===== Tunnel without Security =====
Here's the respective man page excerpt:
<code>
Example 1: A simple tunnel without security

On may:
  openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9

On june:
  openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

Now verify the tunnel is working by pinging across the tunnel.

On may:
  ping 10.4.0.2

On june:
  ping 10.4.0.1
</code>
===== Preshared Key Method =====
==== Creating the Key ====
First of all, generate a random key like so:
<code>
openvpn --genkey --secret key
</code>
or, selecting cipher and key size explicitly:
<code>
openvpn --genkey --cipher BF-CBC --keysize 128 --secret key
</code>
Note that BF-CBC (Blowfish) is a 64-bit block cipher and is no longer considered adequate; current OpenVPN releases disable it by default, so prefer an AES cipher. To show the possible arguments to ''--cipher'' and ''--keysize'' (the listing includes each cipher's key length):
<code>
openvpn --show-ciphers
</code>
==== Configuring the Peers ====
The remaining procedure is analogous to Tunnel without Security above, with the additional parameter ''--secret <key>'' on both sides (both peers must use the same key file):
<code>
On may:
  openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key

On june:
  openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
</code>
===== Server with TLS =====
The following requires the existence of a CA. To generate one, refer to SSL.

The TLS server needs a file with Diffie-Hellman parameters in PEM format. To create it:
<code>
openssl dhparam -out dh1024.pem 1024
</code>
1024-bit groups are below today's accepted minimum; for a new deployment generate 2048-bit (or larger) parameters and adjust the ''dh'' path in the server config accordingly.

Each peer requires a key/certificate pair. Begin by creating a CSR (''-nodes'' leaves the private key unencrypted so the daemon can read it at start-up; protect it with file permissions):
<code>
openssl req -nodes -new -keyout mycert.key -out mycert.csr
</code>
Then have the CA sign the request (mycert.csr):
<code>
openssl ca -out mycert.crt -in mycert.csr
</code>
To mitigate DoS attacks on the TLS handshake, an additional TLS auth key (''--tls-auth'') may be shared between peers; packets that do not carry a valid HMAC under this key are dropped before any TLS processing. An openvpn-generated preshared key serves well for that purpose:
<code>
openvpn --genkey --secret key
</code>
===== Bridging vs. Tunneling =====
To create an interface which may be bridged, ''--dev tapX'' must be given.
Arguments passed to ''--ifconfig'' are then interpreted differently:
''--ifconfig <own IP> <netmask>''. If the TAP device is supposed to be bridged,
''--ifconfig'' should be omitted entirely (the address belongs on the bridge interface instead).
===== Performance-Tuning =====
==== Less Security ====
Reducing crypto-induced overhead usually improves performance, though there is
usually a mandatory minimum level of security that prevents this from being a
real alternative.
==== Reducing Log-Output ====
Embedded devices in particular benefit from a low ''--verb'' value, since
debug-level logging costs CPU time and storage.
===== Sample Configs =====
==== Server ====
<code>
#local 10.0.0.1
tls-server
mode server
port 1194
proto udp
dev tap
#dev tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/basecrt.pem
key /etc/ssl/openvpn/base.key
dh /etc/ssl/openvpn/dh1024.pem
#server 10.4.0.0 255.255.255.0
#server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.200
push "route 192.168.1.0 255.255.255.0"
#push "route 192.168.20.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.1.23"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
tls-auth /etc/ssl/openvpn/ta.key 0 # This file is secret
max-clients 5
user nobody
group nobody
persist-key
persist-tun
verb 3
mute-replay-warnings
</code>
==== Client ====
<code>
tls-client
dev tap
proto udp
#remote pr4x.ath.cx 1194
remote 10.0.0.1
ifconfig 192.168.1.21 255.255.255.0
route-gateway 192.168.1.1
redirect-gateway
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/tinycrt.pem
key /etc/openvpn/private/tinykey.pem
#ns-cert-type server
tls-auth /etc/openvpn/private/ta.key 1
#verb 6
verb 3
</code>
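The following is an added example, not code from the original page or from the OpenVPN project: a small Python linter that reads a config in OpenVPN's own directive syntax and reports the security-relevant points raised in the sections above (plain tunnel without crypto, ''--secret'' static-key mode, missing ''tls-auth'', a ''tls-auth'' key direction that does not match the peer's role, 1024-bit DH, Blowfish or no explicit cipher, no ''user''/''group'' privilege drop, a client that never checks the server's certificate role, and a ''verb'' level high enough to hurt embedded devices). The sample inputs are constructed, condensed from the examples and sample configs on this page; the finding codes, the DH-size heuristic (read from the file name) and the list of weak ciphers are this example's own choices.

```python
"""Lint OpenVPN configs for the weak spots discussed on this page (added example)."""
from __future__ import annotations

import re
import shlex

# 64-bit block ciphers. BF-CBC was OpenVPN's default before 2.4 and is disabled
# by default since 2.5 (birthday attacks on 64-bit blocks, "SWEET32").
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the argument lists it was given (directives may repeat).
    '#' and ';' start comments, as in OpenVPN; inline <ca>...</ca> blocks are not
    handled because the configs on this page reference files instead."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # shell-style quotes, '#' comments
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def lint(text: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for one config, in a fixed order."""
    d = parse(text)
    first = lambda name: d.get(name, [[]])[0]  # args of the first occurrence
    findings: list[tuple[str, str]] = []

    if any(k in d for k in ("tls-server", "server", "server-bridge")) or first("mode")[:1] == ["server"]:
        role = "server"
    elif "tls-client" in d or "client" in d:
        role = "client"
    else:
        role = None
    crypto = "tls" if role else ("static" if "secret" in d else None)

    if crypto is None:
        findings.append(("NO_CRYPTO", "neither --secret nor a TLS role: tunnel is unencrypted and unauthenticated"))
    elif crypto == "static":
        findings.append(("STATIC_KEY", "--secret mode: one shared key, no forward secrecy, no per-peer identity"))
    else:
        if "tls-auth" not in d and "tls-crypt" not in d:
            findings.append(("NO_TLS_AUTH", "no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake"))
        ta = first("tls-auth")
        if len(ta) == 2:  # key file plus explicit key direction (0 server, 1 client)
            want = {"server": "0", "client": "1"}[role]
            if ta[1] != want:
                findings.append(("TLS_AUTH_DIRECTION", f"tls-auth direction is {ta[1]} but a {role} should use {want}"))
        if role == "client" and not ("remote-cert-tls" in d or "ns-cert-type" in d):
            findings.append(("NO_SERVER_CERT_CHECK", "client accepts any CA-signed cert as the server, including another client's"))
        if role == "server" and first("dh"):
            m = re.search(r"(\d{3,5})", first("dh")[0])  # heuristic: bit size from the file name
            if m and int(m.group(1)) < 2048:
                findings.append(("WEAK_DH", f"{first('dh')[0]}: {m.group(1)}-bit DH is below the 2048-bit minimum"))

    if crypto is not None:
        cipher = first("cipher")
        if not cipher:
            findings.append(("NO_CIPHER", "no cipher directive: releases before 2.4 default to BF-CBC"))
        elif cipher[0].upper() in WEAK_CIPHERS:
            findings.append(("WEAK_CIPHER", f"{cipher[0]} is a 64-bit block cipher; use an AES-GCM cipher"))
    if "user" not in d or "group" not in d:
        findings.append(("NO_PRIV_DROP", "no user/group: the daemon keeps root after the tunnel is up"))
    verb = first("verb")
    if verb and verb[0].isdigit() and int(verb[0]) > 4:
        findings.append(("VERBOSE_LOG", f"verb {verb[0]}: debug-level logging, costly on embedded devices"))
    return findings


def codes(text: str) -> list[str]:
    """Just the finding codes, convenient for scripting and tests."""
    return [code for code, _ in lint(text)]


# Constructed inputs, condensed from the examples and sample configs on this page.
PLAIN_TUNNEL = "remote june.kg\ndev tun1\nifconfig 10.4.0.1 10.4.0.2\nverb 9\n"
STATIC_KEY_TUNNEL = PLAIN_TUNNEL.replace("verb 9", "verb 5") + "secret key\n"
SERVER_CONF = """\
tls-server
mode server
port 1194
proto udp
dev tap
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/basecrt.pem
key /etc/ssl/openvpn/base.key
dh /etc/ssl/openvpn/dh1024.pem
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/ssl/openvpn/ta.key 0 # This file is secret
user nobody
group nobody
verb 3
"""
CLIENT_CONF = """\
tls-client
dev tap
remote 10.0.0.1
ifconfig 192.168.1.21 255.255.255.0
user nobody
group nobody
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/tinycrt.pem
key /etc/openvpn/private/tinykey.pem
#ns-cert-type server
tls-auth /etc/openvpn/private/ta.key 1
verb 3
"""

if __name__ == "__main__":
    for name, conf in [("plain tunnel", PLAIN_TUNNEL), ("static key", STATIC_KEY_TUNNEL),
                       ("server", SERVER_CONF), ("client", CLIENT_CONF)]:
        print(f"== {name}")
        for code, why in lint(conf):
            print(f"  {code}: {why}")
```

Run against the page's own samples, the server config is flagged for its 1024-bit DH file and for relying on the implicit default cipher, and the client is flagged because ''ns-cert-type server'' is commented out, so any certificate issued by the CA would be accepted as the server; adding ''remote-cert-tls server'' and an explicit ''cipher'' to the client clears both findings.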