Since a VPN is a fairly complex service, we illustrate how to configure one with eBox using two typical scenarios.
You can set up eBox to support road warriors: eBox works as a gateway and an OpenVPN server with a local area network (LAN) behind it, and remote clients (the road warriors) connect to eBox from the WAN in order to reach the protected LAN through the VPN. The following figure illustrates the scenario:
Our objective is to connect client 3 with the two remote clients (1 and 2), and to connect those two remote clients with each other.
First, we need to create the Certification Authority and issue certificates for every element in the system: the OpenVPN server and the two remote clients. In this scenario, the same eBox also acts as the Certification Authority.
For detailed information about the eBox Certification Authority module, see its own section in the manual.
Once we have the certificates, we set up the OpenVPN server in eBox at Create new server. We give it a name, a protocol/port pair, a certificate (the one created above) and a subnet to work with. The remaining settings can be left at their default values. As we can see, the OpenVPN server will listen on all external interfaces, so we need to mark at least one eBox interface as external via → . In our scenario only two interfaces are needed: an internal one for the LAN and an external one facing the Internet.
After creating the OpenVPN server, enable the service and save changes. Then check in Status that the OpenVPN server is running.
Afterwards, add the advertised networks: the networks that authorised OpenVPN clients will be able to access. These advertised networks must be reachable from eBox. You set them by editing the chosen OpenVPN server. In our scenario, add the local network so that client 3 becomes visible to the other two clients.
Now it is time to configure the clients. An OpenVPN client can be configured using our bundles, which are available from the Servers table by clicking the Down arrow icon. Bundles for two operating systems are provided; choose the one you use. If you are using a BSD-like environment such as MacOS™, choose Linux system. Choose the client certificate to give to the client and set the external IP address that the VPN clients must connect to; eBox will try to guess it using an Internet web service. If the selected system is Windows™, the OpenVPN installer for Win32 is included as well. The result is an archive to be distributed to the client.
The bundle includes the configuration file and the files required to start the VPN connection. For instance, in Linux, just decompress the archive and, in the newly created directory, run the following command: openvpn --config filename. Now you have access to client 3 from the two remote clients. To connect the remote clients with each other, it is necessary to set the Allow client-to-client connections check-box within the OpenVPN server configuration. To check that the configuration is correct, look at the routing table, where the advertised networks are added to the tapX virtual interface.
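As an added example (not part of the eBox manual or of eBox's own code), the following POSIX shell script performs the two checks described above on an unpacked client bundle: before running openvpn --config it verifies that the configuration file carries the directives a client needs and that the CA, certificate and key files it references are actually present, and afterwards it extracts from ip route output the networks routed through a given tap interface so they can be compared with the server's advertised networks. The host name vpn.example.org, the file names and the route listing are constructed sample data, not values produced by eBox.

```shell
#!/bin/sh
# Added example, not eBox code: sanity-check an unpacked OpenVPN client bundle
# before running `openvpn --config <file>`, then confirm which networks the
# routing table sends through the tap interface (the advertised networks).
set -u

# Return 0 if the config contains every directive a client needs and each
# file named by ca/cert/key exists beside the config; otherwise print what is
# missing to stderr and return 1.
check_bundle() {
  conf=$1
  conf_dir=$(dirname "$conf")
  rc=0
  if [ ! -r "$conf" ]; then
    echo "missing config: $conf" >&2
    return 1
  fi
  for directive in client dev proto remote ca cert key; do
    if ! grep -Eq "^[[:space:]]*${directive}"'([[:space:]]|$)' "$conf"; then
      echo "missing directive: $directive" >&2
      rc=1
    fi
  done
  for directive in ca cert key; do
    file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
    if [ -n "$file" ] && [ ! -r "$conf_dir/$file" ]; then
      echo "referenced file not found: $conf_dir/$file" >&2
      rc=1
    fi
  done
  return $rc
}

# Read `ip route` output on stdin and print, sorted, the destination networks
# (excluding the default route) that are sent out through interface $1.
routes_via() {
  awk -v ifc="$1" '
    $1 != "default" {
      for (i = 1; i < NF; i++)
        if ($i == "dev" && $(i + 1) == ifc) print $1
    }' | sort
}

# Build a constructed sample bundle in a temporary directory and print its path.
# The host name, file names and (empty) certificate files are placeholders.
make_sample_bundle() {
  bundle_dir=$(mktemp -d)
  cat > "$bundle_dir/client.conf" <<'EOF'
client
dev tap
proto udp
remote vpn.example.org 1194
ca cacert.pem
cert client3.pem
key client3.key
EOF
  : > "$bundle_dir/cacert.pem"
  : > "$bundle_dir/client3.pem"
  : > "$bundle_dir/client3.key"
  printf '%s\n' "$bundle_dir"
}

# Constructed `ip route` output from a connected client: 192.168.1.0/24 is the
# LAN advertised by the server, reachable through the tap0 VPN interface.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tap0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.10'

# Stand-alone run: check the sample bundle, then list networks routed via tap0.
demo_dir=$(make_sample_bundle)
if check_bundle "$demo_dir/client.conf"; then
  echo "bundle OK, ready for: openvpn --config $demo_dir/client.conf"
fi
echo "networks routed through tap0:"
printf '%s\n' "$SAMPLE_ROUTES" | routes_via tap0
rm -rf "$demo_dir"
```

On a real client, replace the constructed directory with the one created by decompressing the bundle and pipe the output of ip route into routes_via tapX; every network you advertised on the server should appear in that list once the tunnel is up.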
This second scenario pictures a common use case for eBox: two offices on different networks need to be connected through a private network. To do so, we use an eBox as the gateway in each local network, one acting as an OpenVPN client and the other as an OpenVPN server. The following figure illustrates the situation:
Our aim is to connect client 1 in LAN 1 with client 2 in LAN 2 as if they were on the same local network. Therefore we need to set up the OpenVPN server as we did in Section 18.2.1. However, a couple of changes are needed: enable the option Allow eBox-to-eBox tunnels so that routes are exchanged among the eBox machines, and set an eBox-to-eBox tunnel password to make the link between the two offices somewhat more secure.
To configure eBox as an OpenVPN client, use the Create new client button within the menu. Set the client's name and mark it as active. You may configure the client manually, supplying the required information, or automatically, using the bundle provided by the server as we did in Section 18.2.1. The former requires the server's service address, the required certificates and the server's tunnel password; with the latter, this information is extracted automatically from the bundle. When you save changes, the status summary shows the new OpenVPN daemon in LAN 2 running as a client, with the other eBox within LAN 1 as its connection target.