17.2. Typical scenarios

Since a VPN is a fairly complex service, we illustrate how to configure one with eBox by means of two typical scenarios.

17.2.1. Road warrior

You can set up eBox to support road warriors. In this setup eBox works as a gateway and as an OpenVPN server with a local area network (LAN) behind it, and clients on the WAN (the road warriors) connect to eBox over the VPN in order to reach the protected LAN. The following figure illustrates the situation:

Figure 17.1. Road warrior scenario

Our objective is to let the two remote clients (1 and 2) reach client 3 on the LAN, and also to let clients 1 and 2 reach each other.

First, we need to create the Certification Authority and a certificate for every element of the system: the OpenVPN server and each of the two remote clients. In this scenario the same eBox also acts as the Certification Authority.

Note

For details on the eBox Certification Authority module, see its own chapter of this manual.

Once we have the certificates, create the OpenVPN server in eBox at Create new server. Give it a name, a protocol/port pair, a certificate (the server certificate just created) and a subnet from which VPN addresses are assigned; the remaining settings can be left at their default values. The VPN subnet must not overlap with the LAN or with the networks the road warriors connect from, otherwise the routes pushed to the clients conflict with their local ones. The OpenVPN server listens on all external interfaces, so at least one eBox interface must be marked as external in Network Interfaces. In our scenario only two interfaces are needed: an internal one for the LAN and an external one facing the Internet.

After creating the OpenVPN server, enable the service and save changes. Then check in Status that the OpenVPN server is up and running.

Next, add the advertised networks, that is, the networks that authorised OpenVPN clients will be able to reach. These networks must be reachable from eBox itself. They are set when editing the chosen OpenVPN server. In our scenario, add the local network so that client 3 becomes visible to the other two clients.

Now it is time to configure the clients. An OpenVPN client can be configured with the following example file:

Example 17.1. OpenVPN client configuration example file

client

dev tap
# The Status page shows the address of the interface and the port
# on which the OpenVPN server is listening
remote <iface_address> <port>
# The Status page also shows the protocol (udp or tcp)
proto <protocol>

####
# All certificates are downloaded from the eBox Certification
# Authority interface and then copied to the client machines.
# Each client certificate must be used by only one machine.
####

# CA certificate
ca <ca_cert_file>
# Client certificate
cert <client_cert_file>
# Client private key
key <client_private_key_file>

# Other options
comp-lzo
nobind


This example configuration is passed to the OpenVPN daemon with the command openvpn --config filename. The two remote clients now have access to client 3. For the remote clients to reach each other, the Allow client-to-client connections checkbox must also be set in the OpenVPN server configuration. Note that the example file does not make the client check that its peer presents a server certificate; with only the directives above, any holder of a client certificate signed by the same CA (another road warrior) could pose as the server. Adding remote-cert-tls server (ns-cert-type server on older OpenVPN releases) closes this, provided the server certificate was issued with the server extensions those directives check for. To confirm that the configuration is correct, look at the client's routing table: the advertised networks should appear as routes through the tapX virtual interface.
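As an added example, not part of the eBox manual or of eBox itself, the following POSIX shell script checks a client configuration file such as Example 17.1 for the directives the manual relies on and for server-certificate verification, which the example omits. The sample configurations it writes are constructed from the example with documentation addresses and placeholder file names. remote-cert-tls server and ns-cert-type server are standard OpenVPN directives; whether the eBox CA issues server certificates with the extensions they require is an assumption to verify on your own installation.

```sh
#!/bin/sh
# Added example (not from the eBox manual or code base): check an OpenVPN
# client configuration for the directives the manual's example uses, and
# for server-certificate verification, which that example omits.
#
# Assumption: the eBox CA issued the server certificate with the server
# extensions that "remote-cert-tls server" (or, on older OpenVPN releases,
# "ns-cert-type server") checks for; if it did not, adding the directive
# breaks the connection instead of hardening it.

# Returns 0 when every directive in the list is present at the start of a
# line in the file given as $1; prints the missing ones and returns 1 otherwise.
check_required_directives() {
    cfg="$1"
    missing=0
    for directive in client dev remote proto ca cert key; do
        if ! grep -Eq "^[[:space:]]*${directive}([[:space:]]|\$)" "$cfg"; then
            echo "MISSING: $directive"
            missing=1
        fi
    done
    return $missing
}

# Returns 0 when the client will insist that the peer presents a server
# certificate, 1 otherwise. Without this, any holder of a client
# certificate signed by the same CA (another road warrior) could pose as
# the server towards this client.
check_server_verification() {
    if grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$1"; then
        return 0
    fi
    echo "WEAK: no server certificate verification; add 'remote-cert-tls server'"
    return 1
}

# Runs both checks on one file; returns 0 only if both pass.
check_client_config() {
    ok=0
    check_required_directives "$1" || ok=1
    check_server_verification "$1" || ok=1
    return $ok
}

# Constructed samples: the manual's example with placeholders filled in
# using documentation addresses and file names (not a real deployment).
write_sample_configs() {
    cat > "$1/client.conf" <<'EOF'
client
dev tap
remote 192.0.2.10 1194
proto udp
ca ca-cert.pem
cert client1-cert.pem
key client1-key.pem
comp-lzo
nobind
EOF
    # The same file with server verification added.
    { cat "$1/client.conf"; echo 'remote-cert-tls server'; } > "$1/client-hardened.conf"
    # A broken file: the CA certificate line is missing, so the client
    # could not validate the server at all.
    grep -v '^ca ' "$1/client.conf" > "$1/client-noca.conf"
}

sample_dir=$(mktemp -d)
write_sample_configs "$sample_dir"
for f in client.conf client-hardened.conf client-noca.conf; do
    echo "== $f"
    check_client_config "$sample_dir/$f" && echo "all checks passed"
done
rm -rf "$sample_dir"
```

On a real client run the checks against the file you pass to openvpn --config; only client-hardened.conf passes both checks, client.conf is flagged as weak and client-noca.conf as incomplete.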

17.2.2. Connect two offices with eBox and OpenVPN

This second scenario illustrates a common use case for eBox: two offices on different networks that need to be connected through a private network. We use an eBox in each local network as gateway, one acting as OpenVPN client and the other as OpenVPN server. The following figure illustrates the situation:

Figure 17.2. eBox OpenVPN server vs. eBox OpenVPN client

Our aim is to connect client 1 in LAN 1 with client 2 in LAN 2 as if they were on the same local network. We set up the OpenVPN server as in Section 17.2.1, with one change: the Allow eBox-to-eBox tunnels option must be set so that routes are exchanged between the eBox machines. For this to work the two LANs must use different address ranges; if both offices use the same subnet, the exchanged routes cannot be applied.

To configure eBox as an OpenVPN client, use the Create new client button in the OpenVPN menu. Set the client's name, the OpenVPN server's address and protocol/port pair, and the corresponding certificates, obtained in the same way as described above. After saving changes, the status summary shows the new OpenVPN daemon in LAN 2 running as a client connected to the eBox in LAN 1.
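To verify the routes in either scenario (the client's routing table in Section 17.2.1, or the eBox acting as OpenVPN client here), the following POSIX shell script, an added example rather than eBox code, parses ip route output saved to a file and reports each advertised network as reached through the tunnel, missing, or routed outside it. The routing table it uses is constructed for illustration with documentation address ranges; LAN 1 as 192.168.1.0/24, LAN 2 as 192.168.2.0/24 and the VPN subnet as 10.8.0.0/24 are assumptions, not values from the manual.

```sh
#!/bin/sh
# Added example (not from the eBox manual or code base): verify on a
# connected machine that each advertised network is reached through the
# OpenVPN tap interface, as the manual says it should be. The routing
# table is read from a file in "ip route" format so the check can run on
# a saved capture; on a live machine run "ip route > file" first.

# Print the device that routes the prefix given as $2 according to the
# routing table in file $1; prints nothing when no such route exists.
route_iface() {
    prefix=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^${prefix} " "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1); exit }'
}

# $1: routing table file; remaining arguments: advertised networks.
# Returns 0 only when every network is routed through a tap interface.
check_advertised_routes() {
    rt="$1"; shift
    bad=0
    for net in "$@"; do
        dev=$(route_iface "$rt" "$net")
        case "$dev" in
            tap*) echo "OK: $net via $dev" ;;
            "")   echo "MISSING: $net has no route"; bad=1 ;;
            *)    echo "WRONG: $net is routed via $dev, outside the tunnel"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample (assumed addresses, not a real deployment): routing
# table of the eBox acting as OpenVPN client in LAN 2 (192.168.2.0/24)
# after the tunnel to the eBox in LAN 1 (192.168.1.0/24) has come up;
# the VPN subnet is 10.8.0.0/24.
write_sample_routes() {
    cat > "$1" <<'EOF'
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tap0
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.7
EOF
}

rt_file=$(mktemp)
write_sample_routes "$rt_file"
# LAN 1 is reached through the tunnel; 172.16.0.0/24 was never advertised;
# 203.0.113.0/24 shows what a network routed outside the tunnel looks like.
check_advertised_routes "$rt_file" 192.168.1.0/24 172.16.0.0/24 203.0.113.0/24
rm -f "$rt_file"
```

Run the script with the advertised networks configured on the server as arguments; a WRONG result for a network means traffic to it leaves the machine in clear over the external interface rather than through the VPN.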