Solved

Openvpn questions

Posted on 2011-09-20
Last Modified: 2012-05-12
Hi,

I managed to make an OpenVPN connection from behind a proxy as well as over 3G. TCP is activated on the server as well as on the client and works pretty well.
However I do have some additional questions I would like to have an answer to in this ticket:

*Is the web admin page (see below) also possible for a Synology NAS?
http://openvpn.net/index.php/access-server/docs/admin-guides/143-how-to-configure-openvpn-as-with-admin-web-ui.html
I can SSH to my NAS, but how do I continue to install the web admin?

*Which traffic to route for the client: I just want the Internet and my home addresses to be routed; the work network should stay at work, of course? In other words: best practices.

*How much traffic does maintaining such a tunnel take?

*In the log file: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
How to disable this correctly?

Thanks,
J.
Question by:janhoedt
15 Comments

Expert Comment

by:simonlimon
ID: 36572599
Hm,

I think you can't access webadmin due to your browser proxy settings.

Can you add an exception for this website, or can you try disabling the proxy in IE or your browser of choice :)?
Or you can add an exception for the website in your browser of choice.

In IE this is:

- Internet Options,
- Connections,
- Lan Settings
- Advanced, add the exception at the bottom and restart the browser.


Author Comment

by:janhoedt
ID: 36572706
No, there is no proxy in between. I tried it on my LAN at home. There is no web page admin. Probably it is not implemented; I would like to do so.

Author Comment

by:janhoedt
ID: 36572817
I might have to open the port for the OpenVPN admin page on my NAS (within iptables)?
Don't know directly how to do that. This is the server config; admin should run on 1195 ....

SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
# Routes pushed to connecting clients: the home LAN and the VPN subnet itself
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

# Management interface, bound to localhost only
management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0

dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5
comp-lzo
persist-tun
persist-key
verb 3
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0

# Username/password checked by the RADIUS plugin; no client certificates required
plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
auth-user-pass

Author Comment

by:janhoedt
ID: 36572839
It's the firewall on Synology! However, I don't know how to change it.


DS> telnet 127.0.0.1 1195
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

Expert Comment

by:simonlimon
ID: 36573060
"management 127.0.0.1 1195"

Could this mean this service is only listening on the localhost?

Could you replace 127.0.0.1 with 0.0.0.0 - all IPs


Author Comment

by:janhoedt
ID: 36573136
When I connect to the IP of the NAS, I get connection refused, so it's listening on that port.
The output you request doesn't do anything.


DS> telnet 0.0.0.0 - all IPs
BusyBox v1.16.1 (2011-09-04 02:18:34 CST) multi-call binary.

Author Comment

by:janhoedt
ID: 36573185
When I put the IP of the NAS instead of 127.0.0.1 and restart, then go to the ip:1995 via web browser, I get this:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options
ERROR: unknown command, enter 'help' for more options

Expert Comment

by:simonlimon
ID: 36573480
So to be clear, when you start the tunnel, you cannot access the Openvpn admin remotely, with the original settings?

With regard to the error, could you post the line that you changed?

Author Comment

by:janhoedt
ID: 36573503
Correct.

I changed this: management 127.0.0.1 1195
to this: management ipofmynas 1195
Note: apparently the NAS runs iptables.

Couldn't it be that the admin page should be installed as an extra?

Expert Comment

by:simonlimon
ID: 36573509
I am not sure I understand this correctly:

*Which traffic to route for client: just want Internet and my home addresses to be routed, work network should stay at work of course? iow = best practises
Are you connecting to the office OpenVPN, or to the home OpenVPN from the office? Are you using OpenVPN bridged or tunneled?

*how much traffic maintaining such a tunnel takes?
I think there are only a few pings, unless you have mapped drives connected from the client to the NAS. Traffic will be greater then.

Author Comment

by:janhoedt
ID: 36573687
*Client: for testing purposes, I'm currently connected from the office to the home VPN (OpenVPN). I'm not sure if I use it bridged or tunneled; it's the default I use.
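For the split-tunnel question (route only the home LAN and the VPN subnet, leave the office network and, optionally, the Internet on the local path), what decides the outcome is the set of routes the server pushes plus ordinary longest-prefix matching on the client. The example below is added here and is not code from the thread, from Synology or from OpenVPN: it evaluates that decision for the two push sets a practitioner would compare, the thread's own two `push "route ..."` lines and the same plus `redirect-gateway def1`, which installs 0.0.0.0/1 and 128.0.0.0/1 so that all Internet traffic enters the tunnel while on-link networks still win on prefix length. The office LAN prefix 10.0.0.0/8 and the test destinations are assumptions for illustration.

```python
"""Which traffic an OpenVPN client sends into the tunnel, given the routes the
server pushes. Added example, not from the original thread; the push lines and
the sample destinations are constructed for illustration."""
import ipaddress
import shlex

# Constructed server-side push directives. The first two are the thread's home
# subnet and VPN subnet; "redirect-gateway def1" is the alternative for sending
# *all* traffic (including Internet) through the tunnel.
SPLIT_TUNNEL_PUSH = [
    'push "route 192.168.1.0 255.255.255.0"',
    'push "route 172.16.1.0 255.255.255.0"',
]
FULL_TUNNEL_PUSH = SPLIT_TUNNEL_PUSH + ['push "redirect-gateway def1"']


def tunnel_routes(push_lines):
    """Translate push directives into the prefixes routed via the tun interface.

    'redirect-gateway def1' installs 0.0.0.0/1 and 128.0.0.0/1, which beat the
    client's existing 0.0.0.0/0 default route on prefix length without
    replacing it (the real client also adds a /32 for the VPN server's public
    address via the old gateway so the tunnel itself does not loop; that host
    route is not modelled here)."""
    routes = []
    for line in push_lines:
        parts = shlex.split(line)  # -> ['push', 'route 192.168.1.0 255.255.255.0']
        if len(parts) != 2 or parts[0] != "push":
            raise ValueError(f"not a push directive: {line!r}")
        args = parts[1].split()
        if args[0] == "route":
            net, mask = args[1], args[2]
            routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        elif args[0] == "redirect-gateway":
            if "def1" in args[1:]:
                routes.append(ipaddress.ip_network("0.0.0.0/1"))
                routes.append(ipaddress.ip_network("128.0.0.0/1"))
            else:
                routes.append(ipaddress.ip_network("0.0.0.0/0"))
    return routes


def goes_through_tunnel(dest, push_lines, local_routes=("10.0.0.0/8",)):
    """Longest-prefix match: the tunnel wins for a destination only if the most
    specific matching route is one the VPN installed. `local_routes` stands for
    the client's own on-link networks (assumed office LAN 10.0.0.0/8)."""
    addr = ipaddress.ip_address(dest)
    best = (0, "local")  # the client's own 0.0.0.0/0 default route, prefix length 0
    for net in (ipaddress.ip_network(n) for n in local_routes):
        if addr in net and net.prefixlen > best[0]:
            best = (net.prefixlen, "local")
    for net in tunnel_routes(push_lines):
        if addr in net and net.prefixlen > best[0]:
            best = (net.prefixlen, "tunnel")
    return best[1] == "tunnel"


if __name__ == "__main__":
    for label, push in (("split tunnel", SPLIT_TUNNEL_PUSH), ("full tunnel", FULL_TUNNEL_PUSH)):
        for dest in ("192.168.1.10", "172.16.1.5", "8.8.8.8", "10.1.2.3"):
            path = "tunnel" if goes_through_tunnel(dest, push) else "local"
            print(f"{label:12} {dest:14} -> {path}")
```

With the thread's config as posted (the two `push "route"` lines, no redirect-gateway), only the home LAN and the VPN subnet cross the tunnel; Internet and office traffic stay on the office path. Adding `redirect-gateway def1` flips Internet traffic into the tunnel but still leaves the on-link office LAN local, because a /8 or /24 connected route is more specific than the two /1 routes.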

Expert Comment

by:hvillanu
ID: 36583800
Hi,

By default the management access is only on the local address (127.0.0.1). If you want to access it remotely without compromising your server security, change the listening IP to an address of the VPN tunnel.
I recommend that you use a fixed IP instead of a dynamic one (at least in your VPN client config) so you, and only you, have a valid IP to manage the server.

Also open the ports on the firewalls to reach it.

Hope this helps.
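The service the thread found on port 1195 is the openvpn daemon's `management` interface, a plain line-oriented text protocol and not a web page. The Access Server admin UI linked in the question belongs to OpenVPN's commercial Access Server product; the Synology package runs the community openvpn daemon, whose only remote control channel is this management socket. That is also why a browser pointed at the port gets one "ERROR: unknown command" line per line of the HTTP request it sends. The following is an added example, not code from the thread, from Synology or from OpenVPN: it drives such a socket the way a management client does. The server side is a constructed stand-in that imitates only the banner, the `status` reply layout and the error line, so the whole thing runs offline; the client list it returns is made up. Binding the real interface to anything other than 127.0.0.1, as suggested above, should go together with the optional password-file argument of the `management` directive and a firewall rule, because the interface otherwise accepts commands from anyone who can reach the port.

```python
"""Talk to the OpenVPN management interface the way a management client does,
and show why a browser pointed at that port only gets 'ERROR: unknown command'.
Added example, not from the thread. The server side is a constructed stand-in
that mimics the real interface's line protocol; it is NOT OpenVPN and only
answers 'status' and 'quit'. All data below is made up for illustration."""
import socket
import threading

BANNER = ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
# Constructed 'status' output in the version-1 layout the real interface uses.
FAKE_STATUS = (
    "OpenVPN CLIENT LIST\r\n"
    "Updated,Tue Sep 20 10:00:00 2011\r\n"
    "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\r\n"
    "jan,203.0.113.7:51234,18345,91201,Tue Sep 20 09:58:10 2011\r\n"
    "ROUTING TABLE\r\n"
    "Virtual Address,Common Name,Real Address,Last Ref\r\n"
    "172.16.1.6,jan,203.0.113.7:51234,Tue Sep 20 09:59:59 2011\r\n"
    "GLOBAL STATS\r\n"
    "Max bcast/mcast queue length,0\r\n"
    "END\r\n"
)


def fake_management_server(bind=("127.0.0.1", 0)):
    """Start a one-shot mock of the management interface in a background thread
    and return the port it listens on. Anything that is not a known command gets
    the same 'ERROR: unknown command' line the real daemon sends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(bind)
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(BANNER.encode())
            f = conn.makefile("rb")
            for raw in f:
                cmd = raw.decode(errors="replace").strip()
                if cmd == "status":
                    conn.sendall(FAKE_STATUS.encode())
                elif cmd == "quit":
                    break
                else:
                    conn.sendall(b"ERROR: unknown command, enter 'help' for more options\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def _read_response(f):
    """Collect reply lines until a terminator. 'END' closes a multi-line reply,
    'SUCCESS:'/'ERROR:' are single-line replies, and lines starting with '>' are
    asynchronous notifications that may arrive at any time and are skipped."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:  # peer closed the connection without a terminator
            return lines
        line = raw.decode(errors="replace").rstrip("\r\n")
        if line.startswith(">"):
            continue
        lines.append(line)
        if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
            return lines


def management_command(port, cmd, host="127.0.0.1"):
    """Open the management socket, consume the banner, send one command and
    return its reply lines. Works against the mock above or a real daemon."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        f.readline()  # the >INFO banner the user saw in telnet
        s.sendall((cmd + "\r\n").encode())
        reply = _read_response(f)
        s.sendall(b"quit\r\n")
    return reply


def parse_status(lines):
    """Pull (common name, real address) pairs out of a version-1 'status' reply."""
    clients, in_clients = [], False
    for line in lines:
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if in_clients:
            if line == "ROUTING TABLE":
                break
            fields = line.split(",")
            if len(fields) == 5 and fields[0] != "Common Name":
                clients.append((fields[0], fields[1]))
    return clients


if __name__ == "__main__":
    # What a browser effectively does: send an HTTP request line to the socket.
    print(management_command(fake_management_server(), "GET / HTTP/1.1"))
    # What a management client does instead.
    print(parse_status(management_command(fake_management_server(), "status")))
```

Run against a real daemon, `management_command(1195, "status")` from the NAS itself (or from a VPN client address, if the interface is bound to the tunnel IP) returns the connected-client table that the thread was looking for in a web UI; the HTTP request line produces exactly the repeated error the browser showed.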

Author Comment

by:janhoedt
ID: 36585361
OpenVPN works great, except for the management of OpenVPN. No firewall is blocking, since no firewall appears to be active on the NAS (there is one on my router). Same result when I connect on the LAN instead of over OpenVPN.
Please advise.

Accepted Solution

by:janhoedt (earned 0 total points)
ID: 36717223
Adding tcp-client and setting proxy to manual solved the issue.

Author Closing Comment

by:janhoedt
ID: 36902190
Nobody provided an answer.