OpenVPN configuration

From FnordWiki

Wouldn't it be nice to talk to the private network resources through some sort of secure channel? We make use of OpenVPN for that. It lets confidential, authenticated traffic flow over potentially hostile networks.

Some quick bits about the config:

  • Private PKI in use for certificate-based authentication
  • TLS HMAC auth (tls-auth config option) in use. Migrate to tls-crypt once all clients are compatible (OpenWRT wifi APs, for instance, probably need updating first)
  • Template-based client and server config file creation
  • client-to-client in use so that two VPN client systems can talk to each other directly instead of bouncing through a third system
  • Ciphers are currently chosen manually -- after testing all clients, consider switching to "negotiable crypto parameters" (NCP), an OpenVPN 2.4 feature

Server install (documentation not yet complete)

sudo apt-get install openvpn
# Trusted CA certificates and CRLs live in one directory, laid out the way OpenSSL's capath expects
sudo mkdir -m 755 /etc/openvpn/certificate-authorities
sudo install -o root -g root -m 644 fnord*.cr[lt] /etc/openvpn/certificate-authorities
cd /etc/openvpn/certificate-authorities
# <subject-hash>.0 links for the CA certs, <subject-hash>.r0 links for their CRLs
# (the CRL link takes the hash of the matching CA cert; paths are quoted so odd filenames do not break the loop)
for f in *.crt; do sudo ln -s "${f}" "$(openssl x509 -hash -noout -in "${f}").0"; done
for f in *.crl; do sudo ln -s "${f}" "$(openssl x509 -hash -noout -in "${f%.crl}.crt").r0"; done
cd -
sudo openssl dhparam -out /etc/openvpn/vpn-0.fnord.greeley.co.us_server_dh4096.pem 4096 # expect this to take quite a while
# copy certificate and key file to /etc/openvpn (certificate (and probably the server's private key as well) was generated elsewhere)
# copy server config to /etc/openvpn
sudo systemctl start openvpn@vpn-0.fnord.greeley.co.us_server

Please note that this does still need some work.
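The config bullets above and the install steps leave the actual config files implicit. The script below is an added example, not FnordWiki's own template: it renders a server and a client config from one set of variables, emitting tls-auth today and tls-crypt once the TLS_MODE variable is flipped, and then checks a rendered config for the options this setup depends on. The host name, key path, cipher and client name are placeholders; capath points at the hash-linked certificate-authorities directory created above, which is the layout OpenVPN's --capath option reads.

```shell
#!/bin/sh
# Added example (not the wiki's template). Every value below is an assumption.
SERVER_NAME="${SERVER_NAME:-vpn-0.example.test}"       # placeholder host name
CA_DIR="/etc/openvpn/certificate-authorities"            # hash-linked CA certs and CRLs
TA_KEY="/etc/openvpn/ta.key"                             # assumed shared control-channel key
CIPHER="AES-256-GCM"                                     # manually chosen, see ncp note below
TLS_MODE="${TLS_MODE:-tls-auth}"                         # switch to tls-crypt once all clients can

# Emit the control-channel protection line. tls-auth needs a key direction
# (0 on the server, 1 on the client); tls-crypt takes no direction.
tls_line() {
    role="$1"
    case "$TLS_MODE" in
        tls-auth)
            if [ "$role" = server ]; then echo "tls-auth $TA_KEY 0"; else echo "tls-auth $TA_KEY 1"; fi ;;
        tls-crypt)
            echo "tls-crypt $TA_KEY" ;;
        *)
            echo "unknown TLS_MODE: $TLS_MODE" >&2; return 1 ;;
    esac
}

# Server config: certificate auth via the private PKI, CRL checking through
# capath, client-to-client so two clients can reach each other directly.
render_server() {
    cat <<EOF
port 1194
proto udp
dev tun
capath $CA_DIR
cert /etc/openvpn/${SERVER_NAME}_server.crt
key /etc/openvpn/${SERVER_NAME}_server.key
dh /etc/openvpn/${SERVER_NAME}_server_dh4096.pem
$(tls_line server)
cipher $CIPHER
# With OpenVPN 2.4 on both ends, "ncp-ciphers AES-256-GCM:AES-128-GCM" negotiates this instead
remote-cert-tls client
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
EOF
}

# Client config rendered from the same variables; client cert name is the argument.
render_client() {
    client_name="$1"
    cat <<EOF
client
dev tun
proto udp
remote $SERVER_NAME 1194
nobind
capath $CA_DIR
cert /etc/openvpn/${client_name}.crt
key /etc/openvpn/${client_name}.key
$(tls_line client)
cipher $CIPHER
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Return 0 when a rendered config carries trust-store, control-channel
# protection, cipher and peer-role checks; list anything missing on stderr.
check_config() {
    cfg="$1"; rc=0
    for want in "capath " "cipher " "remote-cert-tls "; do
        printf '%s\n' "$cfg" | grep -q "^$want" || { echo "missing: $want" >&2; rc=1; }
    done
    printf '%s\n' "$cfg" | grep -Eq '^tls-(auth|crypt) ' || { echo "missing: tls-auth/tls-crypt" >&2; rc=1; }
    return $rc
}

# Usage: sh render.sh server > server.conf   or   sh render.sh client laptop-0 > laptop-0.conf
case "${1:-}" in
    server) render_server ;;
    client) render_client "${2:-client-0}" ;;
esac
```

Two caveats worth keeping in mind: capath is not available in OpenVPN builds linked against mbed TLS, which some OpenWRT packages use, so such a client needs a single concatenated ca file instead; and flipping TLS_MODE to tls-crypt changes the server's expectations for every client at once, so every rendered client config has to be redeployed in the same step.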

A Windows client system

lorem ipsum

A Linux client system

lorem ipsum

An Android client system

lorem ipsum

An OpenWRT client system

lorem ipsum