====== VPN - Starting the VPN client ======
===== Launching OpenVPN =====
==== Firewall ====
Set the appropriate [[wiki:network_mana:firewall|Firewall]] rules to accept OpenVPN traffic:
<code>
*filter
# OpenVPN ports
-A INPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
</code>
Or disable the firewall (only during test phase!) with:
<code>
/etc/init.d/firewall stop
</code>
==== Start OpenVPN ====
Put the OpenVPN main configuration file on the gateway and launch it with the following command (replace the path with the name of your configuration file):
<code>
openvpn --config /user/client-openvpn.conf 2>&1 | logger &
</code>
Check that the OpenVPN client is running on your gateway:
<code>
ps | grep [o]penvpn
31342 root 4700 S openvpn --config /user/client-openvpn.conf
</code>
Check with the ''ifconfig'' command that the ''vpn0'' interface is now active.
Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again if it was disabled.
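The start-up procedure above (launch the client, confirm the process, confirm the interface, re-enable the firewall) as one POSIX shell script. This is an added example, not part of the original page: the 60-second wait, the ''OPENVPN_EXAMPLE_RUN'' guard and the firewall init script path are assumptions made here, and the ''ps'' and ''ifconfig'' samples used to exercise the parsing helpers are constructed.

```shell
#!/bin/sh
# Added example: start the OpenVPN client, wait until the process and the
# VPN interface are both up, then re-enable the firewall that was stopped
# during testing. Paths and the timeout are assumptions for this example.

VPN_CONF="/user/client-openvpn.conf"
VPN_IFACE="vpn0"
FW_INIT="/etc/init.d/firewall"

# Print the PID of the openvpn client found in ps-style output on stdin.
# The [o] trick keeps the grep process itself out of the match.
openvpn_pid_from_ps() {
    grep '[o]penvpn --config' | awk '{print $1}' | head -n 1
}

# Return 0 when the ifconfig output on stdin shows the wanted interface with
# an IPv4 address assigned (both the "inet addr:" and "inet " formats count).
iface_has_addr() {
    awk -v want="$1" '
        $1 == want { inblock = 1; next }
        /^[^ \t]/  { inblock = 0 }
        inblock && /inet addr:|inet [0-9]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Launch the client and send its output to syslog, as on the page.
start_openvpn() {
    openvpn --config "$VPN_CONF" 2>&1 | logger &
}

# Poll for up to 30 x 2 s until the process and the interface are both present.
wait_for_vpn() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        if ps | openvpn_pid_from_ps | grep -q . \
           && ifconfig 2>/dev/null | iface_has_addr "$VPN_IFACE"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 2
    done
    return 1
}

main() {
    start_openvpn
    if wait_for_vpn; then
        echo "OpenVPN is up on $VPN_IFACE, re-enabling the firewall"
        "$FW_INIT" start
    else
        echo "OpenVPN did not come up within 60 s; check syslog" >&2
        exit 1
    fi
}

# Only run the procedure when asked to, so the helpers can also be sourced.
if [ "${OPENVPN_EXAMPLE_RUN:-0}" = "1" ]; then
    main
fi
```

Run it with ''OPENVPN_EXAMPLE_RUN=1 sh start-vpn.sh''; the helpers are kept as separate functions so the process and interface checks can be reused from an init script or a watchdog.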
===== Launching IPsec / strongSwan =====
==== Firewall ====
Set the appropriate [[wiki:network_mana:firewall|Firewall]] rules to accept IPsec traffic:
<code>
*filter
# IPsec ports: IKE (500) and NAT traversal (4500)
-A INPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
</code>
Or disable the firewall (only during test phase!) with:
<code>
/etc/init.d/firewall stop
</code>
==== Start ipsec ====
Two IKE daemons can be used:
  * If the ''/etc/ipsec.secrets'' file is used, and the P12 file is stored in clear on the filesystem: use ''charon''
  * If the ''/etc/ipsec.secrets'' file is empty, and the secrets and the P12 file are stored encrypted in the TrustZone: use ''charon-tkm''
To select one, either add ''--daemon charon'' or ''--daemon charon-tkm'' to the ''ipsec start'' command line, or set the ''DAEMON_NAME'' environment variable to the desired value. For example, if the TrustZone is used:
<code>
export DAEMON_NAME=charon-tkm
# or, alternatively
ipsec start --daemon charon-tkm
</code>
If the TrustZone is not used, start the VPN with:
<code>
export DAEMON_NAME=charon
# or, alternatively
ipsec start --daemon charon
</code>
To troubleshoot, add the ''--nofork'' switch to the command line. This prevents the daemon from forking and logs all output to the console instead of syslog.
Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again.
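The daemon selection rule above (''charon'' when ''/etc/ipsec.secrets'' holds entries, ''charon-tkm'' when it is empty) and the start-up check, as one POSIX shell script. This is an added example, not part of the original page or of strongSwan: the ''IPSEC_SECRETS'' override, the ''IPSEC_EXAMPLE_RUN'' guard and the 60-second wait are assumptions made here, and the ''ipsec status'' header it parses ("Security Associations (N up, M connecting):") is the standard strongSwan wording, reproduced as a constructed sample.

```shell
#!/bin/sh
# Added example: choose the IKE daemon from the state of /etc/ipsec.secrets,
# start strongSwan with it, and wait until at least one IKE_SA is up before
# re-enabling the firewall. IPSEC_SECRETS lets the rule be tested on a
# constructed file; the timeout is an assumption for this example.

SECRETS_FILE="${IPSEC_SECRETS:-/etc/ipsec.secrets}"
FW_INIT="/etc/init.d/firewall"

# Echo the daemon for the given secrets file:
#   charon-tkm when the file is empty or missing (secrets and P12 in TrustZone),
#   charon     when it contains at least one entry (P12 in clear on disk).
# Blank lines and '#' comments do not count as entries.
choose_ike_daemon() {
    f="$1"
    if [ -s "$f" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$f"; then
        echo charon
    else
        echo charon-tkm
    fi
}

# Print the number of established SAs from 'ipsec status' output on stdin,
# taken from its "Security Associations (N up, M connecting):" header.
ipsec_sas_up() {
    sed -n 's/^Security Associations (\([0-9][0-9]*\) up.*/\1/p'
}

start_ipsec() {
    daemon=$(choose_ike_daemon "$SECRETS_FILE")
    export DAEMON_NAME="$daemon"
    echo "Starting strongSwan with $daemon (secrets file: $SECRETS_FILE)"
    ipsec start --daemon "$daemon"
}

# Poll for up to 30 x 2 s until the status header reports an SA up.
wait_for_ipsec() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        up=$(ipsec status 2>/dev/null | ipsec_sas_up)
        if [ -n "$up" ] && [ "$up" -gt 0 ]; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 2
    done
    return 1
}

main() {
    start_ipsec
    if wait_for_ipsec; then
        echo "IPsec tunnel established, re-enabling the firewall"
        "$FW_INIT" start
    else
        echo "No IKE_SA came up within 60 s; retry with 'ipsec start --nofork'" >&2
        exit 1
    fi
}

if [ "${IPSEC_EXAMPLE_RUN:-0}" = "1" ]; then
    main
fi
```

Run it with ''IPSEC_EXAMPLE_RUN=1 sh start-ipsec.sh''. Keeping the secrets-file test in its own function means an init script can log which daemon was chosen, which makes a gateway that silently fell back to ''charon'' because a clear-text secrets file was left behind easy to spot.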