Taking the OpenVPN experience to a new level: the bytemine manager

Posted by Felix Kronlage Tue, 21 Jul 2009 09:47:00 GMT

We’ve been deploying OpenVPN installs for a few years now, and all along the administration of the OpenVPN concentrators has been something our customers never really liked. For one, there is the Certificate Authority and the user management. The scripts provided by the OpenVPN developers, named “easy-rsa”, are nice but not very user-friendly. For another, there is always the wish to see which users are currently connected to the VPN and how much data they shove around.

At the end of last year, I looked around to find a different solution for handling the certificates and the users. While there are some tools out there, none of them really did it. The features we were looking for:

  • Easy handling of certificates and users
  • Being able to control the VPN Servers and see what was happening

Ain’t a big list. Wanting to handle the Certificate Authority (CA) meant for us that it had to be a stand-alone application and not a web frontend on the OpenVPN servers. Why? Very simple: in most places it is a requirement that the CA may not be connected permanently to the network, or at least not be on the same host that grants access based on certificates issued by this CA. The CA needs to be protected. Furthermore, I did not want to offer our customers a set of applications to use with the VPN servers, but only one application that would fulfill all their needs in regard to the OpenVPN concentrators.

We came up with what we call the “bytemine manager”. The “bytemine manager” is a stand-alone Java-based desktop application. Why Java, you ask? For one very simple reason: it allows you to use the application almost anywhere. Yes, there are tons of possibilities to achieve the same thing with other languages, but Java was from our perspective the simplest one. Mono was another idea, but there is no stable Mono environment for OpenBSD, and of course we wanted to use the application ourselves on OpenBSD.

Currently we’ve tested the “bytemine manager” on the following platforms:

  • various Windows flavours (XP, Vista)
  • various Linux Distributions (Ubuntu, Fedora, Debian)
  • OpenBSD

As long as you have access to a Java 6 runtime environment, you should be on the safe side. All libraries needed are bundled with the application. The contents of the application (certificates, users, configuration data) are stored in a SQLite database.

Coming back to the features of the “bytemine manager”: currently it brings the following features along:

  • user and certificate management
  • synchronisation of users and certificates to multiple OpenVPN servers
  • import of existing user and certificate data from existing OpenVPN installations
  • management of users and certificates stored in LDAP
  • users can be assigned independently to servers
  • display of currently connected users per server
  • display of usage data per user
  • termination of connections
  • modular design – various modules can be used independently of each other

User and certificate data are synchronised from within the application to the VPN concentrators via SSH. Of course the application supports the use of SSH keys, so you don’t even have to use password authentication, which makes it even safer. All communication with the VPN servers is done over the SSH connections. The manager application also allows filesystem- and LDAP-based export of the user and certificate data.

So this is already quite a lot. One of the neat features is that the “bytemine manager” is not only for use with our bytemine openbsd appliance, but can be used with any OpenVPN server. The only requirement is that, if you want to use the controlcenter, you will need at least OpenVPN 2.1rc14, since that version introduced the unix domain socket for the management interface. For security reasons, we decided not to support the cleartext telnet interface. The socket-wrapper interface, however, will be covered in an upcoming blog article by Holger.

More (German) information on the bytemine manager can be found on the corresponding product page.

There is a trial version of the application available: bytemine-manager-1.0.1-trial.zip.

Getting started with the bytemine openbsd appliance

Posted by Bernd Ahlers Tue, 14 Jul 2009 08:47:00 GMT

In the course of releasing version 1.1 of our bytemine openbsd appliance, we’d like to tell you about some details.

The bytemine openbsd appliance ships with a nicely written manual which covers lots of configuration topics. Following OpenBSD’s good practice of writing documentation for every file, we wrote man pages for every program and file we added on top of the OpenBSD default installation.

Let’s move on to the first boot of our new appliance.

The bytemine openbsd appliance comes with a pre-installed operating system; however, there are certain details we cannot decide for our users and customers during the installation. That’s where ba-firstboot(8) enters the stage.

The ba-firstboot(8) program will run during the very first boot and will ask you questions like the machine hostname, network interface configuration, nameserver configuration, smarthost for the MTA, timezone and some more stuff. After answering the questions and another reboot, your machine should be ready to be used.

Don’t panic. You can configure the bytemine openbsd appliance just like a regular OpenBSD system if you want. We just added some convenience to get the system up and running.

Learn about the bytemine openbsd appliance system.

A good starting point for learning about our additions to a regular OpenBSD system is the bytemine-appliance(8) manpage. It will explain the first boot configuration, the system startup options and will provide links to other man pages.

So much for the first steps. Following articles will highlight some more details and components.

Have fun!

May I introduce? bytemine openbsd appliance!

Posted by Felix Kronlage Thu, 07 May 2009 00:58:00 GMT

It’s been a couple of months since we announced the bytemine appliance, and back when we announced the hardware, we said it is the building block for a new product line. Here comes the next step!

The bytemine openbsd appliance!

It is built on OpenBSD 4.5 and includes a whole lot of additions, such as:

  • ba-update(8) – a software-updater to update your installation with security- and bugfix updates provided by bytemine
  • an extended bootloader to support the LCD
  • software to make use of the LCD from within the operating system
    • lcdssd(8) to display status information
    • lcdexec(8) to interact with the keypad and execute commands from the keypad
    • mlcd(8), lcdinfo(8) and lcdalert(8) to display various data on the display
  • rescue.rd – a rescue system which can be booted via the keypad
  • printed manual and documentation of all extensions in man-pages

Through the above-mentioned “ba-update” command you can easily update the appliance to always have the latest updates we release.

And for the German folks, here is a poster we did for the bytemine openbsd appliance release BBQ last Thursday:

Starting into 2009

Posted by Felix Kronlage Tue, 27 Jan 2009 23:58:00 GMT

The first 1/12th of the year is almost over already, time we surface here again. Lots of things have already happened since the 25th CCC congress.

Right after starting into the new year, the inner circle of the company had a meeting up at the North Sea. For three days we went to a small town, St. Peter-Ording, to lay out the next year. Be sure, lots of good things are up on the horizon (besides awesome sunrays).

Not only did our team grow right in the middle of January by another unix engineer (more on that in a later post), but you will be able to meet us at various trade shows and experience with us the launching of new services and products. The first one came right with the new year: we now officially offer what we’ve done for years, 24/7 unix support at an affordable rate.

Today I got the confirmation of the first talk I will be giving this year; it will be at IT Underground. I will give an overview of how you can work even more securely with your OpenBSD laptop: showing off the new crypto RAID discipline Marco Peereboom and others have added to softraid(4), quickly setting up IPsec networks with ipsecctl(8) and ipsec.conf(5), as well as OpenVPN, to name just a few of the things I will cover.

Right before IT Underground we will be at Chemnitzer Linux-Tage, showing off one of our new products! Be sure to meet us there!

Upcoming conference: Kieler Linux und Open Source Tage

Posted by Bernd Ahlers Wed, 17 Sep 2008 15:36:00 GMT

Team bytemine will attend the Kieler Linux und Open Source Tage, which will take place on the 10th and 11th of October 2008. We will have a booth where we’re going to present some of our products and services. Felix Kronlage will give a talk titled “Commercial deployment of OpenBSD-based products”. At our booth we will also have OpenBSD CDs and T-shirt merchandise available to help fund the OpenBSD project.

So if you’d like to see the talk or just like to have a chat with some byteminers, we’re looking forward to seeing you at the conference and our booth.