Solved

Openvpn questions

Posted on 2011-09-20
610 Views
Last Modified: 2012-05-12
Hi,

I managed to make an OpenVPN connection from behind a proxy as well as over 3G. TCP is activated on the server as well as on the client and works pretty well.
However I do have some additional questions I would like to have an answer to in this ticket:

*Is Webadmin page (see below) also possible for Synology NAS?
http://openvpn.net/index.php/access-server/docs/admin-guides/143-how-to-configure-openvpn-as-with-admin-web-ui.html
I can ssh to my nas, but how to continue to install the webadmin?

*Which traffic to route for the client: I just want Internet and my home addresses to be routed, the work network should stay at work of course? iow = best practices

*How much traffic does maintaining such a tunnel take?

*in logfile: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
How to disable this correctly?

Thanks,
J.
Question by:janhoedt

15 Comments
 
LVL 10

Expert Comment

by:simonlimon
ID: 36572599
Hm,

I think you can't access webadmin due to your browser proxy settings.

Can you add an exception for this website, can you try disabling the proxy in IE or your browser of choice :)?
Or you can add an exception for the website in your browser of choice?

In IE this is:

- Internet Options,
- Connections,
- Lan Settings
- Advanced, add exception on the bottom restart browser.

0
 

Author Comment

by:janhoedt
ID: 36572706
No, there is no proxy in between. I tried it on my lan at home. There is no webpage admin. Probably it is not implemented, I would like to do so.
0
 

Author Comment

by:janhoedt
ID: 36572817
I might have to open the port for openvpn admin page on my NAS (within iptables)?
Don't know directly how to do that, this is the server config, admin should run on 1195 ....

SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0

dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

auth-user-pass
0
 

Author Comment

by:janhoedt
ID: 36572839
It's the firewall on Synology! However, I don't know how to change it.


DS> telnet 127.0.0.1 1195
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
0
 
LVL 10

Expert Comment

by:simonlimon
ID: 36573060
"management 127.0.0.1 1195"

Could this mean this service is only listening on the localhost?

Could you replace 127.0.0.1 with 0.0.0.0 - all IPs

0
 

Author Comment

by:janhoedt
ID: 36573136
When I connect to the IP of the NAS, I get connection refused, so it's listening on that port.
The output you request doesn't do anything.


DS> telnet 0.0.0.0 - all IPs
BusyBox v1.16.1 (2011-09-04 02:18:34 CST) multi-call binary.
0
 

Author Comment

by:janhoedt
ID: 36573185
When I put the ip of the NAS instead of 127.0.0.1 and restart, go to the ip:1995 via webbrowser, I get this:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
0

 
LVL 10

Expert Comment

by:simonlimon
ID: 36573480
So to be clear, when you start the tunnel, you cannot access the Openvpn admin remotely, with the original settings?

With regard to the error, could you post the line that you changed?
0
 

Author Comment

by:janhoedt
ID: 36573503
Correct.

I changed this: management 127.0.0.1 1195
to this management ipofmynas 1195
Note: apparently the NAS runs iptables

Couldn't it be the adminpage should be installed extra?
0
 
LVL 10

Expert Comment

by:simonlimon
ID: 36573509
I am not sure I understand this correctly:

*Which traffic to route for client: just want Internet and my home addresses to be routed, work network should stay at work of course? iow = best practises
You are connecting to the to office Openvpn or to home openvpn from the office? Are you using Openvpn bridged or tunneled?

*how much traffic maintaining such a tunnel takes?
I think there are only a few pings, unless you have mapped drives connected from the client to the NAS. Traffic will be greater then.
0
 

Author Comment

by:janhoedt
ID: 36573687
*Client: for testing purposes, I'm currently connected from the office to the home VPN (OpenVPN). I'm not sure if I use it bridged or tunneled, it's the default I use.
0
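The routing question above (which destinations should travel through the tunnel when connecting from the office to the home VPN) comes down to which networks the server pushes as routes. The following Python model is an added example, not code from the thread or from OpenVPN: it takes the two `push "route ..."` lines from the posted server config, a constructed office network and a few constructed destination addresses, and reports for each destination whether the client would send it over the tun device or leave it on the local office path. It also goes beyond the thread's case in two ways: it models `redirect-gateway def1` (all Internet traffic through the tunnel) as a pushed default route, and it flags the failure mode where the home network uses the same range as the office LAN, so the pushed route collides with the directly connected one.

```python
"""Model which destinations an OpenVPN client sends through the tunnel.

Added example, not from the thread or from OpenVPN. It approximates the
client's routing decision as longest-prefix match between the routes the
server pushes (via tun) and the networks the client is directly connected
to (local). `redirect-gateway def1` really installs 0.0.0.0/1 and
128.0.0.0/1; here it is modelled as a single default route, which gives
the same answer for any single destination.
"""
import ipaddress

# The two routes pushed by the server config posted in the thread.
PUSHED_ROUTES = [
    'route 192.168.1.0 255.255.255.0',
    'route 172.16.1.0 255.255.255.0',
]

# Constructed sample values: an office LAN and a few destinations.
OFFICE_LAN = [ipaddress.ip_network("10.20.0.0/16")]
SAMPLE_DESTINATIONS = {
    "home NAS": "192.168.1.10",
    "tunnel gateway": "172.16.1.1",
    "office file server": "10.20.0.5",
    "public web site": "198.51.100.7",  # TEST-NET-2, stands in for the Internet
}


def parse_pushed_routes(lines):
    """Turn `route NET MASK` / `redirect-gateway ...` lines into networks."""
    nets = []
    for line in lines:
        parts = line.strip().strip('"').split()
        if not parts:
            continue
        if parts[0] == "redirect-gateway":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def via_tunnel(dest, tunnel_nets, local_nets=()):
    """Return 'tun', 'local' or 'conflict' for one destination address.

    Longest prefix wins. If a pushed route and a directly connected network
    match with the same prefix length (home and office both 192.168.1.0/24,
    a common situation), the outcome depends on the OS and is reported as
    'conflict' rather than guessed.
    """
    ip = ipaddress.ip_address(dest)
    candidates = [(n.prefixlen, "tun") for n in tunnel_nets if ip in n]
    candidates += [(n.prefixlen, "local") for n in local_nets if ip in n]
    if not candidates:
        return "local"  # no route pushed for it: stays on the normal default path
    best = max(prefixlen for prefixlen, _ in candidates)
    paths = {path for prefixlen, path in candidates if prefixlen == best}
    return paths.pop() if len(paths) == 1 else "conflict"


def plan(destinations, route_lines, local_nets=()):
    """Map each named destination to the path it would take."""
    nets = parse_pushed_routes(route_lines)
    return {name: via_tunnel(addr, nets, local_nets) for name, addr in destinations.items()}


if __name__ == "__main__":
    print("split tunnel (only pushed routes):")
    for name, path in plan(SAMPLE_DESTINATIONS, PUSHED_ROUTES, OFFICE_LAN).items():
        print(f"  {name:20s} -> {path}")
    print("full tunnel (redirect-gateway def1):")
    full = PUSHED_ROUTES + ["redirect-gateway def1"]
    for name, path in plan(SAMPLE_DESTINATIONS, full, OFFICE_LAN).items():
        print(f"  {name:20s} -> {path}")
```

With only the pushed routes, the home NAS and the tunnel gateway go through the tunnel and everything else (office server, Internet) stays local, which is the split-tunnel behaviour the question asks for; adding `redirect-gateway def1` moves Internet traffic into the tunnel but leaves the directly connected office LAN local because its prefix is more specific.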
 
LVL 5

Expert Comment

by:hvillanu
ID: 36583800
Hi,

By default the management access is only on the local address (127.0.0.1). If you want to access it remotely without compromising your server security, change the listening IP to an address of the VPN tunnel.
I recommend that you use a fixed IP instead of a dynamic one (at least in your vpn-client config) so you and only you have a valid IP to manage the server.

Also open the ports on the firewalls to reach it.

Hope it helps
0
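The advice above (keep the management interface off the LAN, bind it to a tunnel address if remote access is needed) and the `auth-nocache` warning from the original question can both be checked mechanically. The script below is an added example, not part of the thread and not from OpenVPN or Synology: it parses the directive lines of an openvpn.conf, classifies where the `management` directive listens (loopback, a tunnel address taken from the `server` line, a LAN address, or all interfaces) and whether a password file (the optional third argument of `management`) or `management-client-auth` protects it, and for a client config reports whether `auth-user-pass` is used without `auth-nocache`. The sample server config is reduced from the one posted in the thread; the client config is constructed. The management interface speaks its own line protocol (the `>INFO:` banner and `ERROR: unknown command` lines seen in the thread are its replies to a browser's HTTP request); the admin web UI the question links to belongs to OpenVPN Access Server, a different product, which is why no such page exists on the NAS.

```python
"""Audit an openvpn.conf for management-interface exposure and auth-nocache.

Added example, not from the thread, OpenVPN or Synology. The directive
names used (`management HOST PORT [pw-file]`, `management-client-auth`,
`server`, `auth-user-pass`, `auth-nocache`) are real OpenVPN options.
"""
import ipaddress
import shlex

# Reduced from the server config posted in the thread.
SAMPLE_SERVER_CONF = """\
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun
management 127.0.0.1 1195
server 172.16.1.0 255.255.255.0
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
"""

# Constructed client config: uses a username/password but no auth-nocache.
SAMPLE_CLIENT_CONF = """\
client
dev tun
proto tcp-client
remote vpn.example.invalid 1194
auth-user-pass
"""


def parse_directives(text):
    """Return [(name, [args]), ...] for each non-empty, non-comment line."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def tunnel_network(directives):
    """The tunnel subnet from `server NET MASK`, or None if absent."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def audit_management(directives):
    """Describe the management listener: scope, protection and a finding."""
    mgmt = [args for name, args in directives if name == "management"]
    if not mgmt:
        return {"present": False, "finding": "no management interface configured"}
    args = mgmt[0]
    bind, port = args[0], int(args[1])
    pw_file = args[2] if len(args) > 2 else None
    protected = pw_file is not None or any(n == "management-client-auth" for n, _ in directives)
    try:
        ip = ipaddress.ip_address(bind)
    except ValueError:
        scope = "other"  # hostname or unix socket: not classified here
    else:
        tun = tunnel_network(directives)
        if ip.is_loopback:
            scope = "loopback"
        elif ip.is_unspecified:
            scope = "all"
        elif tun is not None and ip in tun:
            scope = "tunnel"
        else:
            scope = "lan"
    if scope == "loopback":
        finding = "reachable only from the NAS itself (use an SSH port forward for remote use)"
    elif protected:
        finding = f"reachable via {scope} address, password protected"
    else:
        finding = f"EXPOSED: reachable via {scope} address with no password; add a pw-file or management-client-auth"
    return {"present": True, "bind": bind, "port": port, "scope": scope,
            "protected": protected, "finding": finding}


def missing_auth_nocache(directives):
    """True when a client uses auth-user-pass but does not set auth-nocache."""
    names = {name for name, _ in directives}
    return "auth-user-pass" in names and "auth-nocache" not in names


if __name__ == "__main__":
    print(audit_management(parse_directives(SAMPLE_SERVER_CONF))["finding"])
    print("client caches credentials in memory:",
          missing_auth_nocache(parse_directives(SAMPLE_CLIENT_CONF)))
```

Run against the thread's config the audit reports the loopback case, which matches what the poster observed: telnet to 127.0.0.1 gets the `>INFO:` banner, while the NAS's LAN address refuses the connection. Rebinding to the tunnel address makes the interface reachable only to connected VPN clients; rebinding to 0.0.0.0 without a password file is flagged as exposed.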
 

Author Comment

by:janhoedt
ID: 36585361
Openvpn works great, except for the management of the openvpn. No firewall is blocking since no firewall appears to be active on NAS (there is on my router). Same result when I connect on LAN instead of openvpn.
Please advise.
0
 

Accepted Solution

by:janhoedt (earned 0 total points)
ID: 36717223
Adding tcp-client and setting proxy to manual solved the issue.
0
 

Author Closing Comment

by:janhoedt
ID: 36902190
Nobody provided an answer.
0
