Revisions compared: openvpn [09/09/2018 - 12:57] by thommie3 and openvpn [17/08/2024 - 07:06] (current), external edit from 127.0.0.1. Both revisions carry the same server configuration; it is shown once below.
====== Server configuration ======

<code>
##############################################################################
# sources for configuration:
# http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)
# http://www.online--tutorials.net/security/openvpn-tutorial/

### BASICS
mode server
# bridged vpn with client IP range
server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100
# Protocol/port
proto udp
port 1194

### Type of operation
# operation with PKI
tls-server
# alternatively, for a symmetric key:
# secret /etc/openvpn/server_static.key
# for vpn with shared key
# tls-auth xxx 1
# Device type
dev tap0
# accept connection requests on this local address only
# if not defined, use all interfaces
local 192.168.172.1
# topology and network
topology subnet
# make IPs persistent
ifconfig-pool-persist ipp.txt
# clients can see each other
client-to-client
# see http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
sndbuf 393216
rcvbuf 393216

## PKI - certificates and keys, directory of cert/key
cd /etc/openvpn
## Root CA which signed openvpn server and client certs
ca /etc/easyrsa-pki/ca.crt
## cert of openvpn server
cert /etc/openvpn/locutus.netzwissen.local.crt
## key of server
key /etc/openvpn/locutus.netzwissen.local.key
# diffie hellman parameter
# create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/dh2014.pem
dh /etc/easyrsa-pki/dh.pem
# certificate revocation list, should be copied from CA
crl-verify /etc/openvpn/crl.pem
# Verification of certs
# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
# old method (Name/name-prefix from CN field)
# verify-x509-name locutus.netzwissen.local name
# new method from RFC3280: type of certificate must be client
remote-cert-eku "TLS Web Client Authentication"
# Cipher algorithm
cipher AES-256-CBC
# HMAC Authentication
auth SHA256
# tunnel compression
comp-lzo
# hardening. Beware: can exclude pre-2.3.3 clients
# tls-version-min 1.2

## pushed configs for clients for routing & dns
## redirect all traffic to VPN
## push "redirect-gateway def1"
push "route 192.168.72.0 255.255.255.0 172.168.72.1"
push "dhcp-option DOMAIN netzwissen.local"
push "dhcp-option DNS 192.168.72.1"
push "dhcp-option WINS 192.168.72.1"
# http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
push "sndbuf 393216"
push "rcvbuf 393216"
# will not work with --ifconfig-pool-persist
# duplicate-cn
# permissions after connect
user nobody
group nogroup
# don't re-read keys after --ping-restart
persist-key
# don't restart tun after --ping-restart
persist-tun

### LOGGING
log /var/log/openvpn.log
# Status info
status /var/log/openvpn-status.log 20
# don't repeat messages so often
mute 20
# Log-Levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max
verb 6
# Daemon-Mode: write to syslog - activate after the configuration finished
daemon
# Management console
management localhost 7505
</code>

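The comments in the configuration above mark several hardening choices (tls-auth/tls-crypt on the control channel, the commented-out tls-version-min, tunnel compression, dropping to nobody/nogroup, the management console bound to localhost). The following Python script is an added example and is not part of the wiki page or of OpenVPN itself: it parses a server configuration the way OpenVPN's own whole-line and trailing comment rules read it, and reports which of those points are left open. SAMPLE_SERVER_CONF is a constructed copy of the directives shown above, and the list of checks is this editor's selection, not an OpenVPN feature.

```python
import shlex

# Constructed sample: the active and commented-out directives of the server
# configuration shown above, reduced to what the audit looks at.
SAMPLE_SERVER_CONF = """\
mode server
server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100
proto udp
port 1194
tls-server
# secret /etc/openvpn/server_static.key
# tls-auth xxx 1
dev tap0
local 192.168.172.1
topology subnet
client-to-client
ca /etc/easyrsa-pki/ca.crt
cert /etc/openvpn/locutus.netzwissen.local.crt
key /etc/openvpn/locutus.netzwissen.local.key
dh /etc/easyrsa-pki/dh.pem
crl-verify /etc/openvpn/crl.pem
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
auth SHA256
comp-lzo
# tls-version-min 1.2
push "dhcp-option DNS 192.168.72.1"
user nobody
group nogroup
persist-key
persist-tun
verb 6
management localhost 7505
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_openvpn_config(text):
    """Return [(directive, [args, ...]), ...] for every active line.

    Whole lines starting with '#' or ';' are comments.  A '#' that starts a
    later word (e.g. 'tls-auth xxx 1 # note') ends the line, which is what
    shlex's comment handling does; quoted arguments stay one argument.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:          # stray quote in a trailing comment
            words = line.split("#", 1)[0].split()
        if words:
            directives.append((words[0], words[1:]))
    return directives


def audit_server_config(text):
    """Return hardening findings for a server config, in a stable order."""
    directives = parse_openvpn_config(text)
    present = {name for name, _ in directives}
    findings = []

    if "secret" in present and "tls-server" in present:
        findings.append("secret and tls-server are both active; use one mode")
    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("control channel unprotected: no tls-auth/tls-crypt")
    if "tls-version-min" not in present:
        findings.append("tls-version-min not set: no TLS floor enforced")
    if present & {"comp-lzo", "compress"}:
        findings.append("tunnel compression enabled (comp-lzo/compress)")
    if not present & {"remote-cert-eku", "remote-cert-tls"}:
        findings.append("no remote-cert-eku/remote-cert-tls: client cert type not checked")
    if "user" not in present or "group" not in present:
        findings.append("privileges not dropped: user/group missing")
    if "duplicate-cn" in present:
        findings.append("duplicate-cn lets one certificate be shared")
    for name, args in directives:
        if name == "management" and args and args[0] not in LOCAL_HOSTS:
            findings.append(f"management interface bound to {args[0]}, not localhost")
        if name == "verb" and args and args[0].isdigit() and int(args[0]) > 4:
            findings.append(f"verb {args[0]}: debug-level logging in production")
    return findings


if __name__ == "__main__":
    for finding in audit_server_config(SAMPLE_SERVER_CONF):
        print("-", finding)
```

Run against the sample it reports the unprotected control channel, the missing tls-version-min, comp-lzo and verb 6; the checks that pass silently (privilege drop, remote-cert-eku, management on localhost) are the ones the configuration already gets right.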
====== Management Console ======

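The management console enabled with ''management localhost 7505'' answers its ''status'' command with the same version-1 layout that ''status /var/log/openvpn-status.log 20'' writes to disk. The script below is an added example, not part of the wiki page or of OpenVPN: it parses such a dump into client sessions and routing entries, sums traffic per common name, lists sessions for which the bridge has not learned an address yet, and flags common names with more than one live session (with duplicate-cn left commented out, as above, that list should stay empty). SAMPLE_STATUS is a constructed dump; its names, real addresses and MAC-style virtual addresses (tap mode) are made up for this example.

```python
import csv
from collections import Counter

# Constructed sample in the version-1 layout produced by `status <file>` and
# by the management console's `status` command.  Names, addresses and the
# MAC-style virtual addresses (tap mode) are invented for this example.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat Sep  8 12:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,123456,654321,Sat Sep  8 09:15:02 2018
bob,198.51.100.7:40001,1024,2048,Sat Sep  8 11:59:40 2018
alice,203.0.113.77:60000,10,20,Sat Sep  8 11:59:58 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,alice,203.0.113.10:51234,Sat Sep  8 11:58:00 2018
00:ff:9a:bc:de:f0,bob,198.51.100.7:40001,Sat Sep  8 11:59:41 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_MARKERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Split a version-1 status dump into (clients, routes, updated)."""
    clients, routes, updated = [], [], None
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line in SECTION_MARKERS:
            section = line
            continue
        fields = next(csv.reader([line]))   # comma-separated, no quoting in v1
        if section == "OpenVPN CLIENT LIST":
            if fields[0] == "Updated":
                updated = fields[1]
            elif fields[0] != "Common Name" and len(fields) == 5:
                clients.append({
                    "cn": fields[0],
                    "real_address": fields[1],
                    "bytes_received": int(fields[2]),
                    "bytes_sent": int(fields[3]),
                    "connected_since": fields[4],
                })
        elif section == "ROUTING TABLE":
            if fields[0] != "Virtual Address" and len(fields) == 4:
                routes.append({
                    "virtual_address": fields[0],
                    "cn": fields[1],
                    "real_address": fields[2],
                    "last_ref": fields[3],
                })
        # GLOBAL STATS lines are not needed here
    return clients, routes, updated


def duplicate_cns(clients):
    """Common names with more than one live session (sorted)."""
    counts = Counter(c["cn"] for c in clients)
    return sorted(cn for cn, n in counts.items() if n > 1)


def sessions_without_route(clients, routes):
    """Real addresses of sessions that have no routing-table entry yet."""
    routed = {r["real_address"] for r in routes}
    return sorted(c["real_address"] for c in clients if c["real_address"] not in routed)


def traffic_by_cn(clients):
    """Bytes received plus sent, summed over all sessions of each CN."""
    totals = Counter()
    for c in clients:
        totals[c["cn"]] += c["bytes_received"] + c["bytes_sent"]
    return dict(totals)


if __name__ == "__main__":
    clients, routes, updated = parse_status(SAMPLE_STATUS)
    print("status as of", updated)
    print("sessions:", len(clients), "routes:", len(routes))
    print("duplicate CNs:", duplicate_cns(clients))
    print("unrouted sessions:", sessions_without_route(clients, routes))
    print("traffic per CN:", traffic_by_cn(clients))
```

In the sample, alice appears twice: a second session from a different address that has not yet shown up in the routing table. That is exactly the picture a shared or copied client certificate produces, which is why the check belongs in a periodic look at the status output.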
====== Checking contents ======

**Certificate**

''openssl x509 -in pki/issued/openvpn.dvsdnet.local.crt -text -noout''

**CSR**

''openssl req -in www2.netzwissen.de.csr -text -noout''