Addressing and DNS problems

kiwijuice
OpenVpn Newbie
Posts: 19
Joined: Tue Apr 05, 2011 7:41 am

Re: Some questions about PPTP

Post by kiwijuice » Wed Apr 06, 2011 3:07 pm

Bypass-dns option doesn't work.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Some questions about PPTP

Post by janjust » Wed Apr 06, 2011 3:11 pm

the openvpn server can push out a new DNS server, but the linux clients don't pick it up automatically; you'll need an openvpn plugin or script like 'update-resolv-conf' for that (or use NetworkManager, which also does it for you, IIRC)


Re: Some questions about PPTP

Post by kiwijuice » Wed Apr 06, 2011 3:16 pm

Ouch, I didn't understand well.

On my client I use Network Manager, and it manages my DHCP and my resolv.conf.
> or use NetworkManager, which also does it for you
Do I have to do anything?
The problem is that clients will be on every OS (Linux, Windows, OS X...), so I will try update-resolv-conf.

EDIT: there's no resolv.conf to update on Windows.

I saw in the /etc/openvpn server folder that there is an "update-resolv-conf". I will check that. Thanks again.


Re: Some questions about PPTP

Post by janjust » Wed Apr 06, 2011 3:27 pm

you'd have to select the right option in NetworkManager to use the DNS server settings from the VPN.
To make sure it works, first edit the /etc/resolv.conf file by hand and check whether DNS then works; there's no need to install/update update-resolv-conf if that does not work first.


Re: Some questions about PPTP

Post by kiwijuice » Wed Apr 06, 2011 3:54 pm

Editing resolv.conf manually works.

In Network Manager, I suppose that the option to change is in "VPN"? Because everything is grey, the VPN does not appear.

I tried update-resolv-conf a little. It didn't work, I will try more tomorrow. Have a nice evening ;)


Re: Some questions about PPTP

Post by kiwijuice » Thu Apr 07, 2011 8:03 am

To fix the problem, I will tell clients to configure their network cards without automatic DNS, by selecting, for example in Network Manager, "Automatic Address Only (DHCP)".

Like that, I can configure Linux, XP, and Mac OS clients. Thanks to you ;)


Re: Addressing and DNS problems

Post by janjust » Thu Apr 07, 2011 8:22 am

if you use

Code:

    push "dhcp-option DNS a.b.c.d"

the Windows and Tunnelblick clients will pick it up automatically.

Linux clients using NetworkManager can also be configured to pick them up, if your NetworkManager is new enough (0.8+).
The "default" NetworkManager-openvpn plugin with "IPv4 Settings: Automatic (VPN)" picks up the DNS servers supplied by my VPN server automatically.
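As an added example (not the update-resolv-conf script shipped with OpenVPN, and not code from this thread): a POSIX sh function doing what such an up script has to do for the push "dhcp-option DNS ..." mentioned above. OpenVPN exports each pushed dhcp-option to its --up script as foreign_option_1, foreign_option_2, ...; the function turns DNS and DOMAIN entries into resolv.conf lines and refuses anything that does not look like an IPv4 address, since a pushed value comes from the server and should not be written blindly. The foreign_option values in demo() are constructed.

```shell
#!/bin/sh
# Build resolv.conf content from the foreign_option_N variables OpenVPN
# sets for an --up script. Runs in a subshell so set -f and the loop
# variables do not leak into the caller.
resolv_from_foreign_options() (
    set -f                      # no globbing when word-splitting options
    i=1
    domains=""
    while true; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break  # OpenVPN numbers them contiguously
        set -- $opt             # e.g. dhcp-option DNS 10.8.0.1
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)
                    # Only a dotted-quad style value is written out;
                    # anything else (empty, letters, shell syntax) is dropped.
                    case "$3" in
                        *[!0-9.]*|"") ;;
                        *) printf 'nameserver %s\n' "$3" ;;
                    esac ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
)

# Constructed sample of what OpenVPN exports when the server pushes
#   push "dhcp-option DNS 10.8.0.1"
#   push "dhcp-option DOMAIN example.test"
#   push "dhcp-option DNS 10.8.0.2"
demo() (
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN example.test"
    foreign_option_3="dhcp-option DNS 10.8.0.2"
    resolv_from_foreign_options
)

# A real up script would redirect demo-style output to /etc/resolv.conf
# (or hand it to resolvconf) and restore the original in the down script.
demo
```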


Re: Addressing and DNS problems

Post by kiwijuice » Thu Apr 07, 2011 8:32 am

If we give the same client.crt and client.key to all our users, will that work?

EDIT: I didn't see your message. I will try.


Re: Addressing and DNS problems

Post by janjust » Thu Apr 07, 2011 8:47 am

that is possible, but not advisable.
If you add

Code:

    duplicate-cn

to your server config you can re-use the same cert+key for all users, but you will also lose the ability to determine which client is doing what. You would also lose the ability to revoke the certificate for a particular client, should it be compromised (e.g. a laptop is stolen).


Re: Addressing and DNS problems

Post by kiwijuice » Thu Apr 07, 2011 9:26 am

Ok
> to determine which client is doing what
That's not important because the users are students in computing, and will just mount homes via VPN and LDAP authentication to access their files. Logs will be in LDAP.
> You would also lose the ability to revoke the certificate for a particular client, should it be compromised (e.g. a laptop is stolen).
But that's problematic.

I will try to understand more about how certificates work, it's not clear in my mind.
Users can access a server via sftp and ssh from their homes; maybe put easy-rsa with "ca.crt" there and let them make their own private/public keys with a script that automatically copies *.crt to the openvpn server...

EDIT:

Actually my server has the private/public keys of client and server (server.crt server.key client.crt client.key). Logically, if I remove client.key and server.crt, it will still work.
The client has the private/public keys of the client only (client.crt client.key), but should it have client.key and server.crt?

So I think that my connection is now only encrypted and not signed... is there a test to know if the connection is encrypted, or encrypted and signed?
Last edited by kiwijuice on Thu Apr 07, 2011 10:06 am, edited 2 times in total.


Re: Addressing and DNS problems

Post by janjust » Thu Apr 07, 2011 10:02 am

if you're relying on ldap authentication then you can avoid using certificates altogether using

Code:

    client-cert-not-required

but then your only security is the username+password.

BTW, it's also possible to mount shares and run LDAP queries via SSH port forwarding, but that's off-topic ;)


Re: Addressing and DNS problems

Post by kiwijuice » Thu Apr 07, 2011 10:11 am

Look up, I edited my post.

I do a VPN because my boss tells me to do it :) It's the only idea we have now, but we will have others to exploit the VPN in the future.

And I will not do LDAP authentication via the VPN. When the VPN is connected, we will mount homes manually, like storage space, just to access files.

We will connect the VPN's clients on a VLAN "invited", so we don't know what we will do in the future. For now, we just want to make it "mechanically operational".


Re: Addressing and DNS problems

Post by janjust » Thu Apr 07, 2011 10:20 am

> Actually my server has the private/public keys of client and server (server.crt server.key client.crt client.key). Logically, if I remove client.key and server.crt, it will still work.
> The client has the private/public keys of the client only (client.crt client.key), but should it have client.key and server.crt?
>
> So I think that my connection is now only encrypted and not signed... is there a test to know if the connection is encrypted, or encrypted and signed?

the server needs:
* ca.crt
* server.crt
* server.key
the client needs:
* ca.crt
* client.crt
* client.key

otherwise the openvpn server and client will simply refuse to start.
As long as you're using the defaults (i.e. are NOT using 'cipher none') then your connections are encrypted and signed.
You can add more security using a 'tls-auth' key, which protects you from some DDoS type of attacks. However, as you are allowing random students to connect, the secrecy of the 'tls-auth' key (which is static and shared by all clients) is not good - hence you might as well leave it out.


Re: Addressing and DNS problems

Post by kiwijuice » Thu Apr 07, 2011 11:20 am

I use a tls-auth key ;)

Ok, but if I look at this schema, it's not logical. I've done encryption and signing with a Lotus Domino server for mail encryption, and client and server kept their own private key (*.key) and exchanged their public keys (*.crt)...

Like that:

[image]

That's to encrypt, and the inverse to sign?

I don't understand why client and server keep their own .crt and .key.

EDIT: oh, it's ca.key and ca.crt which make that work... ok, sorry.
