encryption:openvpn

Tunnel without Security

Here's the respective man page excerpt:

Example 1: A simple tunnel without security
    On may:

           openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9

    On june:

           openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

    Now verify the tunnel is working by pinging across the tunnel.

    On may:

           ping 10.4.0.2

    On june:

           ping 10.4.0.1

Preshared Key Method

Creating the Key

First of all, generate a random key like so:

openvpn --genkey --secret key

or maybe also:

openvpn --genkey --cipher BF-CBC --keysize 128 --secret key

To list the possible arguments for --cipher and --keysize:

openvpn --show-ciphers

Configuring the Peers

The remaining procedure is analogous to Tunnel without Security above, but with the additional parameter --secret <key>:

On may:

      openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key

On june:

      openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key

Server with TLS

The following requires the existence of a CA. To generate one, refer to SSL.

The TLS server needs a file with Diffie-Hellman parameters in PEM format. To create:

openssl dhparam -out dh1024.pem 1024

Each peer requires a key/certificate pair. Begin with creating a CSR:

openssl req -nodes -new -keyout mycert.key -out mycert.csr

Then have the CA sign the request (mycert.csr):

openssl ca -out mycert.crt -in mycert.csr

To prevent DoS attacks, an additional TLS auth file (--tls-auth) may be shared between peers; packets that do not carry a valid HMAC are dropped before the TLS handshake starts. An openvpn-generated preshared key serves well for that purpose:

openvpn --genkey --secret key

Bridging vs. Tunneling

To create an interface which may be bridged, --dev tapX must be given. Arguments passed to --ifconfig are then interpreted differently: --ifconfig <own IP> <netmask>. If the TAP device is supposed to be bridged, --ifconfig should be omitted entirely.

Performance-Tuning

Less Security

Reducing crypto-induced overhead usually improves performance, though often there is a mandatory minimum security which prevents this from being a real alternative.

Reducing Log-Output

Especially embedded devices benefit from a low --verb value.

Sample Configs

Server

#local 10.0.0.1
tls-server
mode server
port 1194
proto udp
dev tap
#dev tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/basecrt.pem
key /etc/ssl/openvpn/base.key 
dh /etc/ssl/openvpn/dh1024.pem

#server 10.4.0.0 255.255.255.0
#server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.200

push "route 192.168.1.0 255.255.255.0"
#push "route 192.168.20.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.1.23"
push "dhcp-option DNS 192.168.1.1"

keepalive 10 120

tls-auth /etc/ssl/openvpn/ta.key 0 # This file is secret

max-clients 5

user nobody
group nobody
persist-key
persist-tun

verb 3
mute-replay-warnings

Client

tls-client
dev tap
proto udp
#remote pr4x.ath.cx 1194
remote 10.0.0.1
ifconfig 192.168.1.21 255.255.255.0
route-gateway 192.168.1.1
redirect-gateway
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/tinycrt.pem
key /etc/openvpn/private/tinykey.pem
#ns-cert-type server
tls-auth /etc/openvpn/private/ta.key 1
#verb 6
verb 3
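As an added example (not part of this wiki page or of OpenVPN itself), here is a small Python linter that parses config lines in the format of the samples above and flags the choices this page touches on: a 1024-bit dh file, the BF-CBC cipher, a missing tls-auth line, no user/group privilege drop, and a debug-level verb. The sample config is constructed from the server config above, the thresholds are my own, and the DH size is inferred from the file name only.

```python
import re
import shlex

# Constructed sample: the page's server config, trimmed, with tls-auth commented
# out and a Blowfish cipher added so that the linter has something to report.
SAMPLE_SERVER_CONF = """\
tls-server
dev tap
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/basecrt.pem
key /etc/ssl/openvpn/base.key
dh /etc/ssl/openvpn/dh1024.pem
cipher BF-CBC
#tls-auth /etc/ssl/openvpn/ta.key 0
verb 9
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}  # 64-bit block ciphers


def parse_conf(text):
    """Turn an OpenVPN config into (option, args) tuples; '#' and ';' lines are comments."""
    opts = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)  # handles push "..." and trailing # comments
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts


def lint(opts):
    """Return human-readable findings for the weak settings discussed on this page."""
    names = {opt for opt, _ in opts}
    findings = []
    for opt, args in opts:
        if opt == "dh" and args:
            # Size guessed from a name like dh1024.pem; inspect the PEM itself for a real audit.
            m = re.search(r"dh(\d{3,5})", args[0])
            if m and int(m.group(1)) < 2048:
                findings.append(f"dh: {args[0]} suggests {m.group(1)}-bit parameters; use 2048+ bits")
        elif opt == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher: {args[0]} uses a 64-bit block; prefer AES-256-GCM")
        elif opt == "verb" and args and args[0].isdigit() and int(args[0]) > 3:
            findings.append(f"verb: {args[0]} is debug-level logging; keep it at 3 or lower in production")
    if names & {"tls-server", "tls-client"} and not names & {"tls-auth", "tls-crypt"}:
        findings.append("tls-auth: missing; any UDP packet can start a TLS handshake (DoS exposure)")
    if not {"user", "group"} <= names:
        findings.append("user/group: daemon keeps its initial privileges after startup")
    return findings
```

Running lint(parse_conf(open("/etc/openvpn/server.conf").read())) on a real file prints the same kind of findings; an empty list means none of these checks fired.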
encryption/openvpn.txt · Last modified: 2023/12/23 01:04 by 127.0.0.1