.0/1 via the VPN, which override the existing default route without deleting it, so the original route is restored cleanly when the tunnel goes down.<br />
<br />
Use an iptables rule for NAT forwarding:<br />
<pre><br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
</pre><br />
<br />
If all is well, make the changes permanent:<br />
<br />
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1<br />
<br />
<pre><br />
/etc/rc.d/iptables save<br />
</pre><br />
<br />
==Setting up the Client==<br />
===Password authentication===<br />
<pre><br />
client<br />
dev tap<br />
proto udp<br />
remote <address> 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-tun<br />
comp-lzo<br />
verb 3<br />
auth-user-pass passwd<br />
ca ca.crt<br />
</pre><br />
<br />
The passwd file referenced by auth-user-pass must contain exactly two lines:<br />
* first line: username<br />
* second line: password<br />
It holds a cleartext password, so restrict it to your user (chmod 600 passwd) and keep it out of backups and version control.<br />
<br />
<br />
===Certs authentication===<br />
<pre><br />
client<br />
remote <MYSERVER> 1194<br />
dev tun<br />
proto tcp<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
verb 2<br />
ca ca.crt<br />
cert client1.crt<br />
key client1.key<br />
comp-lzo<br />
</pre><br />
Copy three files from server to remote computer. <br />
ca.crt<br />
client1.crt<br />
client1.key<br />
<br />
Load the tun/tap module (as root):<br />
<pre><br />
modprobe tun<br />
</pre><br />
<br />
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf<br />
<br />
===DNS===<br />
The DNS servers used by the system are defined in '''/etc/resolv.conf'''. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':<br />
<pre><br />
#!/bin/bash<br />
#<br />
# Parses the DHCP options pushed by the OpenVPN server (exported as<br />
# foreign_option_N environment variables) and hands the nameservers<br />
# and search domains to openresolv.<br />
# To use, set it as 'up' and 'down' script in your openvpn *.conf<br />
# (requires script-security 2):<br />
#   up /usr/share/openvpn/update-resolv-conf<br />
#   down /usr/share/openvpn/update-resolv-conf<br />
#<br />
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk><br />
# and Chris Hanson<br />
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.<br />
#<br />
# 05/2006 chlauber@bnc.ch<br />
#<br />
# Example envs set from openvpn:<br />
# foreign_option_1='dhcp-option DNS 193.43.27.132'<br />
# foreign_option_2='dhcp-option DNS 193.43.27.133'<br />
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'<br />
<br />
# Do nothing if openresolv is not installed.<br />
[ -x /usr/sbin/resolvconf ] || exit 0<br />
<br />
case "$script_type" in<br />
<br />
up)<br />
  for optionname in ${!foreign_option_*} ; do<br />
    option="${!optionname}"<br />
    part1=$(echo "$option" | cut -d " " -f 1)<br />
    if [ "$part1" == "dhcp-option" ] ; then<br />
      part2=$(echo "$option" | cut -d " " -f 2)<br />
      part3=$(echo "$option" | cut -d " " -f 3)<br />
      if [ "$part2" == "DNS" ] ; then<br />
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"<br />
      fi<br />
      if [ "$part2" == "DOMAIN" ] ; then<br />
        # several pushed DOMAIN options become one search list<br />
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"<br />
      fi<br />
    fi<br />
  done<br />
  R=""<br />
  if [ "$IF_DNS_SEARCH" ] ; then<br />
    R="${R}search$IF_DNS_SEARCH<br />
"<br />
  fi<br />
  for NS in $IF_DNS_NAMESERVERS ; do<br />
    R="${R}nameserver $NS<br />
"<br />
  done<br />
  # register the VPN's resolvers under the tun/tap device name<br />
  echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"<br />
  ;;<br />
down)<br />
  /usr/sbin/resolvconf -d "${dev}.inet"<br />
  ;;<br />
esac<br />
<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
<pre><br />
script-security 2<br />
up /usr/share/openvpn/update-resolv-conf<br />
down /usr/share/openvpn/update-resolv-conf<br />
</pre><br />
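The script above trusts whatever the server pushes: every '''dhcp-option DNS''' or '''DOMAIN''' value goes straight to resolvconf and from there into resolv.conf. A rogue or compromised server can therefore hand out any resolver it likes, so it is worth validating the values first. The following is an added example for this page, not the wiki's script and not OpenVPN code. It reads the '''foreign_option_N''' variables OpenVPN exports to '''up''' scripts, keeps only well-formed nameserver addresses and search domains, and builds the resolv.conf text; when run under OpenVPN it hands that text to '''resolvconf -a "${dev}.inet"''' just like the shell script, otherwise it runs on a constructed sample environment (the page's 193.43.27.x addresses plus two bad values). Rejecting loopback and multicast resolvers is a policy choice of this example.<br />

```python
"""Validate dhcp-option values pushed by an OpenVPN server before they reach
resolv.conf.  Added example for this page, not the wiki's script nor OpenVPN
code.  OpenVPN exports pushed options to up/down scripts as foreign_option_N.
"""

import ipaddress
import os
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# One DNS label: 1-63 chars of [A-Za-z0-9-], neither starting nor ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of what OpenVPN puts in the environment of an up script.
SAMPLE_ENV = {
    "dev": "tap0",
    "script_type": "up",
    "foreign_option_1": "dhcp-option DNS 193.43.27.132",
    "foreign_option_2": "dhcp-option DNS 193.43.27.133",
    "foreign_option_3": "dhcp-option DOMAIN be.bnc.ch",
    "foreign_option_4": "dhcp-option DNS 193.43.27.132",  # duplicate, dropped silently
    "foreign_option_5": "dhcp-option DNS 127.0.0.1",      # rejected by policy
    "foreign_option_6": "dhcp-option DOMAIN evil$(id)",   # not a domain name
}


def valid_domain(name: str) -> bool:
    """True for a syntactically valid hostname / search domain."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def collect_foreign_options(env: Dict[str, str]) -> List[str]:
    """foreign_option_1, foreign_option_2, ... in order, stopping at the first gap."""
    values, n = [], 1
    while f"foreign_option_{n}" in env:
        values.append(env[f"foreign_option_{n}"])
        n += 1
    return values


def parse_dns_options(options: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split pushed options into (nameservers, search domains, rejected).

    Only 'dhcp-option DNS <ip>' and 'dhcp-option DOMAIN <name>' are used; other
    pushed options are ignored, malformed values are reported instead of written.
    """
    nameservers: List[str] = []
    search: List[str] = []
    rejected: List[str] = []
    for opt in options:
        parts = opt.split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue
        kind, value = parts[1].upper(), parts[2]
        if kind == "DNS":
            try:
                ip = ipaddress.ip_address(value)   # accepts IPv4 and IPv6
            except ValueError:
                rejected.append(opt)
                continue
            # Policy: a VPN must not point us at loopback, 0.0.0.0 or multicast.
            if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
                rejected.append(opt)
            elif str(ip) not in nameservers:
                nameservers.append(str(ip))
        elif kind == "DOMAIN":
            if valid_domain(value):
                if value not in search:
                    search.append(value)
            else:
                rejected.append(opt)
    return nameservers, search, rejected


def resolvconf_text(nameservers: List[str], search: List[str]) -> str:
    """resolv.conf fragment in the form 'resolvconf -a' expects on stdin."""
    lines = ["search " + " ".join(search)] if search else []
    lines += [f"nameserver {ns}" for ns in nameservers]
    return "".join(line + "\n" for line in lines)


def build_from_env(env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Everything together: environment in, (resolv.conf text, rejected options) out."""
    nameservers, search, rejected = parse_dns_options(collect_foreign_options(env))
    return resolvconf_text(nameservers, search), rejected


if __name__ == "__main__":
    env = dict(os.environ) if "script_type" in os.environ else SAMPLE_ENV
    iface = f"{env.get('dev', 'tap0')}.inet"
    text, rejected = build_from_env(env)
    for opt in rejected:
        print(f"ignoring pushed option: {opt!r}", file=sys.stderr)
    if env is SAMPLE_ENV:
        print(text, end="")   # demo run: show what would be registered
    elif env.get("script_type") == "up":
        subprocess.run(["resolvconf", "-a", iface], input=text, text=True, check=True)
    elif env.get("script_type") == "down":
        subprocess.run(["resolvconf", "-d", iface], check=True)
```

Installed in place of the shell script (with '''script-security 2''' and the same '''up'''/'''down''' lines), it behaves identically for well-formed pushes and logs anything it refused to stderr, which OpenVPN forwards to its own log.<br />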
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
<br />
==Connecting to the Server==<br />
You need to start the service on the server<br />
<pre><br />
/etc/rc.d/openvpn start<br />
</pre><br />
You can add it to the DAEMONS array in rc.conf to make it permanent.<br />
<br />
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:<br />
<pre><br />
cd ~/.openvpn && sudo openvpn vpn1.conf<br />
</pre></div>Silversurfer https://wiki.archlinux.org/index.php?title=Pulse_Connect_Secure&diff=148961 Pulse Connect Secure 2011-07-13T22:19:23Z<p>Silversurfer: add category Category:VPN (English)</p>
<hr />
<div>[[Category: Networking (English)]]<br />
[[Category:VPN (English)]]<br />
=HOWTO instructions=<br />
<br />
Here's what I did to connect to the Juniper VPN at my company:<br />
<br />
References:<br />
[http://www.gentoo-wiki.info/HOWTO_Juniper_SSL_Network_Connect_VPN Gentoo Wiki Archives]<br />
<br />
#Get [http://www.archlinux.org/packages/search/?q=jre JRE]<br />
#Get the really old GCC libs<br />
##Either with [https://aur.archlinux.org/packages.php?ID=27768 gcc3] and [https://aur.archlinux.org/packages.php?ID=2299 gcc2]<br />
##If you're lazy like me or just can't get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from Gentoo with this PKGBUILD:<br />
<pre><br />
# Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu><br />
pkgname=lib-compat<br />
pkgver=1.4.1<br />
pkgrel=1<br />
pkgdesc="Gentoo lib compat for old programs only available in binary"<br />
arch=('i686')<br />
url="http://www.gentoo.org/"<br />
source=(ftp://ftp.ibiblio.org/pub/linux/distributions/gentoo/distfiles/${pkgname}-${pkgver}.tar.bz2)<br />
md5sums=('ec4a4528295b5879ad055e44c4a6d463')<br />
<br />
build() {<br />
  cd "$srcdir/${pkgname}-${pkgver}/x86"<br />
<br />
  # Install /lib files<br />
  mkdir -p "$pkgdir/lib"<br />
  mv ld-linux.so.1* "$pkgdir/lib"<br />
<br />
  # Install /usr/lib files<br />
  mkdir -p "$pkgdir/usr/lib"<br />
  mv *.so* "$pkgdir/usr/lib"<br />
<br />
  # Fix files: give the two old libstdc++ builds distinct real names and<br />
  # recreate the sonames that old binaries look for as symlinks<br />
  cd "$pkgdir/usr/lib"<br />
  mv -f libstdc++-libc6.2-2.so.3 libstdc++-3-libc6.2-2-2.10.0.so<br />
  ln -s libstdc++-3-libc6.2-2-2.10.0.so libstdc++-libc6.2-2.so.3<br />
  mv -f libstdc++-libc6.1-1.so.2 libstdc++-2-libc6.1-1-2.9.0.so<br />
  ln -s libstdc++-2-libc6.1-1-2.9.0.so libstdc++-libc6.1-1.so.2<br />
  ln -s libstdc++.so.2.8.0 libstdc++.so.2.8<br />
  ln -s libstdc++.so.2.7.2.8 libstdc++.so.2.7.2<br />
  ln -s libg++.so.2.7.2.8 libg++.so.2.7.2<br />
  rm -f libstdc++.so.2.9.dummy libstdc++.so.2.9.0<br />
  rm -f libsmpeg-0.4.so.0.dummy<br />
}<br />
</pre><br />
<br />
#Get the smelly old Motif libs<br />
##Install lesstif. Then symlink to fool the system that it's motif like they say in the Gentoo wiki.<br />
##Sadly I wasn't able to get it work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this work.<br />
#Get su to work. The installer uses xterm to ask for the root password. So do either of the following:<br />
##Install [http://www.archlinux.org/packages/extra/i686/xterm/ xterm]<br />
##Set up your user to be able to su without a password (search for the instructions); this weakens local security considerably, so prefer the xterm route.<br />
#Do "sudo modprobe tun". You'll need to do it every time before you connect. So you might want to setup the tun module to be autoloaded at start up to save you time and trouble.<br />
<br />
=Troubleshooting=<br />
<br />
There are many things that can go wrong. Please share your experience here if there's something non-obvious that wasted you weeks to track down so that others can save their time. ;-)<br />
<br />
==It keeps saying password incorrect==<br />
First of all, make sure the username and password are actually correct. ;-) Check caps lock, etc. If you swear it's correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.<br />
<br />
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.<br />
<br />
One thing that had me scratching my head for months is an incorrect charset. Juniper IVE apparently does not support UTF-8. For some reason, my "intl.charset.default" setting in "about:config" for Firefox was UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want, but make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.<br />
<br />
Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.<br />
<br />
==I can login but Network Connect won't launch==<br />
#Check your JRE<br />
#Go to ".juniper_networks/network_connect" in your home directory.<br />
#Check that ncsvc is setuid root. Fix it if not.<br />
#ldd ncsvc and see if there're any missing libraries<br />
#Follow instructions [http://www.juniperforum.com/index.php/topic,2043.0.html here] to run it from command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there's anything wrong.<br />
<br />
==Network Connect launched but the VPN doesn't work==<br />
Run "route" or "ip route" and see if the route is there. Network Connect has a diagnosis tool in the GUI. You can also check the logs (also available in the GUI).<br />
<br />
If it initially works but stops working later on, see caveat below.<br />
<br />
=Caveats=<br />
/etc/resolv.conf will get overwritten every once in a while by dhcpcd, so your VPN will stop working eventually. If that happens, just restart Network Connect. There is no known solution to the problem, but there is a discussion on the Red Hat bugs website about it. We need to somehow teach dhcpcd the concept of merging configs and being a good neighbor; openresolv, described in the DNS section of [[OpenVPN]], is the usual way to let several programs share resolv.conf.<br />
<br />
Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.<br />
<br />
=Alternative Method=<br />
<br />
Another method to get Juniper VPN to work on 64-bit Arch Linux is suggested here for your reference. I use this method to connect to my university's VPN network.<br />
<br />
The key reference:<br />
http://wireless.siu.edu/install-ubuntu-64.htm<br />
<br />
==Basics==<br />
<br />
The key issue is that the 64-bit Java plugin does not work with the Juniper software (Firefox, Sun Java JRE).<br />
<br />
One way around this is to install an alternative version of Java and link its Firefox plugin manually. This saves us the trouble of dealing with a chroot environment, as suggested on other sites.<br />
<br />
These are the steps I follow:<br />
<br />
I have Firefox and Sun Java JRE installed. I assume the system is 64-bit Arch Linux.<br />
<br />
1.) Install xterm:<br />
<br />
pacman -S xterm<br />
<br />
2.) Install a custom 64-bit Java<br />
<br />
Go to http://www.java.com/en/download and select the Linux x64 version.<br />
<br />
Decide on a location for the installation, extract the binary and put it in the desired location, and make the binary executable with<br />
chmod +x << binary >><br />
<br />
Finally, run it to install Java.<br />
<br />
3.) Install the custom 32-bit Java<br />
<br />
Again, go to http://www.java.com/en/download; this time, select the Linux (self-extracting) option.<br />
<br />
Extract the new binary to the same location created above, make it executable, and run the binary. It will ask whether you want to replace the existing files with the 32-bit ones. '''Type "A" to overwrite all the 64-bit files with the 32-bit ones.'''<br />
<br />
4.) Link the library<br />
<br />
The relevant library for Firefox is libnpjp2.so. To link it:<br />
<br />
ln -s << location of java you installed above >>/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so<br />
<br />
Firefox 5 looks in /usr/lib/mozilla/plugins for plugins, instead of ~/.mozilla/plugins as in previous versions.</div>Silversurferhttps://wiki.archlinux.org/index.php?title=PPTP_Client&diff=148960PPTP Client2011-07-13T22:18:51Z<p>Silversurfer: add category Category:VPN (English)</p>
<hr />
<div>[[Category:VPN (English)]]<br />
<br />
pptpclient is a program implementing the Microsoft PPTP protocol. As such, it can be used to connect to a Microsoft VPN network provided by a school or workplace.<br />
<br />
== Installing PPTPClient ==<br />
<br />
pptpclient is provided by the pptpclient package and can be installed by running:<br />
<br />
# pacman -S pptpclient<br />
<br />
== Configure ==<br />
<br />
To configure pptpclient you will need to collect the following information from your network administrator:<br />
<br />
* The IP or hostname of the VPN server<br />
* The name you wish to use for the tunnel.<br />
* The authentication (Windows) domain name. This is not provided or needed for certain networks.<br />
* The username you will use to connect.<br />
* The password you will use to connect.<br />
<br />
=== Edit The Options File ===<br />
<br />
With your favorite text editor open /etc/ppp/options.pptp. This file enables a lot of security for your VPN connection by default. If you have trouble connecting to your network, you can relax the options. At minimum, your options.pptp file should contain:<br />
<br />
<pre><br />
lock<br />
noauth<br />
nobsdcomp<br />
nodeflate<br />
</pre><br />
<br />
=== Edit the Chap-Secrets File ===<br />
<br />
Next, open or create the /etc/ppp/chap-secrets file. We will be storing your password in this file, so make sure that the permissions are set such that no-one besides root can read this file. The file should have the following format:<br />
<br />
<pre><br />
<DOMAIN>\\<USERNAME> PPTP <PASSWORD> *<br />
</pre><br />
<br />
Or, if your connection does not require a domain:<br />
<br />
<pre><br />
<USERNAME> PPTP <PASSWORD> *<br />
</pre><br />
<br />
Simply replace each bracketed term in the samples with the appropriate value. Note that if your password contains a special character such as "$" you should place the password in double-quotes.<br />
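<br />
A small check for the two requirements just stated, as an added example that is not part of the wiki page: the file must not be readable by anyone but root, and each entry must have the four fields pppd expects (client, server, secret, IP). The function name check_chap_secrets is this example's own, and the path is a parameter so the check can be exercised on a temporary copy; the live file is /etc/ppp/chap-secrets.<br />

```sh
#!/bin/sh
# Added example, not part of the wiki page: sanity-check a pppd
# chap-secrets file before relying on it.

check_chap_secrets() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

    # Octal permission bits (GNU stat; BSD stat as a fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        *00) ;;                      # group and other bits are all clear
        *)  echo "$f: mode $mode lets non-root users read the secrets" >&2
            return 1 ;;
    esac

    # Every non-blank, non-comment line must have exactly four fields:
    # "<client> <server> <secret> <ip>". A quoted secret containing
    # spaces would be split by this simple tokenizer and reported, so
    # treat such a report as "inspect by hand" rather than "broken".
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        NF != 4 {
            bad++
            printf "line %d: %d fields, expected 4\n", NR, NF > "/dev/stderr"
        }
        END { exit (bad > 0) }
    ' "$f" || return 1

    echo "$f: ok"
    return 0
}

# Check the path given on the command line, e.g. the live file as root.
if [ $# -eq 1 ]; then
    check_chap_secrets "$1"
fi
```

Run it as root against /etc/ppp/chap-secrets after editing; a non-zero exit means either the permissions are too open (fix with chmod 600) or a line does not have the shape pppd expects.<br />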
<br />
=== Name Your Tunnel ===<br />
<br />
With your favorite text editor create a /etc/ppp/peers/<TUNNEL> file, where <TUNNEL> is the name you wish to use for your VPN connection. The file should look like this:<br />
<br />
<pre><br />
pty "pptp <SERVER> --nolaunchpppd"<br />
name <DOMAIN>\\<USERNAME><br />
remotename PPTP<br />
require-mppe-128<br />
file /etc/ppp/options.pptp<br />
ipparam <TUNNEL><br />
</pre><br />
<br />
{{Note|As before, if your connection does not require a domain, omit "<DOMAIN>\\" from the file you create}}<br />
<br />
{{Note|The remotename value, PPTP, is used to find <PASSWORD> in the chap-secrets file.}}<br />
<br />
Where <SERVER> is the remote address of the VPN server, <DOMAIN> is the domain your user belongs to, <USERNAME> is the name you will use to connect to the server, and <TUNNEL> is the name of the connection.<br />
<br />
{{Note|If you do not need MPPE support, you should remove the require-mppe-128 option from this file and from /etc/ppp/options.pptp}}<br />
<br />
== Making Your Connection ==<br />
<br />
To make sure that everything is configured properly, as root execute:<br />
<br />
# pon $TUNNEL debug dump logfd 2 nodetach<br />
<br />
If everything has been configured correctly, the pon command should not terminate. Once you are satisfied that it has connected, you can terminate the command.<br />
<br />
{{Note|As an additional verification you can run ifconfig -a and ensure that a new device ppp0 is available}}<br />
<br />
To connect to your tunnel normally, simply execute:<br />
<br />
# pon <TUNNEL><br />
<br />
Where <TUNNEL> is the name of the tunnel you established earlier. Note that this command should be run as root.<br />
<br />
=== Routing ===<br />
<br />
Once you have connected to your VPN you should be able to interact with anything available on the VPN server. To access anything on the remote network, you need to add a new route to your routing table.<br />
<br />
{{Note|Depending on your configuration you may need to re-add the routing information every time you connect to your VPN}}<br />
<br />
For more information on how to add routes you can read this article, which has many more examples: [http://pptpclient.sourceforge.net/routing.phtml PPTP Routing Howto]<br />
<br />
==== Selective Routing ====<br />
<br />
For me, packets with a destination of my VPN's network should be routed through the VPN connection. To do this you create the route:<br />
<br />
# route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0<br />
<br />
This will route all the traffic with the destination of 192.168.10.xxx through your VPN connection.<br />
<br />
==== Route All Traffic ====<br />
<br />
It may be desirable to route all traffic through your VPN connection. You can do this by running:<br />
<br />
# route add default dev ppp0<br />
<br />
{{Note|Routing all traffic through the VPN can result in slower overall connection speed.}}<br />
<br />
== Disconnecting ==<br />
<br />
To disconnect from your VPN simply execute:<br />
<br />
# poff <TUNNEL><br />
<br />
Where <TUNNEL> is the name of your connection.<br />
<br />
== Making A VPN Daemon and Connecting On Boot==<br />
<br />
You can create a simple daemon for your VPN connection by creating an appropriate rc.d script:<br />
<br />
{{Note|As always <TUNNEL> is the name of your tunnel. <ROUTING COMMAND> is the command you use to add the appropriate route to the route table.}}<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
. /etc/rc.conf<br />
. /etc/rc.d/functions<br />
<br />
DAEMON=<TUNNEL>-vpn<br />
ARGS=<br />
<br />
[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON<br />
<br />
case "$1" in<br />
  start)<br />
    stat_busy "Starting $DAEMON"<br />
    # updetach: block until the link is up; persist: reconnect on failure<br />
    pon <TUNNEL> updetach persist &> /dev/null && <ROUTING COMMAND> &>/dev/null<br />
    if [ $? = 0 ]; then<br />
      add_daemon $DAEMON<br />
      stat_done<br />
    else<br />
      stat_fail<br />
      exit 1<br />
    fi<br />
    ;;<br />
  stop)<br />
    stat_busy "Stopping $DAEMON"<br />
    # same tunnel name as in the start branch<br />
    poff <TUNNEL> &>/dev/null<br />
    if [ $? = 0 ]; then<br />
      rm_daemon $DAEMON<br />
      stat_done<br />
    else<br />
      stat_fail<br />
      exit 1<br />
    fi<br />
    ;;<br />
  restart)<br />
    $0 stop<br />
    sleep 1<br />
    $0 start<br />
    ;;<br />
  *)<br />
    echo "usage: $0 {start|stop|restart}"<br />
    ;;<br />
esac<br />
</pre><br />
<br />
<br />
Note that we call pon in the script with two additional options: updetach and persist. updatech makes pon block until the connection has been established; persist makes pppd automatically reconnect if the link fails. To connect at boot, add @<TUNNEL>-vpn to the end of the DAEMONS array in rc.conf.<br />
<br />
== Remarks ==<br />
<br />
You can find more information about configuring pptpclient on its website: [http://pptpclient.sourceforge.net/ pptpclient website]. The contents of this article were adapted from their Ubuntu How-To, which also provides some hints on how to do things such as connecting on boot. These examples should be easy to adapt into daemons or other scripts to help automate your configuration.</div>Silversurferhttps://wiki.archlinux.org/index.php?title=Openswan_L2TP/IPsec_VPN_client_setup&diff=148959Openswan L2TP/IPsec VPN client setup2011-07-13T22:18:07Z<p>Silversurfer: changed the category VPN</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:VPN (English)]]<br />
{{i18n|L2TP/IPsec VPN client setup}}<br />
<br />
L2TP/IPsec is a secure Virtual Private Network solution that is well supported on many different platforms.<br />
<br />
This article aims to describe, in a HOWTO-like fashion, how to configure and use an L2TP/IPsec client on Arch Linux. It covers the installation and setup of several software packages. One of the packages is only available in the AUR, so knowledge of how to build and install AUR packages on your system is required; I will not cover how to do that.<br />
<br />
This guide is primarily for clients connecting to a Windows Server machine. It uses some settings that are specific to the Microsoft implementation of L2TP/IPsec.<br />
<br />
==Installation==<br />
<br />
Execute the following commands as a superuser to install the required software packages to setup the VPN connection.<br />
<br />
#pacman -S xl2tpd<br />
#pacman -U http://repo.x-demon.org/archlinux/os/i686/openswan-2.6.31-1-i686.pkg.tar.xz<br />
<br />
Some additional software dependencies may be required; pacman will discover them during dependency resolution.<br />
<br />
==Configuration==<br />
===OpenSwan===<br />
<br />
Edit {{Filename|/etc/[[ipsec.conf]]}}: It should contain the following lines:<br />
<pre><br />
config setup<br />
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br />
    nat_traversal=yes<br />
    protostack=netkey<br />
    oe=no<br />
    # Replace eth0 with your network interface<br />
    plutoopts="--interface=eth0"<br />
<br />
conn L2TP-PSK<br />
    authby=secret<br />
    pfs=no<br />
    auto=add<br />
    keyingtries=3<br />
    dpddelay=30<br />
    dpdtimeout=120<br />
    dpdaction=clear<br />
    rekey=yes<br />
    ikelifetime=8h<br />
    keylife=1h<br />
    type=transport<br />
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)<br />
    left=192.168.1.101<br />
    leftnexthop=%defaultroute<br />
    leftprotoport=17/1701<br />
    # Replace IP address with your VPN server's IP<br />
    right=68.68.32.79<br />
    rightprotoport=17/1701<br />
</pre><br />
This file contains the basic information needed to establish a secure IPsec tunnel to the VPN server. It enables NAT Traversal, which is needed if your machine is behind a NAT router (most are), along with various other options necessary to connect correctly to the remote IPsec server. Note that the parameters of each section must be indented, as shown. The next file contains your PSK for the server.<br />
<br />
Create the file {{Filename|/etc/[[ipsec.secrets]]}}: It should contain the following line:<br />
<br />
<pre><br />
192.168.1.101 68.68.32.79 : PSK "your_pre_shared_key"<br />
</pre><br />
<br />
Remember to replace the local (192.168.1.101) and remote (68.68.32.79) IP addresses with the correct numbers for your location. The pre-shared key will be supplied by the VPN provider and has to be placed in this file in cleartext, so keep the file readable by root only.<br />
<br />
At this point the IPsec configuration is complete and we can move on to the L2TP configuration.<br />
<br />
===xl2tpd===<br />
<br />
Edit {{Filename|/etc/xl2tpd/[[xl2tpd.conf]]}}: It should resemble the following:<br />
<br />
<pre><br />
[lac vpn-connection]<br />
lns = 68.68.32.79<br />
ppp debug = yes<br />
pppoptfile = /etc/ppp/options.l2tpd.client<br />
length bit = yes<br />
</pre><br />
<br />
This file configures xl2tpd with the connection name, the server IP address (which, again, you must change to your server's address) and various options that will be passed to pppd once the tunnel is set up.<br />
<br />
Now modify {{Filename|/etc/ppp/[[options.l2tpd.client]]}}:<br />
<br />
<pre><br />
ipcp-accept-local<br />
ipcp-accept-remote<br />
refuse-eap<br />
require-mschap-v2<br />
noccp<br />
noauth<br />
idle 1800<br />
mtu 1410<br />
mru 1410<br />
defaultroute<br />
usepeerdns<br />
debug<br />
lock<br />
connect-delay 5000<br />
name your_vpn_username<br />
password your_password<br />
</pre><br />
<br />
Place your assigned username and password for the VPN server in this file; since it holds the password in cleartext, keep it readable by root only. Many of these options are for interoperability with Windows Server L2TP servers.<br />
<br />
This concludes the configuration of the software needed to connect to an L2TP/IPsec server. To start the connection, do the following:<br />
<br />
<pre><br />
/etc/rc.d/openswan start<br />
/etc/rc.d/xl2tpd start<br />
ipsec auto --up L2TP-PSK<br />
echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control<br />
</pre><br />
<br />
At this point the tunnel is up and you should be able to see the interface for it if you type:<br />
<br />
#ifconfig<br />
<br />
You should see a pppX device that represents the tunnel. Right now, nothing is going to get routed through it. You need to add some routing rules to make it work right.<br />
<br />
==Routing==<br />
===Routing traffic to a single IP address through the tunnel===<br />
This is as easy as adding a routing rule to your kernel table:<br />
<br />
#route add xxx.xxx.xxx.xxx gw yyy.yyy.yyy.yyy eth0<br />
<br />
Replace xxx.xxx.xxx.xxx with the IP address of the server that you wish to communicate with through the tunnel, and yyy.yyy.yyy.yyy with the remote IP of your PPP connection. The remote IP of a PPP connection can be discovered by issuing:<br />
<br />
#ifconfig<br />
<br />
and reading the P-t-P address for the PPP interface that corresponds to your tunnel.<br />
<br />
===Routing all traffic through the tunnel===<br />
This is a lot more complex, but all your traffic will travel through the tunnel. Start by adding a special route for the actual VPN server through your current gateway:<br />
<br />
#route add 68.68.32.79 gw 192.168.1.1 eth0<br />
<br />
This will ensure that once the default gateway is changed to the ppp interface that your network stack can still find the VPN server by routing around the tunnel. If you miss this step you will lose connectivity to the Internet and the tunnel will collapse. Now add a default route that routes to the PPP remote end:<br />
<br />
#route add default gw yyy.yyy.yyy.yyy eth0<br />
<br />
The remote PPP end can be discovered by following the step in the previous section. Now, to ensure that ALL traffic is routed through the tunnel, delete the original default route:<br />
<br />
#route delete default gw 192.168.1.1 eth0<br />
<br />
To restore your system to the previous state, you can reboot or reverse all of the above steps.<br />
<br />
==Tips and Tricks==<br />
<br />
===Script start up and shut down===<br />
<br />
You can create some scripts, either in your home directory or elsewhere (remember where you put them), to bring up the tunnel and then shut it back down.<br />
<br />
First, a utility script to automatically discover PPP distant ends: getip.sh<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
/sbin/ifconfig $1 | grep "P-t-P" | gawk -F: '{print $2}' | gawk '{print $1}'<br />
</pre><br />
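<br />
The same job done with iproute2 instead of ifconfig, as an added example that is not part of the wiki page (current Arch installs ip rather than net-tools). ppp_peer_from_ip parses the one-line output of "ip -o -4 addr show dev <iface>" read from standard input, and ppp_peer queries the live system; both names are this example's own, and the SAMPLE line is constructed to match that output format for testing.<br />

```sh
#!/bin/sh
# Added example, not from the page: discover the PPP peer ("P-t-P")
# address with iproute2 instead of ifconfig.

# ppp_peer_from_ip: read `ip -o -4 addr show` lines on stdin and print the
# peer address, with the /32 prefix removed, for the first line that has one.
ppp_peer_from_ip() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if ($i == "peer") {
                    sub("/.*$", "", $(i + 1))   # strip the prefix length
                    print $(i + 1)
                    exit
                }
        }
    '
}

# ppp_peer IFACE: query the running system (e.g. ppp_peer ppp0).
ppp_peer() {
    ip -o -4 addr show dev "$1" | ppp_peer_from_ip
}

# Constructed sample of `ip -o -4 addr show dev ppp0` output, for testing.
SAMPLE='5: ppp0    inet 10.8.0.6 peer 10.8.0.5/32 scope global ppp0\       valid_lft forever preferred_lft forever'

if [ $# -eq 1 ]; then
    ppp_peer "$1"
fi
```

In startvpn.sh this replaces the backtick call to ./getip.sh: PPP_GW_ADD=$(ppp_peer ppp0). An interface without a peer address (an ordinary Ethernet interface, or a PPP link that has not finished IPCP yet) yields empty output, which is the case to test for before touching the default route.<br />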
<br />
Next, the script to bring the tunnel up. This will replace the default route, so all traffic will pass via the tunnel: startvpn.sh<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
/etc/rc.d/openswan start<br />
sleep 2 # delay to ensure that IPsec is started before overlaying L2TP<br />
/etc/rc.d/xl2tpd start<br />
/usr/sbin/ipsec auto --up L2TP-PSK<br />
/bin/echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control<br />
sleep 2 # delay again to make sure that the PPP connection is up<br />
PPP_GW_ADD=`./getip.sh ppp0`<br />
<br />
# host route to the VPN server first, then swap the default route<br />
route add 68.68.32.79 gw 192.168.1.1 eth0<br />
route add default gw $PPP_GW_ADD<br />
route delete default gw 192.168.1.1<br />
</pre><br />
<br />
Finally, the shutdown script, which simply reverses the process: stopvpn.sh<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
/usr/sbin/ipsec auto --down L2TP-PSK<br />
/bin/echo "d vpn-connection" > /var/run/xl2tpd/l2tp-control<br />
/etc/rc.d/xl2tpd stop<br />
/etc/rc.d/openswan stop<br />
<br />
route delete 68.68.32.79 gw 192.168.1.1 eth0<br />
route add default gw 192.168.1.1<br />
</pre><br />
<br />
===AUR link for the OpenSwan package===<br />
<br />
OpenSwan can be found on the AUR at:<br />
<br />
* http://aur.archlinux.org/packages.php?ID=31826<br />
<br />
==External links==<br />
<br />
* http://openswan.org/<br />
* http://www.xelerance.com/software/xl2tpd/<br />
* http://strongvpn.com/forum/viewtopic.php?pid=1844/<br />
<br />
==Acknowledgements==<br />
<br />
I would like to thank phaoost from the StrongVPN forums for his initial guide to setup L2TP/IPsec on Linux, for without, this article would certainly not be possible.</div>Silversurferhttps://wiki.archlinux.org/index.php?title=Hamachi&diff=148958Hamachi2011-07-13T22:09:53Z<p>Silversurfer: introduction, wikipedia link, proprietary software</p>
<hr />
<div>[[Category:Networking (English)]]<br />
<br />
=Introduction=<br />
[http://en.wikipedia.org/wiki/Hamachi_%28software%29 Hamachi] is a proprietary (closed source) freeware VPN software. With Hamachi you can organize two or more computers with an Internet connection into their own virtual network for direct secure communication.<br />
<br />
=External Links=<br />
<br />
'''Hamachi public networks for popular Games : [http://www.hamachi.cz www.hamachi.cz]'''<br />
<br /><br />
English translate : '''[http://www.eng.hamachi.cz www.eng.hamachi.cz]'''<br />
<br /><br />
Individual help : '''[http://www.forum.hamachi.cz www.Forum.hamachi.cz]'''<br />
<br />
=Initial Configuration=<br />
<br />
To run Hamachi you need /dev/net/tun. <br />
<br />
This is created by the tun module. As root run,<br />
<pre><br />
modprobe tun<br />
</pre><br />
<br />
Or you can manually create /dev/net/tun by running...<br />
<pre><br />
mkdir /dev/net<br />
mknod /dev/net/tun c 10 200<br />
</pre><br />
<br />
Also, make sure to add the "tun" module to rc.conf so that /dev/net/tun is created the next time your computer boots.<br />
<br />
<pre><br />
MODULES=(... ... ... ... ... tun ... ... ...)<br />
</pre><br />
<br />
=Download And Install Hamachi=<br />
==From the AUR==<br />
Hamachi is available in the AUR, [http://aur.archlinux.org/packages.php?do_Details=1&ID=3709&O=0&L=0&C=0&K=hamachi&SB=&SO=&PP=25&do_MyPackages=0&do_Orphans=0&SeB=nd here].<br />
<br />
Download the package, untar it, and run...<br />
<br />
<pre><br />
makepkg<br />
</pre><br />
<br />
in the hamachi directory that is created.<br />
<br />
<br />
Then add the package with...<br />
<br />
<pre><br />
pacman -A hamachi-(package version)<br />
</pre><br />
<br />
<br />
Now as root run...<br />
<pre><br />
tuncfg<br />
</pre><br />
<br />
<br />
Finally, run hamachi-init<br />
<pre><br />
hamachi-init<br />
</pre><br />
<br />
==Manual installation==<br />
Or you can get it manually.<br />
<br />
Head to [http://files.hamachi.cc/linux/ hamachi.cc] and download their linux client.<br />
<br />
Untar it <br />
<pre><br />
tar zxvf hamachi-x.x.x-x.tar.gz<br />
</pre><br />
<br />
Compile:<br />
<pre><br />
cd hamachi-x.x.x-x<br />
make install<br />
</pre><br />
<br />
And run tuncfg:<br />
<pre><br />
cd tuncfg<br />
./tuncfg<br />
</pre><br />
<br />
Run hamachi-init<br />
<pre><br />
$hamachi-init<br />
</pre><br />
And that's the installation.<br />
<br />
==Version 2 beta==<br />
<br />
Version 2 of the Linux Hamachi client exists, and is currently in beta. It is available from the AUR under the name ''logmein-hamachi'', or from [https://secure.logmein.com/US/labs/ the labs page on the hamachi website].<br />
<br />
=Running Hamachi=<br />
Start up the (matt) daemon<br />
<pre><br />
$hamachi start<br />
</pre><br />
Now you have a whole bunch of commands at your disposal. These are in no particular order, and are fairly self-explanatory.<br />
<br />
<pre><br />
$hamachi set-nick bob<br />
$hamachi login<br />
$hamachi create my-net secretpassword<br />
$hamachi go-online my-net<br />
$hamachi list<br />
$hamachi go-offline my-net<br />
</pre><br />
<br />
To get a list of all the commands just run:<br />
<pre><br />
$hamachi ?<br />
</pre><br />
<br />
'''Note:''' Make sure you change the status of the channel(s) you are in to online if you want to perform any network actions on computers in there.<br />
<br />
==As a Daemon==<br />
<br />
You can run hamachi as a daemon this way:<br />
<br />
Copy your configuration to ''/root'' directory:<br />
<br />
<pre><br />
cp -R ~/.hamachi /root/<br />
</pre><br />
<br />
Create a script in ''/etc/rc.d/'' called ''hamachi'' using your preferred editor:<br />
<br />
<pre><br />
#!/bin/bash<br />
<br />
. /etc/rc.conf<br />
. /etc/rc.d/functions<br />
<br />
DAEMON=/usr/bin/hamachi<br />
NAME=hamachi<br />
DESC="Hamachi VPN client"<br />
PID_FILE=/var/run/daemons/hamachi<br />
<br />
case "$1" in<br />
  start)<br />
    # Check for running tuntap, start it when not running<br />
    ck_daemon tuntap && /etc/rc.d/tuntap start<br />
    stat_busy "Starting $DESC"<br />
    $DAEMON -c /root/.hamachi $1 > /dev/null<br />
    if [ $? -gt 0 ]; then<br />
      stat_fail<br />
    else<br />
      add_daemon $NAME<br />
      stat_done<br />
    fi<br />
    ;;<br />
  stop)<br />
    stat_busy "Stopping $DESC"<br />
    [ -f $PID_FILE ] && $DAEMON -c /root/.hamachi $1 > /dev/null<br />
    if [ $? -gt 0 ]; then<br />
      stat_fail<br />
    else<br />
      rm_daemon $NAME<br />
      stat_done<br />
    fi<br />
    ;;<br />
  restart)<br />
    $0 stop<br />
    $0 start<br />
    ;;<br />
  *)<br />
    echo "usage: $0 {start|stop|restart}"<br />
    ;;<br />
esac<br />
exit 0<br />
</pre><br />
<br />
Remember to add ''hamachi'' to your ''DAEMONS'' array in ''/etc/rc.conf''; it should be placed after ''tuntap''.<br />
<br />
And don't forget to: <br />
<br />
<pre><br />
chmod +x /etc/rc.d/hamachi<br />
</pre><br />
<br />
=GUI=<br />
Various GUI frontends to hamachi are available in the AUR.<br />
<br />
For hamachi 1:<br />
<br />
*haguichi (Gtk2, mono)<br />
*ghamachi (Gtk2)<br />
*hamachi-hui (Gtk2)<br />
<br />
For hamachi 2 beta:<br />
<br />
*quamachi (Qt4)<br />
<br />
=Troubleshooting=<br />
==If Hamachi times out soon after launch==<br />
If hamachi stops working after a short period of time, the client may be timing out. Create ~/.hamachi/config and add the following to it:<br />
<br />
<pre><br />
KeepAlive 10<br />
</pre><br />
<br />
==If you have problem connecting to some hosts==<br />
Check if they are using Hamachi2; if so, this is a known issue with the Hamachi2 client connecting to the Hamachi Linux client.<br />
<br />
==If ''/etc/init.d/logmein-hamachi'' is not found==<br />
Replace this with ''/etc/rc.d/logmein-hamachi''.</div>Silversurfer