How-to: install smeserver-openvpn-bridge (en)

Tuesday 24 October 2006, by daniel@firewall-services.com

Author: daniel
Tested on: SME server v7.0
Date: 06.12.2006
Release: 1.0-3

1° OpenVPN Server Configuration

Fresh Installation (skip this part if you are upgrading)

Step 1: Download the contrib and the dependencies


[root@sme home]# wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm
[root@sme home]# wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/openvpn-2.0.7-1.el4.rf.i386.rpm
[root@sme home]# wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/lzo-1.08-4.2.el4.rf.i386.rpm

Step 2: Install the rpms


[root@sme home]# yum localinstall ./*.rpm

Step 3: Configure the daemon

Now, with your web browser, go to server-manager -> OpenVPN-Server-Bridge. You will be asked for some information, and when you click on apply, all the necessary certificates will be generated.

Now you can enable the service and change some of the configuration. Don’t forget to enter a valid address range or the daemon won’t start. You will also have to choose an authentication method; the next chapter deals with this. Then you just have to save, and the service should be ready a few seconds later.

Upgrading from 1.0xx (skip this part if you’ve done a fresh installation)

Step 1: Download and upgrade the contrib


[root@sme home]# rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm

Step 2: Restart the service

With your web browser, go to server-manager->OpenVPN-Server-Bridge and just click on the apply link.

Upgrading from beta5 (skip this part if you’ve done a fresh installation)

Step 1: Download the contrib:


[root@sme home]# wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-1update.noarch.rpm

Note: the rpm for the upgrade is called smeserver-openvpn-bridge-fws-1.0-1update.noarch.rpm. It is the same as smeserver-openvpn-bridge-fws-1.0-1.noarch.rpm, but it doesn’t reset the parameters to their defaults.

Step 2: Install the rpm


[root@sme home]# yum localinstall smeserver-openvpn-bridge-fws-1.0-1update.noarch.rpm

Step 3: Upgrade to the latest


[root@sme home]# rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm

Step 4: Restart the service

With your web browser, go to server-manager->OpenVPN-Server-Bridge and just click on the apply link.

2° Authentication method

This chapter explains the different authentication methods. If you choose a method which needs a login/password (1, 3 or 4), you must enable VPN access for each user who should connect (server-manager->users), or they won’t be able to log in.

- method 1: No certificate, just login/password. This method is not very secure. If you choose it, you really should use strong passwords for every user who has VPN access. The advantage of this method is that it is very simple: just enable VPN access in the users page. You can generate a certificate if you want to see a sample configuration file.

- method 2: One certificate per client, no login asked. This method allows you to set one certificate per client. No login/password is asked for. You can generate a certificate with a specific IP, and the client who uses it will get the chosen IP.

- method 3: One certificate for all the clients, login/password asked. This is the way users were authenticated in earlier releases (beta 1, 2 and 3). You generate just one certificate (leave the IP field blank) that you copy onto all your clients. They will then be prompted for their login/password. This provides medium security.

- method 4: One certificate per client, login/password asked. This is the recommended authentication method: you generate one certificate per client (with a fixed IP if you want). For each client, the common name of the certificate must be the same as the client's login. (There is no verification of this for now, but I’m working on it.)
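The common name check that method 4 calls for, as an added example that is not part of the contrib: a shell function meant to be called from an OpenVPN auth-user-pass-verify script run with via-env, where OpenVPN exports the login as `username` and the certificate common name as `common_name`. The function names and the allowed character set for logins are assumptions.

```shell
#!/bin/sh
# Added example: bind the client certificate to the login (method 4).
# With "auth-user-pass-verify <script> via-env", OpenVPN exports the
# login as $username and the certificate common name as $common_name.

# Return 0 only if the certificate CN equals the login exactly.
cn_matches_login() {
    login=$1
    cn=$2
    # A missing CN must never match an empty login.
    [ -n "$login" ] && [ -n "$cn" ] || return 1
    # Assumed account-name alphabet; anything else is refused so that
    # spaces or control characters never reach logs or later lookups.
    case $login$cn in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Whole-string, case-sensitive comparison (no prefix matching).
    [ "$login" = "$cn" ]
}

# Hook body: run this before the password check and deny on failure.
verify_binding() {
    if cn_matches_login "${username:-}" "${common_name:-}"; then
        return 0
    fi
    # Log a sanitized copy of both values, never the password.
    safe_login=$(printf '%s' "${username:-}" | tr -cd 'A-Za-z0-9._-')
    safe_cn=$(printf '%s' "${common_name:-}" | tr -cd 'A-Za-z0-9._-')
    echo "openvpn-auth: CN '$safe_cn' does not match login '$safe_login'" >&2
    return 1
}

# In the verify script itself:  verify_binding || exit 1
```

A non-zero exit status from the verify script makes OpenVPN reject the login, so a user holding another client's certificate cannot authenticate with their own password.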

3° Client configuration

For Windows 2K/XP clients, download the OpenVPN GUI at http://openvpn.se/files/install_pac... and install it.

Then go to the certificate manager and click on the corresponding display link. On this page, you can download the ca.crt, client.crt, client.key and ta.key files. Put these files in the C:\Program Files\OpenVPN\config folder and create a new text file called VPN.ovpn in the same C:\Program Files\OpenVPN\config folder. Copy the generated config into this file and save it.

The client installation is now complete, and the user will be prompted upon login for the username and password (if you chose an authentication method which needs a login/password).

If you see a problem in this how-to, please mail me at daniel@firewall-services.com