08fb5ff0e91d0ce83df4ff92ae5e7d757c7a296c
howto/openvpn.md
| ... | ... | @@ -1,4 +1,5 @@ |
| 1 | 1 | # Example Configuration for direct peer to peer |
| 2 | + |
|
| 2 | 3 | * Replace `<PEER_NAME>` with a self chosen name to identify this peer |
| 3 | 4 | * Replace `<PROTO>` with either `udp` or `udp6`, depending if you reach your remote peer with ipv4 o ipv6 |
| 4 | 5 | * Replace `<REMOTE_HOST>` with the public ip address of your peer |
| ... | ... | @@ -74,6 +75,97 @@ ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP> |
| 74 | 75 | secret /etc/openvpn/<PEER_NAME>.key |
| 75 | 76 | ``` |
| 76 | 77 | |
| 78 | +# Example configuration for connecting roaming clients to dn42 |
|
| 79 | + |
|
| 80 | +Clients connect using certificates, and simply get attributed dn42 IPs in the order they connect. This is useful for roaming clients, where you don't really care which IP you have. Note that once a client has connected for the first time, it will keep the same IP on subsequent connections (option `ifconfig-pool-persist`). |
|
| 81 | + |
|
| 82 | +## Server configuration |
|
| 83 | + |
|
| 84 | +Replace `<PORT>` with the UDP port you want OpenVPN to listen to |
|
| 85 | + |
|
| 86 | +``` |
|
| 87 | +mode server |
|
| 88 | +tls-server |
|
| 89 | + |
|
| 90 | +dh dh2048.pem |
|
| 91 | + |
|
| 92 | +ca keys/ca.crt |
|
| 93 | +cert keys/roaming-dn42.crt |
|
| 94 | +key keys/roaming-dn42.key |
|
| 95 | + |
|
| 96 | +client-config-dir /etc/openvpn/roaming |
|
| 97 | + |
|
| 98 | +dev tun-roaming |
|
| 99 | +persist-tun |
|
| 100 | +#link-mtu |
|
| 101 | +tun-mtu 1500 |
|
| 102 | +fragment 1300 |
|
| 103 | +mssfix |
|
| 104 | +log /var/log/openvpn-dn42-roaming.log |
|
| 105 | +status /var/log/openvpn-dn42-roaming-status.log 60 |
|
| 106 | + |
|
| 107 | +# Should work for both IPv4 and IPv6 |
|
| 108 | +proto udp6 |
|
| 109 | +port <PORT> |
|
| 110 | + |
|
| 111 | +# IPv6 |
|
| 112 | +###tun-ipv6 |
|
| 113 | +###push tun-ipv6 |
|
| 114 | +###ifconfig-ipv6 2001:db8:42:42::1 2001:db8:42:42::2 |
|
| 115 | +###ifconfig-ipv6-pool 2001:db8:42:42::3/64 |
|
| 116 | + |
|
| 117 | +topology subnet |
|
| 118 | +push "topology subnet" |
|
| 119 | + |
|
| 120 | +keepalive 10 60 |
|
| 121 | + |
|
| 122 | +# That's 172.23.185.144/28 (172.23.185.144 to 172.23.185.159) |
|
| 123 | +ifconfig 172.23.185.145 255.255.255.240 |
|
| 124 | +ifconfig-pool 172.23.185.146 172.23.185.158 255.255.255.240 |
|
| 125 | + |
|
| 126 | +ifconfig-pool-persist pool-persist.txt |
|
| 127 | + |
|
| 128 | +push "route-gateway 172.23.185.145" |
|
| 129 | +push "route 172.22.0.0 255.254.0.0" |
|
| 130 | +###push "route 172.31.0.0 255.255.0.0" |
|
| 131 | +###push "route 10.0.0.0 255.0.0.0" |
|
| 132 | +``` |
|
| 133 | + |
|
| 134 | +## Client configuration |
|
| 135 | + |
|
| 136 | +Change `<SERVER>` and `<PORT>`. |
|
| 137 | + |
|
| 138 | +``` |
|
| 139 | +client |
|
| 140 | + |
|
| 141 | +ca ca.crt |
|
| 142 | +cert myclient.crt |
|
| 143 | +key myclient.key |
|
| 144 | + |
|
| 145 | +dev tun |
|
| 146 | +proto udp6 |
|
| 147 | + |
|
| 148 | +remote <SERVER> <PORT> |
|
| 149 | + |
|
| 150 | +tun-mtu 1500 |
|
| 151 | +fragment 1300 |
|
| 152 | +mssfix |
|
| 153 | + |
|
| 154 | +route-delay 2 |
|
| 155 | +nobind |
|
| 156 | +persist-key |
|
| 157 | +persist-tun |
|
| 158 | + |
|
| 159 | +verb 3 |
|
| 160 | +``` |
|
| 161 | + |
|
| 162 | +## Certificate management |
|
| 163 | + |
|
| 164 | +Use easy-rsa, it's easy to use. Below is a very short description, find a real tutorial if you don't know how it works. |
|
| 165 | + |
|
| 166 | +Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`. |
|
| 167 | + |
|
| 168 | +Then, for each client, generate a private key and a certificate: ```./build-key myclient```. The Common Name is the only important information (it will be used to identify the client, for instance in the logs). |
|
| 77 | 169 | |
| 78 | 170 | # External Links |
| 79 | 171 | * multicast: |