Merge lp:~markthomas/serverguide/serverguide-review-22.1 into lp:~ubuntu-core-doc/serverguide/saucy

Proposed by Mark Thomas
Status: Merged
Merged at revision: 152
Proposed branch: lp:~markthomas/serverguide/serverguide-review-22.1
Merge into: lp:~ubuntu-core-doc/serverguide/saucy
Diff against target: 137 lines (+40/-10)
1 file modified
serverguide/C/vpn.xml (+40/-10)
To merge this branch: bzr merge lp:~markthomas/serverguide/serverguide-review-22.1
Reviewer: Peter Matulis (review status: Approve)
Review via email: mp+173628@code.launchpad.net

Description of the change

This is an update to the OpenVPN page for the Ubuntu Server Guide, Saucy ed.

Minor enhancements to the Windows section:
- two installers are no longer necessary
- if not using user authentication, some of the options caused problems. This has been clarified.

Minor enhancements to server section:
- PAM module name and location have been updated.
- easy-rsa is now a separate package

Minor enhancements to client section:
- The key/cert file names produced with the easy-rsa script in the example did not match those in the template config file used. This has been clarified.

Tunnelblick section has not been tested--I do not have the means to test this.

All instances of /etc/init.d/networking restart have been replaced with "restart networking"
All instances of /etc/init.d/openvpn restart have been replaced with "service openvpn restart"

Peter Matulis (petermatulis) wrote :

So no upstart for openvpn yet?

Peter Matulis (petermatulis) wrote :

"- PAM module name and location have been updated."

I don't see any reference to PAM in your edit.

Doug Smythies (dsmythies) wrote :

I do not understand these comments:

"All instances of /etc/init.d/networking restart have been replaces with "restart networking"
All instances of /etc/init.d/openvpn restart have been replaced with "service openvpn restart""

With respect to the actual differences listed.

For the differences line 70 and 71, isn't the actual problem the typo where "network" should be "networking". Using "sudo service networking restart" would be consistent with the rest of the serverguide, that has just been changed over the last few revisions to consistently use "sudo service bla bla" throughout.

Mark Thomas (markthomas) wrote :

> So no upstart for openvpn yet?

Nothing in /etc/init.

Mark Thomas (markthomas) wrote :

> "- PAM module name and location have been updated."
>
> I don't see any reference to PAM in your edit.

Yes, it looks like that somehow wasn't saved/was reverted. I'll update with the new library path. Not sure how that happened.

Mark Thomas (markthomas) wrote :

> For the differences line 70 and 71, isn't the actual problem the typo where
> "network" should be "networking". Using "sudo service networking restart"
> would be consistent with the rest of the serverguide, that has just been
> changed over the last few revisions to consistently use "sudo service bla bla"
> throughout.

If that will be more consistent, I will implement that change.

151. By Mark Thomas <markthomas@ubuntu>

Reviewing sub-chapter 22.1, round 2

Peter Matulis (petermatulis) wrote :

All good. Thanks for helping.

review: Approve

Preview Diff

1=== modified file 'serverguide/C/vpn.xml'
2--- serverguide/C/vpn.xml 2013-04-26 03:32:19 +0000
3+++ serverguide/C/vpn.xml 2013-07-10 16:39:26 +0000
4@@ -32,7 +32,7 @@
5 To install <application>openvpn</application> in a terminal enter:
6 </para>
7 <screen>
8-<command>sudo apt-get install openvpn</command>
9+<command>sudo apt-get install openvpn easy-rsa</command>
10 </screen>
11
12 </sect2>
13@@ -72,7 +72,7 @@
14
15 <screen>
16 <command>mkdir /etc/openvpn/easy-rsa/</command>
17-<command>cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/</command>
18+<command>cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/</command>
19 </screen>
20
21 <para>
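Review bot: the two commands in this listing (lines 16 and 18) write under /etc/openvpn/ without sudo, while the install command at line 9 uses it. Unless the surrounding text already has the reader in a root shell, prefix both with sudo so the steps can be followed as written.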
22@@ -85,6 +85,10 @@
23 export KEY_CITY="Winston-Salem"
24 export KEY_ORG="Example Company"
25 export KEY_EMAIL="steve@example.com"
26+export KEY_CN=MyVPN
27+export KEY_NAME=MyVPN
28+export KEY_OU=MyVPN
29+
30 </programlisting>
31
32 <para>
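Review bot: the three exports added at lines 26-28 are unquoted while the existing KEY_* values just above them are quoted, and nothing in the hunk tells the reader what KEY_CN, KEY_NAME and KEY_OU are for or that MyVPN is a placeholder. Quote them for consistency, e.g. export KEY_CN="MyVPN", add a sentence before the listing, and drop the blank line added at line 29 so the listing does not end with an empty row.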
33@@ -259,6 +263,14 @@
34 </programlisting>
35
36 <para>
37+Also, make sure you specify the key file names you copied from the server
38+ </para>
39+<programlisting>
40+ca ca.crt
41+cert client1.crt
42+key client1.key
43+</programlisting>
44+ <para>
45 Now start the OpenVPN client:
46 </para>
47
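Review bot: the sentence added at line 37 has no closing punctuation and says "key file names" although the listing also sets the CA and client certificate; something like "Also, make sure you specify the certificate and key file names you copied from the server:" reads better. The programlisting tags at lines 39 and 43 start in column one while the neighbouring para tags are indented, so the indentation should be aligned as well.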
48@@ -320,6 +332,9 @@
49 Check your syslog, e.g. grep -i vpn /var/log/syslog
50 </para></listitem>
51 <listitem><para>
52+Check that you have specified the keyfile names correctly in client.conf and server.conf.
53+ </para></listitem>
54+ <listitem><para>
55 Can the client connect to the server machine? Maybe a firewall is blocking access? Check syslog on server.
56 </para></listitem>
57 <listitem><para>
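Review bot: line 52 writes "keyfile names" where line 37 of this same change uses "key file names"; pick one spelling. Since the item names two config files, it would also help to say which directives to look at (ca, cert and key, as in the listing added at lines 40-42).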
58@@ -333,7 +348,6 @@
59 </para></listitem>
60 </itemizedlist>
61
62-
63 </sect2>
64 <sect2 id="openvpn-advanced-config" status="review">
65 <title>Advanced configuration</title>
66@@ -457,7 +471,7 @@
67 Useful if you have centralized authentication with e.g. Kerberos.
68 </para>
69 <programlisting>
70-plugin /usr/lib/openvpn/openvpn-auth-pam.so login
71+plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
72 </programlisting>
73
74 <note> <para>
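Review bot: line 71 changes only the plugin's file name; the directory, /usr/lib/openvpn/, is the same as on the removed line 70, although the merge description says the module's location was updated as well. Please confirm the full path against the installed package (for example with dpkg -L openvpn) before this lands, because readers will copy this line verbatim into their server configuration.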
75@@ -526,7 +540,7 @@
76 At this point you need to restart networking. Be prepared that this might not work as expected and that you will lose remote connectivity. Make sure you can solve problems having local access.
77 </para>
78 <screen>
79-<command>sudo service network restart</command>
80+<command>sudo service networking restart</command>
81 </screen>
82
83 </sect4>
84@@ -605,6 +619,9 @@
85 <programlisting>
86 dev tap
87 ;dev tun
88+ca ca.crt
89+cert client1.crt
90+key client1.key
91 </programlisting>
92
93 <para>
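Review bot: lines 88-90 repeat the ca/cert/key lines already added to the client section at lines 40-42, inside a listing whose visible context is only about switching dev tun to dev tap. Either add a sentence saying why they are shown again here or refer back to the client configuration, so the two copies cannot drift apart.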
94@@ -667,7 +684,7 @@
95 add the OpenVPN's server
96 name as the 'Gateway', set 'Type' to 'Certificates (TLS)', point 'User Certificate'
97 to your user certificate, 'CA Certificate' to your CA certificate and 'Private Key'
98-to your private key file. Use the advanced button to enable compression or other
99+to your private key file. Use the advanced button to enable compression (e.g. comp-lzo), dev tap, or other
100 special settings you set on the server. Now try to establish your VPN.
101 </para>
102
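Review bot: in line 99, "enable compression (e.g. comp-lzo), dev tap, or other special settings" mixes a feature with literal option names, and "enable ... dev tap" does not read well. Suggest wording such as "to set compression (e.g. comp-lzo), the tap device type, or other special settings", and wrapping the line, which is now much longer than its neighbours.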
103@@ -706,9 +723,8 @@
104 <title>OpenVPN with GUI for Win 7</title>
105
106 <para>
107-First download and install the latest <ulink url="http://www.openvpn.net/index.php/open-source/downloads.html">OpenVPN Windows Installer</ulink>. OpenVPN 2.2.1 was the latest when this was written.
108-Additionally download an alternative Open VPN Windows GUI. The OpenVPN MI GUI from <ulink url="http://openvpn-mi-gui.inside-security.de">http://openvpn-mi-gui.inside-security.de</ulink> seems to be a nice one for Windows 7.
109-Download the latest version. 20110624 was the latest version when this was written.
110+First download and install the latest <ulink url="http://www.openvpn.net/index.php/open-source/downloads.html">OpenVPN Windows Installer</ulink>. OpenVPN 2.3.2 was the latest when this was written.
111+As of this writing, the management GUI is included with the Windows binary installer.
112 </para>
113
114 <para>
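Review bot: the download link kept on line 110 is plain http, and the paragraph tells the reader to install what they fetch from it. If the site offers it, switch the ulink to https, and consider a sentence on checking the installer's signature before running it. The "OpenVPN 2.3.2 was the latest when this was written" sentence will also go stale quickly and could be shortened or dropped.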
115@@ -740,7 +756,21 @@
116 management-hold
117 management-query-passwords
118 auth-retry interact
119-</programlisting>
120+; Set the name of the Windows TAP network interface device here
121+dev-node MyTAP
122+
123+</programlisting>
124+<para>
125+Note: If you are not using user authentication and/or you want to run the service without user interaction, comment out the following options:
126+</para>
127+<programlisting>
128+auth-user-pass
129+auth-retry interact
130+management 127.0.0.1 1194
131+management-hold
132+management-query-passwords
133+</programlisting>
134+<para>You may want to set the Windows service to "automatic".</para>
135
136 </sect3>
137 <sect3 id="openvpn-client-openwrt" status="review">
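Review bot: the paragraph at line 125 opens with a literal "Note:" inside a para element, while this file already uses the note element (line 74); wrap the text in note/para here for consistent rendering. Two smaller points: MyTAP on line 121 is a placeholder the reader has to replace with their own adapter's name, which the comment on line 120 only hints at, and the sentence on line 134 about setting the service to "automatic" should say which service is meant and where the setting is made.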
