OpenVPN configuration
Jump to navigation
Jump to search
Wouldn't it be nice to talk to the private network resources through some sort of secure channel? We make use of OpenVPN for that. This will allow private, authenticated traffic flow over potentially hostile networks.
Some quick bits about the config:
- Private PKI in use to do certificate based authentication
- TLS HMAC auth (
tls-authconfig option) in use. Migrate to usingtls-cryptwhen all clients are compatible (OpenWRT wifi APs for instance probably need updating) - template based client and server config file creation
client-to-clientin use to allow two VPN client systems to talk with each other instead of bouncing through a third system- ciphers are currently manually chosen -- after testing all clients, consider switching to "negotiable crypto parameters", an OpenVPN 2.4 feature
not quite complete doc of server install
sudo apt-get install openvpn
sudo mkdir -m 755 /etc/openvpn/certificate-authorities
sudo install -o root -g root -m 644 fnord*.cr[lt] /etc/openvpn/certificate-authorities
cd /etc/openvpn/certificate-authorities
for f in *.crt; do sudo ln -s "${f}" $(openssl x509 -hash -noout -in ${f}).0; done
for f in *.crl; do sudo ln -s "${f}" $(openssl x509 -hash -noout -in "${f%.crl}.crt").r0; done
cd -
sudo openssl dhparam -out /etc/openvpn/vpn-0.fnord.greeley.co.us_server_dh4096.pem 4096 # expect this to take quite a while
# copy certificate and key file to /etc/openvpn (certificate (and probably the server's private key as well) was generated elsewhere)
# copy server config to /etc/openvpn
sudo systemctl start openvpn@vpn-0.fnord.greeley.co.us_server
Please note that this does still need some work.