Difference between revisions of "OpenVPN configuration"
Revision as of 01:37, 13 January 2018
Wouldn't it be nice to talk to the private network resources through some sort of secure channel? We make use of OpenVPN for that. This will allow private, authenticated traffic flow over potentially hostile networks.
Some quick bits about the config:
- Private PKI in use to do certificate based authentication
- TLS HMAC auth (tls-auth config option) in use. Migrate to using tls-crypt when all clients are compatible (OpenWRT wifi APs for instance probably need updating)
- template based client and server config file creation
- client-to-client in use to allow two VPN client systems to talk with each other instead of bouncing through a third system
- ciphers are currently manually chosen -- after testing all clients, consider switching to "negotiable crypto parameters", an OpenVPN 2.4 feature
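The template-based config creation and the tls-auth/tls-crypt and cipher choices above, as an added example (not the wiki's own tooling): it renders a server config and the matching client config from one set of parameters, then lints the pair for the mistakes that bite in practice (mismatched key mode, wrong tls-auth key directions, cipher mismatch without NCP). File paths, the `ta.key` name, and the address plan are assumptions.

```python
"""Render an OpenVPN server/client config pair from one set of parameters and lint it."""
from typing import Dict, List

def render_pair(name: str, host: str, cipher: str, tls_mode: str = "tls-auth",
                client_to_client: bool = True) -> Dict[str, str]:
    """Return {'server': text, 'client': text} for one deployment (paths are assumed)."""
    if tls_mode == "tls-auth":      # shared HMAC key, opposite key directions per side
        srv_tls, cli_tls = "tls-auth ta.key 0", "tls-auth ta.key 1"
    elif tls_mode == "tls-crypt":   # also encrypts the control channel, no direction arg
        srv_tls = cli_tls = "tls-crypt ta.key"
    else:
        raise ValueError("tls_mode must be 'tls-auth' or 'tls-crypt'")
    server = ["port 1194", "proto udp", "dev tun", "server 10.8.0.0 255.255.255.0",
              f"cert /etc/openvpn/{name}_server.crt", f"key /etc/openvpn/{name}_server.key",
              f"dh /etc/openvpn/{name}_server_dh4096.pem",
              "capath /etc/openvpn/certificate-authorities",  # hashed CA/CRL dir
              srv_tls, f"cipher {cipher}"]
    if client_to_client:            # clients may reach each other through the server
        server.append("client-to-client")
    client = ["client", "dev tun", "proto udp", f"remote {host} 1194",
              "remote-cert-tls server", "ca ca.crt", "cert client.crt", "key client.key",
              cli_tls, f"cipher {cipher}"]
    return {"server": "\n".join(server) + "\n", "client": "\n".join(client) + "\n"}

def _directives(conf: str) -> Dict[str, List[str]]:
    """Map directive name -> argument list, skipping blank lines and comments."""
    out: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            out[words[0]] = words[1:]
    return out

def lint_pair(server: str, client: str) -> List[str]:
    """Return findings for a server/client pair; an empty list means consistent."""
    s, c = _directives(server), _directives(client)
    mode = lambda d: "tls-crypt" if "tls-crypt" in d else "tls-auth" if "tls-auth" in d else None
    direction = lambda d: (d.get("tls-auth", [])[1:] or [None])[0]
    findings = []
    if mode(s) != mode(c):
        findings.append(f"control-channel key mode differs: server={mode(s)} client={mode(c)}")
    elif mode(s) is None:
        findings.append("no tls-auth/tls-crypt: control channel has no HMAC protection")
    elif mode(s) == "tls-auth":
        if {direction(s), direction(c)} != {"0", "1"}:
            findings.append("tls-auth key directions must be opposite (0 server, 1 client)")
        findings.append("tls-auth in use: migrate to tls-crypt once all clients support it")
    if s.get("cipher") != c.get("cipher") and "ncp-ciphers" not in s:
        findings.append("cipher mismatch and no ncp-ciphers (OpenVPN 2.4 NCP) on the server")
    return findings
```

`capath` is what makes the hashed `.0`/`.r0` symlink directory from the install notes work: OpenVPN hands that directory to OpenSSL's hash-dir lookup, which only finds files named by subject hash.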
not quite complete doc of server install
sudo apt-get install openvpn
sudo mkdir -m 755 /etc/openvpn/certificate-authorities
sudo install -o root -g root -m 644 fnord*.cr[lt] /etc/openvpn/certificate-authorities
cd /etc/openvpn/certificate-authorities
# OpenSSL hash-dir layout: <subject-hash>.0 for a CA cert, <subject-hash>.r0 for its CRL
for f in *.crt; do sudo ln -s "${f}" "$(openssl x509 -hash -noout -in "${f}").0"; done
for f in *.crl; do sudo ln -s "${f}" "$(openssl x509 -hash -noout -in "${f%.crl}.crt").r0"; done
cd -
sudo openssl dhparam -out /etc/openvpn/vpn-0.fnord.greeley.co.us_server_dh4096.pem 4096 # expect this to take quite a while
# copy certificate and key file to /etc/openvpn (certificate (and probably the server's private key as well) was generated elsewhere)
# copy server config to /etc/openvpn
sudo systemctl start openvpn@vpn-0.fnord.greeley.co.us_server
Please note that this does still need some work.