Posts by aaaskew

    I was trying to debug an OpenMediaVault - OpenVPN (4.0.4) plugin issue and discovered that the server certificate was overwritten with a client certificate under /etc/openvpn/pki/issued/<hostname>.crt


    To reproduce, create a new client with a Common name set to the server hostname. This will overwrite the server certificate with the new client certificate and break all VPN connections.


    Could a little error checking be added to the web interface to block this?


    To fix, I had to uninstall/re-install the openvpn plugin and re-create all of the users.
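The input check asked for above, as an added example that is not code from the OpenMediaVault OpenVPN plugin: it rejects a client Common Name that equals the server hostname or an already issued certificate name, since with the /etc/openvpn/pki/issued/<CN>.crt layout from the post that name would be overwritten. The PKI path layout and the sample names are assumptions.

```python
"""Reject client Common Names that would clobber an existing certificate.

Added example, not code from the OpenMediaVault OpenVPN plugin. With an
easy-rsa style PKI, issuing a client whose CN equals the server hostname
writes <pki>/issued/<CN>.crt over the server certificate, so the CN has to
be rejected before the certificate is issued.
"""
import re
from pathlib import Path

# Assumed PKI layout from the post: issued certs live in <pki>/issued/<CN>.crt
ISSUED_SUBDIR = "issued"
# Conservative CN syntax: hostname-like characters only, no path separators,
# so the CN cannot escape the issued/ directory when used as a filename.
CN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def issued_names(pki_dir):
    """Return the set of Common Names that already have an issued certificate."""
    return {p.stem for p in Path(pki_dir, ISSUED_SUBDIR).glob("*.crt")}


def validate_client_cn(cn, server_hostname, existing_names):
    """Return None if `cn` may be issued, otherwise a human-readable reason.

    `existing_names` is normally issued_names(pki_dir); it is passed in so the
    check can be exercised without touching a real PKI directory.
    """
    if not CN_RE.match(cn):
        return "common name contains characters that are not allowed"
    # Compare case-insensitively: hostnames are case-insensitive and the CN is
    # also used as a filename, so "OMV" and "omv" must count as the same name.
    if cn.lower() == server_hostname.lower():
        return "common name equals the server hostname and would overwrite the server certificate"
    if cn.lower() in {n.lower() for n in existing_names}:
        return "a certificate with this common name has already been issued"
    return None


if __name__ == "__main__":
    # Constructed example values, not taken from a real installation.
    issued = {"omv", "laptop"}
    for candidate in ("phone", "omv", "laptop", "../omv"):
        print(candidate, "->", validate_client_cn(candidate, "omv", issued) or "ok")
```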

    Just to add a few comments about the script:


    1. It is for 64-bit OMV installations only by the look of things. I changed the line:
    wget http://download.virtualbox.org…1~Debian~wheezy_amd64.deb
    to the 32-bit version and it appears to work ok on a 32-bit OMV.


    2. I had issues with part of the script having run but not all. The script removes virtualbox-4.3 but not virtualbox-5.0. Maybe it should remove virtualbox-5.0 as well before it is re-added so that errors are not produced if there was a previous failure.


    3. I had to change permissions (chown -R vbox:vboxusers /media/xx/VMs share) once installed. Then re-set the box php admin user password and re-import the virtual box machines. The permission problem might have been due to fresh install of OMV 2.1 when disk was from an OMV 0.4 installation though.

    I have installed OMV 2.1 from scratch rather than upgrade from 0.4. Lots of good changes!


    One of the options is to set the user home directories to be in a shared folder location. To do this a disk is added, file system created, mounted, a shared folder added for user home directories. Finally the option is enabled under user settings.


    The issue is that shell scripts and executables stored in user home directories do not run. I have tracked this down to the /etc/fstab mount having a noexec option against the filesystem added by OpenMediaVault. This might be causing environment variables not to be loaded as well. Maybe this is the reason for the omv-extras remotedesktop plugin environment missing icons for normal users?


    So, the question is:


    Should OpenMediaVault remove the noexec mount point option for the filesystem to be used as a home directory location?


    At the moment, I can see that the option in the OpenMediaVault config.xml picks up a default list of options per filesystem type from /usr/share/php/openmediavault/globals.inc. For example $GLOBALS['OMV_FSTAB_MNTOPS_EXT4']. This is good for most file systems I assume, but should it also be the case for home directories?


    At the moment I have hacked it by:
    1. Remove noexec option from the OpenMediaVault config.xml options for the filesystem on which user home directories are stored
    2. Run omv-mkconf fstab
    3. Run mount -o remount /media/<filesystem> on which user home directories are stored


    Is there a neater way of overriding the default for just one filesystem than editing config.xml manually?
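A way to verify the result of the config.xml edit and the remount described above, as an added example that is not part of OpenMediaVault: it reads /proc/mounts style text, finds the filesystem backing a home directory path and reports whether it still carries noexec. The sample mount table and the /media directory name are constructed.

```python
"""Find the mount that backs a path and report whether it is mounted noexec.

Added example, not part of OpenMediaVault. If the filesystem holding the
user home directories still carries `noexec`, scripts and binaries stored in
those homes will not run, whatever their file permissions say.
"""
import os


def parse_mounts(text):
    """Parse /proc/mounts lines into (mountpoint, fstype, set_of_options).

    /proc/mounts escapes spaces in paths as \\040; undo that so prefix
    matching works on real paths.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        entries.append((mountpoint, fields[2], set(fields[3].split(","))))
    return entries


def mount_for_path(entries, path):
    """Return the entry with the longest mountpoint that is a prefix of `path`."""
    path = os.path.normpath(path)
    best = None
    for entry in entries:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best


def home_is_noexec(mounts_text, home_path):
    """Return (mountpoint, noexec_flag) for the filesystem backing `home_path`."""
    entry = mount_for_path(parse_mounts(mounts_text), home_path)
    if entry is None:
        raise ValueError(f"no mount found for {home_path}")
    return entry[0], "noexec" in entry[2]


# Constructed /proc/mounts excerpt; the /media directory name is made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/0b9c2a4e-home ext4 rw,noexec,relatime,user_xattr 0 0
"""

if __name__ == "__main__":
    print(home_is_noexec(SAMPLE_MOUNTS, "/media/0b9c2a4e-home/homes/alice"))
    print(home_is_noexec(SAMPLE_MOUNTS, "/home/bob"))
```

On a live system, pass the contents of /proc/mounts instead of SAMPLE_MOUNTS.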

    I have not tested the shutdown but I believe communication works for me with the following:


    1. Install the missing nut-snmp package on a root command line:


    root@openmediavault:~# apt-get install nut-snmp


    2. Configure NUT in OpenMediaVault:


    UPS: Enable = True
    Identifier = ups
    Comment = Smart-UPS 1000INET
    Driver configuration directives:


    driver = snmp-ups
    port = 192.168.0.15 (or whatever your UPS is)
    mibs = apcc


    Shutdown mode: UPS reaches low battery


    3. Look at details from UPS in OpenMediaVault:


    Diagnostics > Services > UPS > Variables


    battery.charge: 100.00
    battery.charge.restart: 50
    battery.date: 01/22/15
    battery.packs: 0.00
    battery.packs.bad: 0.00
    battery.runtime: 7140.00
    battery.runtime.low: 300
    device.mfr: APC
    device.model: SMART-UPS 1000
    ...


    Good luck.

    The current setup is to allow only for an OpenVPN server in client-to-LAN setup.


    See my other posting that is to make OpenMediaVault OpenVPN a client in a client-to-LAN setup.


    This post is to explain what to do to route two private networks together in a LAN-to-LAN setup:


    I have done this manually and the changes are not big so it should be quite easy to add to the plugin:


    Before setting up this solution note that some configuration changes are also required on other devices. These requirements should be listed in the plugin help some place.


    Example LAN 1 with OpenMediaVault OpenVPN server:
    ADSL router: 192.168.0.1
    OpenMediaVault: 192.168.0.20 (fixed address)


    Example LAN 2 with OpenMediaVault OpenVPN server:
    ADSL router: 192.168.100.254
    OpenMediaVault: 192.168.100.200 (fixed address)



    --- For the ADSL router/gateway on the OpenVPN 'server' network ---
    1. Get a fixed IP address on the internet or setup a Dynamic DNS FQDN so that clients can find the server (this is true of the existing setup)
    2. Port forward UDP port 1194 to the OpenMediaVault server or other port and protocol if this has been changed (this is true of the existing setup)
    3. Add a static route to the router's table for the client's network (all traffic for 192.168.100.0/24 should go to our local OpenMediaVault 'server' 192.168.0.20)


    --- For the ADSL router/gateway on the OpenVPN 'client' network ---
    1. Add a static route to the router's table for the server's network (all traffic for 192.168.0.0/24 should go to our local OpenMediaVault 'client' 192.168.100.200)


    If it is not possible to add a static route to the ADSL routers then this can be done on each of the other machines within the private networks that needs to speak to the other network, although this can be tedious.



    --- For the OpenVPN 'server' ---
    1. Add the following options to the Extra settings as part of the OpenVPN General settings:


    client-config-dir ccd
    route 192.168.100.0 255.255.255.0


    2. mkdir /etc/openvpn/ccd
    3. Create a VPN user added to the vpnusers group called 'client' in my case
    4. Create a VPN client certificate for the LAN-to-LAN client.
    5. Create a file in the /etc/openvpn/ccd directory called 'client' with the following text:


    iroute 192.168.100.0 255.255.255.0


    All of this allows the OpenVPN server to know that when this client is connected all traffic to the whole 192.168.100.0 network should be sent over the link and not just to the machine connecting.



    --- For the OpenVPN 'client' ---
    Based on the OpenVPN client setup I have in the previous posting:
    1. Extract OpenVPN client zip file content to /etc/openvpn directory
    2. Add to the bottom of the client.conf file:


    # Network setup scripts
    script-security 2
    up config.script
    down config.script


    3. Copy the existing /etc/openvpn/nat.sh script and call it config.script
    4. Edit the config.script file:


    - Change the 'ROUTE=$(omv_config_get "//services/openvpn/vpn-route")' line to 'ROUTE="192.168.100.0 / 255.255.255.0"'
    - Delete the '$(iptables ${IPTBLARG} POSTROUTING -t nat -s ${!route_network}/${!route_netmask} ${DESTNET} -j MASQUERADE)' line.


    5. update-rc.d openvpn enable
    6. invoke-rc.d openvpn start


    Provided the server configuration has not been done on the OpenMediaVault that is being run as a client then the omv.conf will not be present so enabling the openvpn service will just magically run as a client.


    To also support a client sending a username/password as well as the certificate:
    1. Turn this on in the OpenVPN server
    2. Modify the 'auth-user-pass' line in the client.conf file to 'auth-user-pass client.login'
    3. Create a client.login file in the /etc/openvpn directory along with all of the other files with content:


    username
    password



    These changes run OpenVPN as a client on OpenMediaVault and also turn on IP forwarding and change the routing table so that the local network is accessible to the OpenVPN server network.



    All of these changes could be made in the plugin by adding extra settings to OpenVPN server side to allow for the entry of a client network IP and subnet mask and the ZIP file with these changes would already contain everything required.
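The server route, ccd iroute, client ROUTE line and the two router static routes from the LAN-to-LAN procedure above, derived from the two network definitions as an added example that is not part of the OpenMediaVault OpenVPN plugin. It also refuses overlapping LANs and OpenMediaVault addresses outside their own LAN, which are the two misconfigurations that silently break routed VPNs; the function and key names are my own.

```python
"""Derive the LAN-to-LAN OpenVPN settings from the two network definitions.

Added example, not part of the OpenMediaVault OpenVPN plugin. It produces the
server `route`, the ccd `iroute`, the client ROUTE line and the two static
routes described in the post, after checking that the LANs do not overlap and
that each OpenMediaVault host lies inside its own LAN.
"""
import ipaddress


def plan_lan_to_lan(server_lan, server_omv, client_lan, client_omv, client_cn="client"):
    """Return configuration fragments for both OpenVPN sides and both routers."""
    s_net = ipaddress.ip_network(server_lan, strict=True)
    c_net = ipaddress.ip_network(client_lan, strict=True)
    s_host = ipaddress.ip_address(server_omv)
    c_host = ipaddress.ip_address(client_omv)
    if s_net.overlaps(c_net):
        # A routed VPN cannot join two LANs that share address space.
        raise ValueError(f"{s_net} and {c_net} overlap")
    if s_host not in s_net or c_host not in c_net:
        raise ValueError("each OpenMediaVault address must be inside its own LAN")
    c_addr, c_mask = c_net.network_address, c_net.netmask
    return {
        # Extra settings for the OpenVPN server (General settings).
        "server_extra": ["client-config-dir ccd", f"route {c_addr} {c_mask}"],
        # /etc/openvpn/ccd/<client_cn>: the whole client LAN is reachable
        # through this client, not just the connecting host.
        "ccd_file": (f"ccd/{client_cn}", f"iroute {c_addr} {c_mask}"),
        # ROUTE variable for the client-side config.script.
        "client_route_var": f'ROUTE="{c_addr} / {c_mask}"',
        # Static routes on the two ADSL routers as (destination, gateway).
        "server_router_route": (str(c_net), str(s_host)),
        "client_router_route": (str(s_net), str(c_host)),
    }


if __name__ == "__main__":
    # Example addresses from the post.
    plan = plan_lan_to_lan("192.168.0.0/24", "192.168.0.20",
                           "192.168.100.0/24", "192.168.100.200")
    for key, value in plan.items():
        print(f"{key}: {value}")
```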

    For those interested in using OpenMediaVault as an OpenVPN client rather than server, this is not too difficult to do manually. It would be interesting to make this available via the plugin but in the meantime the following might be of interest:


    1. Extract OpenVPN client zip file content to /etc/openvpn directory
    2. update-rc.d openvpn enable
    3. invoke-rc.d openvpn start


    Provided the server configuration has not been done in the OpenMediaVault that is being run as a client then the omv.conf will not be present so enabling the openvpn service will just magically run as a client.


    To also support a client sending a username/password as well as the certificate:
    1. Turn this on in the OpenVPN server
    2. Modify the 'auth-user-pass' line in the client.conf file to 'auth-user-pass client.login'
    3. Create a client.login file in the /etc/openvpn directory along with all of the other files with content:
    username
    password

    I have yet to confirm this fully but I believe that the OpenMediaVault Rsync server configuration will not support sending user and group information to other clients because of the 'use chroot = yes' parameter in the rsyncd.conf file.


    When running rsync on another machine to pull data off an OpenMediaVault and you want to preserve user and group information (or use the Archive option), it might be worth adding 'use chroot = no' to the OpenMediaVault Rsync -> Modules -> Extra options.


    See the http://www.samba.org/ftp/rsync/rsyncd.conf.html use chroot section for more information.