[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 16:59:22 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
Sun Sep 20 16:59:22 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 16:59:22 2009 Exiting
[root@localhost easy-rsa]#
Are you planning to log into the VPN server using MSN? Normally you would have the openvpn client (including software) wherein you specify the server name along with the port.
Regards,
--
Prasanta
No, I'll be using the VPN client but what I mean is that the port MSN uses must connect to the MSN server at some point on 1080? How can it do that if my VPN server does not have port 1080 open?
It will create a tunnel between the client and the server. The users logged in using VPN will be able to go out via the same rules that you have placed for your LAN. In case from your LAN, MSN is blocked, the same will be true for VPN clients also.
Regards,
--
Prasanta
But since I can't possibly know all the client ports and the software that they will be running, in order to allow a client to use the VPN, I would have to leave every port open on my server both outgoing and incoming. That's kind of dangerous.
Nope, you don't need to open each and every port. When a client logs in via VPN, services that are there in your LAN will only be accessible. As an example, in case you have blocked FTP for your LAN, a user connected via VPN will not be able to use FTP.
Regards,
--
Prasanta
So, could someone connected via VPN get into my SQL server and my server files?
I only want them to connect via VPN so they can have a country specific IP address. This is mainly for HTTP requests but there are some sites that the proxy server will not work for so they have to use VPN.
At present I have every outgoing port open so that would be okay but some servers respond on different ports incoming. How can a VPN be secure if many ports have to be open just for certain applications to work? If I have 100 clients using VPN, it is impossible for me to list all the different applications and ports that they could want to use, no? This then also opens up my server to someone trying to hack into it?
Yes, anyone connected via VPN can access your whole LAN, until you have put on some access restrictions for VPN users. As you have said, you can not keep track of each and every application that the client is using and open the port simultaneously. That defeats the purpose of using VPN. Normally, why will people use VPN? Most probable answer is to get data from the LAN and access things which are not accessible from the internet like the intranet website for an example. In case they want to use some application which you have restricted in your LAN, better ask them to log off from VPN and use their own Internet.
The sample server.conf file has a lot of parameters in it. Just open the file and check the required files. In your case, the Diffie-Hellman parameters are missing and hence it is throwing out an error. Just create those along with the certificates, and then start.
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
Your server.conf is sitting at /etc/openvpn/easy-rsa/, while dh1024.pem is sitting in another location. Just move it to the former and it should start.
Regards,
--
Prasanta
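Added example, not part of any post in this thread: a pre-flight check for the "Cannot open dh1024.pem" failure in the log above. It lists the key, certificate and DH files named in a server.conf that are not readable from the directory OpenVPN is started in, which is where relative paths in the config are resolved. The function names, the directive list and the sample file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check: report key/cert/DH files named in an OpenVPN config
# that are not readable from the directory OpenVPN will run in.

# missing_files CONFIG [BASEDIR]
# BASEDIR: directory openvpn is started from (default: current directory).
# Prints "directive path" per missing file; returns 1 if any is missing.
# Assumption: unquoted paths, one directive per line.
missing_files() {
    local conf="$1" base="${2:-$PWD}" rc=0 directive path rest
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh|tls-auth|crl-verify|pkcs12) ;;
            *) continue ;;                  # comments and other options
        esac
        [ -n "$path" ] || continue
        case $path in
            /*) ;;                          # absolute path: use as given
            *)  path=$base/$path ;;         # relative: resolved against BASEDIR
        esac
        if [ ! -r "$path" ]; then
            echo "$directive $path"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample: a config directory that holds the CA, certificate
# and key but no dh1024.pem, as in the log above (placeholder file names).
demo() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample config' 'port 1194' \
        'ca ca.crt' 'cert server.crt' 'key server.key' \
        'dh dh1024.pem' > "$dir/server.conf"
    : > "$dir/ca.crt"; : > "$dir/server.crt"; : > "$dir/server.key"
    # Same invocation pattern as the log: cd into the directory, then check.
    ( cd "$dir" && missing_files server.conf ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "pre-flight failed: fix the paths listed above before starting openvpn"
```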
Sorry for all the questions.
No, that didn't help either.