https://www.slackwiki.com/index.php?title=OpenVPN(EN)&feed=atom&action=history
OpenVPN(EN) - Revision history
2024-03-28T10:10:16Z
Revision history for this page on the wiki
MediaWiki 1.40.0
https://www.slackwiki.com/index.php?title=OpenVPN(EN)&diff=268&oldid=prev
Seekret: /* Configuring the Client */
2009-12-01T17:19:13Z
<p><span dir="auto"><span class="autocomment">Configuring the Client</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 17:19, 1 December 2009</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l402">Line 402:</td>
<td colspan="2" class="diff-lineno">Line 402:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Configuring the Client==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Configuring the Client==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Edit the client.conf file <del style="font-weight: bold; text-decoration: none;">with vi </del>'''''vi /etc/openvpn/client.conf'''''</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Edit the client.conf file<ins style="font-weight: bold; text-decoration: none;">: </ins>'''''vi /etc/openvpn/client.conf'''''</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>## Config</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>## Config</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l477">Line 477:</td>
<td colspan="2" class="diff-lineno">Line 477:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Example==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Example==</div></td></tr>
</table>
Seekret
https://www.slackwiki.com/index.php?title=OpenVPN(EN)&diff=267&oldid=prev
Seekret: /* Configuring the Server */
2009-12-01T17:18:48Z
<p><span dir="auto"><span class="autocomment">Configuring the Server</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 17:18, 1 December 2009</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l267">Line 267:</td>
<td colspan="2" class="diff-lineno">Line 267:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Configuring the Server==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Configuring the Server==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Edit the server.conf file <del style="font-weight: bold; text-decoration: none;">with vi </del>'''''vi /etc/openvpn/server.conf'''''</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Edit the server.conf file<ins style="font-weight: bold; text-decoration: none;">: </ins>'''''vi /etc/openvpn/server.conf'''''</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>## Mode Server</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>## Mode Server</div></td></tr>
</table>
Seekret
https://www.slackwiki.com/index.php?title=OpenVPN(EN)&diff=266&oldid=prev
Seekret: This is just an English version of the existing OpenVPN page.
2009-12-01T17:18:06Z
<p>This is just an English version of the existing OpenVPN page.</p>
<p><b>New page</b></p><div>[[Category:Server]]<br />
[[Category:Networking]]<br />
[[Category:Tutorials]]<br />
As a user-space VPN daemon, OpenVPN is compatible with SSL/TLS, RSA certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.<br />
<br />
OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.<br />
<br />
__TOC__<br />
== Installation ==<br />
<br />
Download source from [http://openvpn.net openvpn.net]<br />
<br />
Download version 2.0<br />
<br />
Install LZO<br />
<pre><br />
tar zxvf lzo-1.08.tar.gz<br />
cd lzo-1.08<br />
./configure --prefix=/usr<br />
make ; make install-strip<br />
</pre><br />
Install OpenVPN<br />
<pre><br />
tar zxvf openvpn-2.0.tar.gz<br />
cd openvpn-2.0<br />
./configure --prefix=/usr \<br />
--sysconfdir=/etc/openvpn \<br />
--enable-pthread \<br />
--enable-iproute2 \<br />
--with-ssl \<br />
--with-lzo-header=/usr/include \<br />
--with-lzo-lib=/usr/lib \<br />
--with-ifconfig \<br />
--with-route \<br />
--with-mem-check=dmalloc <br />
make ; make install-strip<br />
</pre><br />
== Configuration ==<br />
<br />
==Configuring Certificates==<br />
<br />
Save all certificates in '''''/etc/openvpn/certs'''''<br />
<pre><br />
This is a small RSA key management package,<br />
based on the openssl command line tool, that<br />
can be found in the easy-rsa subdirectory<br />
of the OpenVPN distribution.<br />
<br />
These are reference notes. For step<br />
by step instructions, see the HOWTO:<br />
<br />
http://openvpn.net/howto.html<br />
<br />
INSTALL<br />
<br />
1. Edit vars.<br />
2. Set KEY_CONFIG to point to the openssl.cnf file<br />
included in this distribution.<br />
3. Set KEY_DIR to point to a directory which will<br />
contain all keys, certificates, etc. This<br />
directory need not exist, and if it does,<br />
it will be deleted with rm -rf, so BE<br />
CAREFUL how you set KEY_DIR.<br />
4. (Optional) Edit other fields in vars<br />
per your site data. You may want to<br />
increase KEY_SIZE to 2048 if you are<br />
paranoid and don't mind slower key<br />
processing, but certainly 1024 is<br />
fine for testing purposes. KEY_SIZE<br />
must be compatible across both peers<br />
participating in a secure SSL/TLS<br />
connection.<br />
5. . vars<br />
6. ./clean-all<br />
7. As you create certificates, keys, and<br />
certificate signing requests, understand that<br />
only .key files should be kept confidential.<br />
.crt and .csr files can be sent over insecure<br />
channels such as plaintext email.<br />
8. You should never need to copy a .key file<br />
between computers. Normally each computer<br />
will have its own certificate/key pair.<br />
<br />
BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY<br />
<br />
1. ./build-ca<br />
2. ca.crt and ca.key will be built in your KEY_DIR<br />
directory<br />
<br />
BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)<br />
<br />
1. ./build-inter inter<br />
2. inter.crt and inter.key will be built in your KEY_DIR<br />
directory and signed with your root certificate.<br />
<br />
BUILD DIFFIE-HELLMAN PARAMETERS (necessary for<br />
the server end of a SSL/TLS connection).<br />
<br />
1. ./build-dh<br />
<br />
BUILD A CERTIFICATE SIGNING REQUEST (If<br />
you want to sign your certificate with a root<br />
certificate controlled by another individual<br />
or organization, or residing on a different machine).<br />
<br />
1. Get ca.crt (the root certificate) from your<br />
certificate authority. Though this<br />
transfer can be over an insecure channel, to prevent<br />
man-in-the-middle attacks you must confirm that<br />
ca.crt was not tampered with. Large CAs solve this<br />
problem by hardwiring their root certificates into<br />
popular web browsers. A simple way to verify a root<br />
CA is to call the issuer on the telephone and confirm<br />
that the md5sum or sha1sum signatures on the ca.crt<br />
files match (such as with the command: "md5sum ca.crt").<br />
2. Choose a name for your certificate such as your computer<br />
name. In our example we will use "mycert".<br />
3. ./build-req mycert<br />
4. You can ignore most of the fields, but set<br />
"Common Name" to something unique such as your<br />
computer's host name. Leave all password<br />
fields blank, unless you want your private key<br />
to be protected by password. Using a password<br />
is not required -- it will make your key more secure<br />
but also more inconvenient to use, because you will<br />
need to supply your password anytime the key is used.<br />
NOTE: if you are using a password, use ./build-req-pass<br />
instead of ./build-req<br />
5. Your key will be written to $KEY_DIR/mycert.key<br />
6. Your certificate signing request will be written to<br />
to $KEY_DIR/mycert.csr<br />
7. Email mycert.csr to the individual or organization<br />
which controls the root certificate. This can be<br />
done over an insecure channel.<br />
8. After the .csr file is signed by the root certificate<br />
authority, you will receive a file mycert.crt<br />
(your certificate). Place mycert.crt in your<br />
KEY_DIR directory.<br />
9. The combined files of mycert.crt, mycert.key,<br />
and ca.crt can now be used to secure one end of<br />
an SSL/TLS connection.<br />
<br />
SIGN A CERTIFICATE SIGNING REQUEST<br />
<br />
1. ./sign-req mycert<br />
2. mycert.crt will be built in your KEY_DIR<br />
directory using mycert.csr and your root CA<br />
file as input.<br />
<br />
BUILD AND SIGN A CERTIFICATE SIGNING REQUEST<br />
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this<br />
script generates and signs a certificate in one step,<br />
but it requires that the generated certificate and private<br />
key files be copied to the destination host over a<br />
secure channel.<br />
<br />
1. ./build-key mycert (no password protection)<br />
2. OR ./build-key-pass mycert (with password protection)<br />
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)<br />
4. OR ./build-key-server mycert (with nsCertType=server)<br />
5. mycert.crt and mycert.key will be built in your<br />
KEY_DIR directory, and mycert.crt will be signed<br />
by your root CA. If ./build-key-pkcs12 was used a<br />
mycert.p12 file will also be created including the<br />
private key, certificate and the ca certificate.<br />
<br />
IMPORTANT<br />
<br />
To avoid a possible Man-in-the-Middle attack where an authorized<br />
client tries to connect to another client by impersonating the<br />
server, make sure to enforce some kind of server certificate<br />
verification by clients. There are currently four different ways<br />
of accomplishing this, listed in the order of preference:<br />
<br />
(1) Build your server certificates with the build-key-server<br />
script. This will designate the certificate as a<br />
server-only certificate by setting nsCertType=server.<br />
Now add the following line to your client configuration:<br />
<br />
ns-cert-type server<br />
<br />
This will block clients from connecting to any<br />
server which lacks the nsCertType=server designation<br />
in its certificate, even if the certificate has been<br />
signed by the CA which is cited in the OpenVPN configuration<br />
file (--ca directive).<br />
<br />
(2) Use the --tls-remote directive on the client to<br />
accept/reject the server connection based on the common<br />
name of the server certificate.<br />
<br />
(3) Use a --tls-verify script or plugin to accept/reject the<br />
server connection based on a custom test of the server<br />
certificate's embedded X509 subject details.<br />
<br />
(4) Sign server certificates with one CA and client certificates<br />
with a different CA. The client config "ca" directive should<br />
reference the server-signing CA while the server config "ca"<br />
directive should reference the client-signing CA.<br />
<br />
NOTES<br />
<br />
Show certificate fields:<br />
openssl x509 -in cert.crt -text<br />
</pre><br />
<pre><br />
# cd easy-rsa<br />
# vi vars<br />
. vars<br />
./clean-all<br />
<br />
## BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY<br />
./build-ca<br />
<br />
## BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)<br />
./build-inter inter<br />
<br />
## BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection).<br />
./build-dh<br />
<br />
## BUILD A CERTIFICATE SIGNING REQUEST <br />
## (If you want to sign your certificate with a root certificate controlled by another individual <br />
## or organization, or residing on a different machine)<br />
<br />
./build-req mycert<br />
## SIGN A CERTIFICATE SIGNING REQUEST<br />
./sign-req mycert<br />
<br />
## BUILD AND SIGN A CERTIFICATE SIGNING REQUEST USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY<br />
./build-key mycert (no password protection)<br />
OR <br />
./build-key-pass mycert (with password protection)<br />
OR <br />
./build-key-pkcs12 mycert (PKCS #12 format)<br />
OR <br />
./build-key-server mycert (with nsCertType=server)<br />
</pre><br />
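Option (3) of the IMPORTANT notes above, as an added example that is not part of this page or of the OpenVPN distribution: a POSIX shell script for the client's ''--tls-verify'' directive that accepts the handshake only when the server's own (depth 0) certificate carries the expected Common Name. The value ''server'' for EXPECTED_CN is an assumption; set it to the CN you gave the server certificate.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page or the OpenVPN distribution: a script
# for the client's --tls-verify directive (option 3 of the notes above).
# OpenVPN runs it once for every certificate in the server's chain with two
# arguments: $1 = depth (0 is the peer's own certificate, 1 its issuer, ...)
# and $2 = the certificate's X509 subject. Exit status 0 accepts that
# certificate; any other status aborts the TLS handshake.
# EXPECTED_CN is an assumed value: set it to the CN of your server certificate.
EXPECTED_CN="${EXPECTED_CN:-server}"

# subject_cn SUBJECT -> prints the CN field of an X509 subject string.
# Accepts both the "/C=KG/O=x/CN=server" form older OpenVPN releases pass
# and the "C=KG, O=x, CN=server" form used by newer ones.
subject_cn() {
  printf '%s\n' "$1" \
    | tr '/,' '\n\n' \
    | sed -n 's/^[[:space:]]*CN=//p' \
    | head -n 1
}

# verify_peer DEPTH SUBJECT -> 0 to accept, 1 to reject.
# Only the leaf certificate (depth 0) must be the server's; certificates
# higher in the chain are left to OpenVPN's normal validation against --ca.
verify_peer() {
  depth="$1"
  subject="$2"
  if [ "$depth" != "0" ]; then
    return 0
  fi
  cn="$(subject_cn "$subject")"
  if [ -n "$cn" ] && [ "$cn" = "$EXPECTED_CN" ]; then
    return 0
  fi
  echo "tls-verify: rejecting peer certificate with CN='$cn'" >&2
  return 1
}

# When OpenVPN invokes the script it passes exactly two arguments; act on
# them and report the verdict as the exit status.
if [ "$#" -eq 2 ]; then
  verify_peer "$1" "$2"
  exit "$?"
fi
```

Reference it from client.conf as ''tls-verify /etc/openvpn/tls-verify.sh'' (OpenVPN 2.1 and later also require ''script-security 2'' before external scripts are run).<br />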
<br />
==Configuring the Server==<br />
<br />
Edit the server.conf file: '''''vi /etc/openvpn/server.conf'''''<br />
<pre><br />
## Mode Server<br />
mode server<br />
<br />
## Local Host Name/IP Server<br />
;local 127.0.0.1<br />
<br />
## Protocol<br />
;proto tcp<br />
proto udp<br />
<br />
## Port<br />
; port 1194<br />
<br />
## Device Interface<br />
;dev tap<br />
dev tun<br />
<br />
## TAP-Win32 adapter name<br />
;dev-node MyTap<br />
<br />
## SSL/TLS <br />
## root certificate (ca)<br />
## certificate (cert)<br />
## private key (key)<br />
ca /etc/openvpn/certs/ca.crt<br />
cert /etc/openvpn/certs/server.crt<br />
key /etc/openvpn/certs/server.key<br />
<br />
## Diffie hellman parameters<br />
dh dh1024.pem<br />
<br />
## VPN subnet<br />
server 10.8.0.0 255.255.255.0<br />
<br />
ifconfig-pool-persist ipp.txt<br />
<br />
##ethernet bridging<br />
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100<br />
<br />
## Push routes to clients<br />
;push "route 192.168.10.0 255.255.255.0"<br />
;push "route 192.168.20.0 255.255.255.0"<br />
<br />
;client-config-dir ccd<br />
<br />
;route 192.168.40.128 255.255.255.248<br />
<br />
;client-config-dir ccd<br />
<br />
;route 10.9.0.0 255.255.255.252<br />
<br />
;learn-address ./script<br />
<br />
## DHCP caveats: redirect the default gateway, push DNS/WINS options<br />
;push "redirect-gateway"<br />
;push "dhcp-option DNS 10.8.0.1"<br />
;push "dhcp-option WINS 10.8.0.1"<br />
<br />
## Allow clients to reach each other<br />
;client-to-client<br />
<br />
## same "COMMON NAME" certificate/key<br />
;duplicate-cn<br />
<br />
## Status Connection<br />
keepalive 10 120<br />
<br />
## tls-auth key<br />
;tls-auth ta.key 0 <br />
<br />
## Cryptographic cipher<br />
;cipher BF-CBC # Blowfish (default)<br />
;cipher AES-128-CBC # AES<br />
;cipher DES-EDE3-CBC # Triple-DES<br />
<br />
## Link Compression<br />
comp-lzo<br />
<br />
## Max Client Connections<br />
;max-clients 100<br />
<br />
## daemon privileges (non-Windows only)<br />
user nobody<br />
group nobody<br />
<br />
persist-key<br />
persist-tun<br />
<br />
## Openvpn Log<br />
;log /var/log/openvpn/openvpn.log<br />
;log-append /var/log/openvpn/openvpn.log<br />
<br />
## Output Log<br />
status /var/log/openvpn/openvpn-status.log<br />
<br />
## Log Verbosity<br />
## 0 is silent, except for fatal errors<br />
## 4 is reasonable for general usage<br />
## 5 and 6 can help to debug connection problems<br />
## 9 is extremely verbose<br />
verb 3<br />
<br />
## Repeating Messages<br />
;mute 20<br />
<br />
## Pid File<br />
writepid /var/run/openvpn.pid<br />
</pre><br />
<br />
'''Routing'''<br />
<br />
<pre><br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2<br />
</pre><br />
<br />
'''Firewall'''<br />
<pre><br />
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT<br />
OR<br />
iptables -A INPUT -p udp --dport 1194 -j ACCEPT<br />
<br />
## Tun Device<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
<br />
## Tap Device<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
</pre><br />
<br />
==Configuring the Client==<br />
<br />
Edit the client.conf file: '''''vi /etc/openvpn/client.conf'''''<br />
<pre><br />
## Config<br />
client<br />
<br />
## Device Interface<br />
;dev tap<br />
dev tun<br />
<br />
## Tap adapter name (Win only)<br />
;dev-node MyTap<br />
<br />
## Connectivity<br />
;proto tcp<br />
proto udp<br />
<br />
## Server [hostname/ip] [port]<br />
remote my-server-1 1194<br />
;remote my-server-2 1194<br />
<br />
## load-balancing<br />
;remote-random<br />
<br />
## resolve host name OpenVPN server<br />
resolv-retry infinite<br />
<br />
# local port<br />
nobind<br />
<br />
## privileges (non-Windows only)<br />
user nobody<br />
group nobody<br />
<br />
## preserve<br />
persist-key<br />
persist-tun<br />
<br />
## HTTP proxy<br />
;http-proxy-retry <br />
;http-proxy [proxy server] [proxy port]<br />
<br />
## duplicate packet warnings<br />
;mute-replay-warnings<br />
<br />
## SSL/TLS parms<br />
ca /etc/openvpn/certs/ca.crt<br />
cert /etc/openvpn/certs/client.crt<br />
key /etc/openvpn/certs/client.key<br />
<br />
## nsCertType key<br />
;ns-cert-type server<br />
<br />
## tls-auth key<br />
;tls-auth /etc/openvpn/certs/ta.key 1<br />
<br />
## Cryptographic cipher<br />
;cipher x<br />
<br />
## Link compression<br />
comp-lzo<br />
<br />
## verbosity<br />
## 0 is silent, except for fatal errors<br />
## 4 is reasonable for general usage<br />
## 5 and 6 can help to debug connection problems<br />
## 9 is extremely verbose<br />
verb 3<br />
<br />
## repeating messages<br />
;mute 20<br />
</pre><br />
'''Routing'''<br />
<pre><br />
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 <br />
</pre><br />
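A check for the client.conf given above, as an added example that is not part of the wiki page: a small POSIX shell lint that reads a client config, honours OpenVPN's ';' and '#' comment markers, and reports whether the settings the certificate notes call for (ca/cert/key directives, server certificate verification, tls-auth with the client key direction) are actually enabled. The two configs it inspects are constructed inline from this page's client.conf, once as written and once corrected.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: a lint for an OpenVPN client
# config that checks the settings the certificate notes above insist on
# (ca/cert/key directives, server certificate verification, tls-auth).
# It follows OpenVPN's comment syntax: lines starting with ';' or '#' are
# inactive, so ";ns-cert-type server" does not count as enabled.

# conf_has FILE DIRECTIVE -> 0 if an active line starts with DIRECTIVE.
conf_has() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# conf_get FILE DIRECTIVE -> prints the arguments of the first active line.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# check_client_conf FILE -> problems on stderr, problem count on stdout.
check_client_conf() {
  f="$1"
  n=0
  if ! conf_has "$f" ca || ! conf_has "$f" cert || ! conf_has "$f" key; then
    echo "ca/cert/key: write them as 'ca <file>', 'cert <file>', 'key <file>'" >&2
    n=$((n + 1))
  fi
  # ns-cert-type is what this page's OpenVPN 2.0 uses; remote-cert-tls is
  # the replacement in OpenVPN 2.1 and later.
  if ! conf_has "$f" ns-cert-type && ! conf_has "$f" remote-cert-tls; then
    echo "no server certificate check: enable 'ns-cert-type server'" >&2
    n=$((n + 1))
  fi
  if ! conf_has "$f" tls-auth; then
    echo "no tls-auth: control channel packets are not HMAC-protected" >&2
    n=$((n + 1))
  else
    case "$(conf_get "$f" tls-auth)" in
      *" 1") ;;   # key direction 1 on the client matches 0 on the server
      *) echo "tls-auth key direction must be 1 on the client" >&2
         n=$((n + 1)) ;;
    esac
  fi
  echo "$n"
}

# Constructed sample 1: this page's client.conf as written above, with the
# verification directives still commented out and ca/cert/key inverted.
WEAK_CONF="$(mktemp)"
cat >"$WEAK_CONF" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
nobind
/etc/openvpn/certs/ca ca.crt
/etc/openvpn/certs/cert client.crt
/etc/openvpn/certs/key client.key
;ns-cert-type server
;tls-auth /etc/openvpn/certs/ta.key 1
comp-lzo
verb 3
EOF

# Constructed sample 2: the same config with the three fixes applied.
FIXED_CONF="$(mktemp)"
cat >"$FIXED_CONF" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
nobind
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
ns-cert-type server
tls-auth /etc/openvpn/certs/ta.key 1
comp-lzo
verb 3
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

echo "weak config problems:  $(check_client_conf "$WEAK_CONF")"
echo "fixed config problems: $(check_client_conf "$FIXED_CONF")"
```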
<br />
==Example==<br />
<br />
'''Example 1:''' A simple tunnel without security<br><br />
'''On May: Server Side'''<br />
<pre><br />
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9<br />
</pre><br />
<br />
'''On Jun: Client Side'''<br />
<pre><br />
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9 <br />
</pre><br />
<br />
On May:<br />
ping 10.4.0.2 <br />
<br />
On Jun:<br />
ping 10.4.0.1<br />
<br />
'''Example 2:''' A tunnel with static-key security (i.e. using a pre-shared secret)<br><br />
'''On May: Server Side'''<br />
<pre><br />
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \<br />
--verb 5 --secret key<br />
</pre><br />
<br />
'''On Jun: Client Side'''<br />
<pre><br />
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \<br />
--verb 5 --secret key <br />
</pre><br />
<br />
On May:<br />
ping 10.4.0.2 <br />
<br />
On Jun:<br />
ping 10.4.0.1<br />
<br />
'''Example 3:''' A tunnel with full TLS-based security <br><br />
'''On May: Server Side''' (May runs with ''--tls-client'' here, so it is the TLS client of this tunnel)<br />
<pre><br />
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \<br />
--tls-client --ca tmp-ca.crt --cert client.crt --key client.key \<br />
--reneg-sec 60 --verb 5 <br />
</pre><br />
<br />
'''On Jun: Client Side''' (Jun runs with ''--tls-server'' and supplies the DH parameters, so it is the TLS server)<br />
<pre><br />
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \<br />
--tls-server --ca tmp-ca.crt --cert server.crt --key server.key \<br />
--reneg-sec 60 --verb 5 --dh dh1024.pem<br />
</pre><br />
<br />
On May:<br />
<br />
ping 10.4.0.2 <br />
<br />
On Jun:<br />
<br />
ping 10.4.0.1<br />
<br />
== External Links ==<br />
<br />
* http://dmalloc.com/<br />
* http://valgrind.org/<br />
* http://www.oberhumer.com/opensource/lzo/<br />
* http://openvpn.net/<br />
* http://openvpn.net/howto.html<br />
* http://openvpn.net/1xhowto.html (Old-v1.06)<br />
* http://openvpn.net/man.html</div>
Seekret