Re: vpnc or openvpn

by Robert G. Brown

On Tue, 11 Mar 2008, Michael Ansel wrote:

>> On Mon, 10 Mar 2008, Michael Ansel wrote:
>>
>>> So, in the interest of all Duke-Linux users, is there any University
>>> policy preventing us from setting up an openvpn server that uses the
>>> Kerberos to authenticate users? Maybe set a bandwidth cap so you don't
>>> top your personal 5G upload limit? Or, set one up, and then convince the
>>> University to sanction it and remove the upload limit...
>
>
> Okay, so hard at work trying to figure this one out, but not exactly
> sure where to go. I'm trying to eliminate client-side certificates and
> only use a local authentication module (currently set to allow any
> user/pass, but that can be replaced with pam-krb5). However, something
> is failing at the final routing stage (after I'm all connected). I can
> ping 10.8.0.1, but nothing else. I'm turning the firewall back on for
> now, so you won't be able to connect to my box, but if somebody wants to
> work on it tomorrow, I'll be happy to open the VPN port up for you to
> check it out.

Client side certs or preshared keys are your friend -- they are one of
the only good things about ipsec (mixed in with the many, many bad
things, like the fact that a bug crashes the kernel and an exploit gives
the cracker an instant root shell).  There's a cute little article here:

  http://www.linux.com/feature/48330?page=2

that reviews many of them, and touts the significant benefits of having
an actual client that can be wrapped up with certificates.  Remember,
Duke CAN arrange to distribute the certificates through a netid-secured
channel.

    rgb

> Thanks, and hope we can get this set up and working soon!
>
> Michael
>
>
>
> Server config (server.ovpn): http://pastebin.com/m597d6e5
> Server commandline: openvpn --auth-user-pass-verify /bin/true via-file
> --config server.ovpn
>
> Client commandline: openvpn --client --auth-user-pass --dev tap --ca
> /home/mra13/ca.crt --remote michael-nas.dorm.duke.edu --comp-lzo
> route del default ; route add default 10.8.0.10
> 10.8.0.10 is the remote end of the PTP link according to the client output.
>
> Server Output:
> Tue Mar 11 01:34:01 2008 152.3.66.208:1194 MULTI: bad source address
> from client [152.3.66.208], packet dropped
> ....

--
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
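As an added illustration of the certificate-based setup rgb recommends (not the thread's own config, which was only linked on pastebin): an OpenVPN server configuration that requires a client certificate signed by the site CA and additionally checks the user/password through PAM, where pam_krb5 supplies the Kerberos check Michael mentions. The weak directives from the test setup are shown commented out for contrast; file names, the 10.8.0.0/24 pool and the plugin path are assumptions.

```conf
# server.conf: OpenVPN server with certificate + PAM (Kerberos) authentication
# (added example; file names, subnet and plugin path are assumptions)
port 1194
proto udp
dev tun                        # routed tun interface instead of tap
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0 # HMAC on the control channel; unsigned packets are dropped early

# Address pool: each client is assigned a 10.8.0.x address the server associates with it
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"   # pushes the default route instead of a hand-typed "route add default"

# First factor: the client must present a certificate signed by ca.crt.
# That is the default; the weak opposite, for reference, would be:
#   client-cert-not-required
remote-cert-tls client         # only accept certificates carrying the TLS client EKU

# Second factor: user/password checked by PAM (pam_krb5 on the server).
# Replaces the placeholder verifier that accepted any credentials:
#   auth-user-pass-verify /bin/true via-file
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# /etc/pam.d/openvpn (assumed path) read by the plugin above:
#   auth     required pam_krb5.so
#   account  required pam_krb5.so

# Drop privileges after setup; keep keys and the tunnel across restarts
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
```

With the routed layout the server knows which pool address it handed each client, which is the association behind the "MULTI: bad source address from client" check that was dropping packets in the quoted server output.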

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug