This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM as VPN "Client"

Hey Guys!

I recently signed up for a VPN service. I want to have all the traffic from the device to go through the tunnel The service has .ovpn config files, as well as all the info I could need to set up a VPN connection, which I have downloaded. Now I have a bunch of .ovpn config files which are utterly useless.

On a side note, the #1 VPN feature request is something to convert the .ovpn to the (seemingly) proprietary .apc (or .epc) files:
UTM (Formerly ASG) Feature Requests: VPN (172 ideas)

There are a few posts indicating a script may be able to do so. I have downloaded it and run it. It never coimpletes properly, and the .apc file it spits out is always corrupted (or so say Sophos when I try to import it).

Now, I tried creating an SSL VPN Server, save the config file, and then tried to edit it; I couldn't seem to get it top open to be edited... If this is possible, please let me know how.

So... How do I set up this UTM to be an Open VPN client to another server whose settings I have no control over? All the Sophos guides I could find only mentioned creating the VPN server on one device, saving the config file, and using THAT on the "client" device. How can I just config the client device?

Is this even possible with the UTM 9 devices?

This thread was automatically locked due to age.

Parents

0 JW0914_01 over 9 years ago

Found OpenVPN backend script:

/var/mdw/scripts/openvpn


#!/bin/sh
#
# Copyright (C) 2015 Sophos Inc.
# For copyright information look at /doc/astaro-license.txt
# or http://www.astaro.com/doc/astaro-license.txt
#
# Maintainer: Heiko Hund 
#

CHROOT='/var/sec/chroot-openvpn'
OPENVPN='/usr/sbin/openvpn'
STARTPROC='/sbin/startproc'
KILLPROC='/sbin/killproc'
CHECKPROC='/sbin/checkproc'
TOUCH='/usr/bin/touch'
RM='/bin/rm'
GREP='/usr/bin/grep'
MOUNT='/bin/mount'
PERL='/usr/bin/perl'

NOSELFM='/etc/no-selfmonitor/openvpn'

test -x ${CHROOT}${OPENVPN} || exit 5

. /etc/rc.status

rc_reset

SERVICE='OpenVPN'
PID_FILE='/var/run/openvpn.pid'
CFG_DIR='/etc/openvpn'
CFG_FILE="$CFG_DIR/openvpn.conf"

# Make sure proc is mounted in chroot
$GREP ${CHROOT}/proc /proc/mounts >/dev/null 2>&1
if [ $? == 1 ] && [ $1 == 'start' ]; then
    $MOUNT -t proc proc ${CHROOT}/proc >/dev/null 2>&1 || rc_exit
fi

# Check if a client connection reference was given
if [ -n "$2" ] && [ "${2:0:4}" = 'REF_' ]; then
    SERVICE="OpenVPN client connection $2 "
    PID_FILE="/var/run/openvpn-client-${2}.pid"
    CFG_FILE="/etc/openvpn/client/${2}/config"
fi

case "$1" in
    start)
        echo -n "Starting $SERVICE "
        OPTIONS="--config $CFG_FILE --writepid $PID_FILE"
        "$0" status "$2" >/dev/null ||
                $STARTPROC -f -W $CHROOT$PID_FILE -c $CHROOT $OPENVPN $OPTIONS
        $RM -f $NOSELFM
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down $SERVICE "
        $TOUCH $NOSELFM
        $KILLPROC -p "${CHROOT}${PID_FILE}" -g -c $CHROOT -TERM $OPENVPN
        rc_status -v
        ;;
    force-stop)
        echo -n "Shutting down all OpenVPN instances "
        $TOUCH $NOSELFM
        for pid_file in ${CHROOT}/var/run/openvpn*.pid; do
            $KILLPROC -p "$pid_file" -c $CHROOT -TERM $OPENVPN
            if [ "$?" -ne 0 ]; then
                break
            fi
        done
        rc_status -v
        ;;
    try-restart)
        "$0" status "$2" >/dev/null &&  "$0" restart "$2"
        rc_status
        ;;
		    try-restart)
        "$0" status "$2" >/dev/null &&  "$0" restart "$2"
        rc_status
        ;;
    restart)
        "$0" stop "$2"
        "$0" start "$2"
        rc_status
        ;;
    force-reload)
        echo -n "Reloading $SERVICE "
        "$0" stop "$2"  &&  "$0" start "$2"
        rc_status
        ;;
    reload)
        ;;
    status)
        echo -n "Checking for $SERVICE "
        $CHECKPROC -k -p "${CHROOT}${PID_FILE}" -c $CHROOT $OPENVPN
        rc_status -v
        ;;
    dhgen)
        $PERL -we '
            use Fcntl qw(:flock);
            use POSIX qw(setsid nice);
            my $bits = shift || 2048;
            my $outdir = shift || "/tmp";
            sub error { print shift() . "\n"; exit 1; }
            error "Unsupported DH parameter size, must be 1024|2048|3072|4096"
                unless $bits =~ /^(1024|2048|3072|4096)$/;
            fork and exit;
            setsid;
            umask 0;
            chdir "/";
            my $lockfile = "/var/lock/ovpn_dhgen_$bits.lock";
            open my $lock_fh, ">$lockfile"
                or error "Could not open lockfile $lockfile: $!";
            error "Generation of local $bits bit DH parameters is already in progress"
                unless flock $lock_fh, LOCK_EX|LOCK_NB;
            print "Starting generation of local DH parameters ($bits bit) in background\n";
            nice 19;
            open STDIN, "/dev/null";
            open STDERR, ">/dev/null";
            system qq(/usr/bin/openssl dhparam -out "${outdir}/dh${bits}.local.pem" $bits)
        ' "$2" "${CHROOT}${CFG_DIR}"
        ;;
    *)
        echo "Usage: $0 {start|stop|force-stop|status|try-restart|restart|force-reload|reload|dhgen } [client connection]"
        exit 1
        ;;
esac

rc_exit

[SIZE="1"]The below statements won't work due to Sophos' implementation of confd, see this post[/SIZE]
I have some testing to do, however I would assume one could run multiple servers via creating a variable and inputting that variable into CFG_FILE="$CFG_DIR/$ConfigVariable"

I would also assume you could place a client config in place of the server config at: CFG_FILE="$CFG_DIR/openvpn.conf". Additional editing of commands would still need to occur for a client setup

Note CFG_FILE="/etc/openvpn/client/${2}/config"

[SIZE="1"]**DISCLAIMER: Making any changes via the command line interface [cli] results in the loss of support and warranty for paid licensees**[/SIZE]

Reply

0 JW0914_01 over 9 years ago

Found OpenVPN backend script:

/var/mdw/scripts/openvpn


#!/bin/sh
#
# Copyright (C) 2015 Sophos Inc.
# For copyright information look at /doc/astaro-license.txt
# or http://www.astaro.com/doc/astaro-license.txt
#
# Maintainer: Heiko Hund 
#

CHROOT='/var/sec/chroot-openvpn'
OPENVPN='/usr/sbin/openvpn'
STARTPROC='/sbin/startproc'
KILLPROC='/sbin/killproc'
CHECKPROC='/sbin/checkproc'
TOUCH='/usr/bin/touch'
RM='/bin/rm'
GREP='/usr/bin/grep'
MOUNT='/bin/mount'
PERL='/usr/bin/perl'

NOSELFM='/etc/no-selfmonitor/openvpn'

test -x ${CHROOT}${OPENVPN} || exit 5

. /etc/rc.status

rc_reset

SERVICE='OpenVPN'
PID_FILE='/var/run/openvpn.pid'
CFG_DIR='/etc/openvpn'
CFG_FILE="$CFG_DIR/openvpn.conf"

# Make sure proc is mounted in chroot
$GREP ${CHROOT}/proc /proc/mounts >/dev/null 2>&1
if [ $? == 1 ] && [ $1 == 'start' ]; then
    $MOUNT -t proc proc ${CHROOT}/proc >/dev/null 2>&1 || rc_exit
fi

# Check if a client connection reference was given
if [ -n "$2" ] && [ "${2:0:4}" = 'REF_' ]; then
    SERVICE="OpenVPN client connection $2 "
    PID_FILE="/var/run/openvpn-client-${2}.pid"
    CFG_FILE="/etc/openvpn/client/${2}/config"
fi

case "$1" in
    start)
        echo -n "Starting $SERVICE "
        OPTIONS="--config $CFG_FILE --writepid $PID_FILE"
        "$0" status "$2" >/dev/null ||
                $STARTPROC -f -W $CHROOT$PID_FILE -c $CHROOT $OPENVPN $OPTIONS
        $RM -f $NOSELFM
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down $SERVICE "
        $TOUCH $NOSELFM
        $KILLPROC -p "${CHROOT}${PID_FILE}" -g -c $CHROOT -TERM $OPENVPN
        rc_status -v
        ;;
    force-stop)
        echo -n "Shutting down all OpenVPN instances "
        $TOUCH $NOSELFM
        for pid_file in ${CHROOT}/var/run/openvpn*.pid; do
            $KILLPROC -p "$pid_file" -c $CHROOT -TERM $OPENVPN
            if [ "$?" -ne 0 ]; then
                break
            fi
        done
        rc_status -v
        ;;
    try-restart)
        "$0" status "$2" >/dev/null &&  "$0" restart "$2"
        rc_status
        ;;
		    try-restart)
        "$0" status "$2" >/dev/null &&  "$0" restart "$2"
        rc_status
        ;;
    restart)
        "$0" stop "$2"
        "$0" start "$2"
        rc_status
        ;;
    force-reload)
        echo -n "Reloading $SERVICE "
        "$0" stop "$2"  &&  "$0" start "$2"
        rc_status
        ;;
    reload)
        ;;
    status)
        echo -n "Checking for $SERVICE "
        $CHECKPROC -k -p "${CHROOT}${PID_FILE}" -c $CHROOT $OPENVPN
        rc_status -v
        ;;
    dhgen)
        $PERL -we '
            use Fcntl qw(:flock);
            use POSIX qw(setsid nice);
            my $bits = shift || 2048;
            my $outdir = shift || "/tmp";
            sub error { print shift() . "\n"; exit 1; }
            error "Unsupported DH parameter size, must be 1024|2048|3072|4096"
                unless $bits =~ /^(1024|2048|3072|4096)$/;
            fork and exit;
            setsid;
            umask 0;
            chdir "/";
            my $lockfile = "/var/lock/ovpn_dhgen_$bits.lock";
            open my $lock_fh, ">$lockfile"
                or error "Could not open lockfile $lockfile: $!";
            error "Generation of local $bits bit DH parameters is already in progress"
                unless flock $lock_fh, LOCK_EX|LOCK_NB;
            print "Starting generation of local DH parameters ($bits bit) in background\n";
            nice 19;
            open STDIN, "/dev/null";
            open STDERR, ">/dev/null";
            system qq(/usr/bin/openssl dhparam -out "${outdir}/dh${bits}.local.pem" $bits)
        ' "$2" "${CHROOT}${CFG_DIR}"
        ;;
    *)
        echo "Usage: $0 {start|stop|force-stop|status|try-restart|restart|force-reload|reload|dhgen } [client connection]"
        exit 1
        ;;
esac

rc_exit

Note CFG_FILE="/etc/openvpn/client/${2}/config"

[SIZE="1"]**DISCLAIMER: Making any changes via the command line interface [cli] results in the loss of support and warranty for paid licensees**[/SIZE]

Children

No Data