Tuesday, December 15, 2009


Ok, so I mentioned it briefly on another vanity tool that allows self-promotion 140 characters at a time, but I didn't get around to writing anything up about it here. Time to fix that.

At my workplace, we recently had a few folks move to Windows Vista (now 7) desktops at home. This was ok, until they attempted to connect to the VPN only to discover that it no longer worked. The problem is that Microsoft removed support for the MS-CHAPv1 protocol, so only MS-CHAPv2 is available, but the VPN appliance we were using doesn't speak MS-CHAPv2. One option was to set up L2TP on the appliance, but that ended up being all kinds of fail due to some funky routing stuff that had to be preserved and was beyond my capabilities (the best I can do is smash the device with a hammer and swear a blood oath to track down all those responsible for producing it).

So. Fsck it all to hell. We started looking at Linux based solutions that could handle L2TP, and that's when I stumbled across OpenVPN (which supports Mac/Win/Lin). Easy enough to set up, but at the last minute we got the added constraint that the solution should be generic enough that someone else could manage it (i.e., the company could find a networking monkey to come in and make sense of it).

While getting ready to install it on an Ubuntu box, I noticed that Ubuntu had an "ebox-openvpn" package and did some digging on that.

It turns out eBox is one of those "appliance distros". It's based on Ubuntu, and comes with a web config utility which seemed to satisfy the "normal people can use it" requirement. We ended up just downloading the distro that eBox offers on their website and installing that without any major hassles.

eBox is actually a pretty cool little distro you should check out if you need a small intranet server for a hub office or a small, decentralized startup. It comes with not only a well laid out iptables system and OpenVPN, but also includes stuff like a mail virus/spam filter, a file server, and the ability to do the DC thing for Active Directory with Samba/Kerberos/LDAP. Handiest of all, though, is that it's got a certificate management system that lets you set up your CA and issue X.509 certs pretty easily.

There are some rough edges, though. Because it's an appliance distro, it's guilty of the same thing stuff like Plesk is guilty of. It considers its own internal database to be authoritative for all configuration on the system: if you hack a config file by hand, prepare for the changes to get blown away the next time the service or server is restarted. That wouldn't be a problem, except that the web interface is by no means comprehensive when it comes to configuring the services. For example, we needed to add some extra options to OpenVPN to push a default route through the VPN and tell the clients which WINS and DNS servers to use, etc. That's fairly straightforward to do in openvpn.conf, but there wasn't any way to set those in eBox. Finally, my last gripe is that you have to "save" all changes before you can exit a config screen. This makes mass tweaking of the interface kind of tedious and slow going.
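For reference, here is what those extra options look like in a plain OpenVPN 2.x server config. This is an added example, not the post's own config and not anything eBox generates; the tunnel subnet (10.8.0.0/24), the office LAN (192.168.1.0/24), the DNS/WINS server (192.168.1.10), the search domain (corp.example) and the cert/key paths are all placeholders you would swap for your own.

```conf
# Added example (not from the post or from eBox): a minimal OpenVPN 2.x
# server.conf for the road-warrior setup described above. All addresses,
# domain names and file paths below are placeholders.
port 1194
proto udp
dev tun

# CA plus the server's own cert/key; the CA and certs can come from
# eBox's certificate module or from any other X.509 CA you run.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem

# Tunnel network; each client gets an address out of 10.8.0.0/24.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Let clients reach the office LAN sitting behind the VPN box.
push "route 192.168.1.0 255.255.255.0"

# Force all client traffic through the tunnel. "def1" overrides the client's
# default route with two /1 routes instead of replacing it, so the original
# route comes back cleanly on disconnect. The server (or something upstream)
# must NAT or route the 10.8.0.0/24 subnet for this to be usable.
push "redirect-gateway def1"

# Name resolution for the Windows clients: the TAP adapter applies these
# dhcp-option values. WINS is what makes NetBIOS name browsing work over
# the tunnel; DOMAIN sets the DNS search suffix.
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option WINS 192.168.1.10"
push "dhcp-option DOMAIN corp.example"

# Housekeeping: keep NAT state alive, drop privileges after startup.
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

Two things to check when you drop this in: the `push` lines only have an effect on clients that connect with a certificate the configured CA signed, and `redirect-gateway` without forwarding/NAT on the server side silently blackholes the client's Internet traffic rather than failing loudly. If eBox manages the file, expect a hand edit like this to be overwritten on the next restart, which is exactly the gripe above.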

There was also a problem with the OpenVPN client package that eBox generated for us. The zip file had the right certificate, but the client didn't work. We ended up having to replace it with the .exe directly from OpenVPN's site.

As for solving the original problem, I'd suggest just nutting up and learning how to deal with OpenVPN through its config file. The config is actually pretty straightforward (and short). The main reason we decided to keep eBox installed and in place, however, was the certificate management feature, and because we didn't want to spend any more time re-installing a distro onto the server.

I'm not sure I'd recommend eBox for a larger, more established network, but it definitely seems like the way to go if you need to get a small shop up and online in a couple of hours.
