Differences

This shows you the differences between two versions of the page.

--- tips:vpn:openvpn [2015/07/24 12:21] – [Mikrotik server] scipio
+++ tips:vpn:openvpn [2018/06/14 17:54] (current) – [Linux client] scipio
@@ Line 15: / Line 15: @@
 source vars
 ./clean-all
+./build-dh
 ./pkitool --initca
 </code>
@@ Line 22: / Line 23: @@
 <code>
 NAME=legnago-gw
-./pkitool --pass --server $NAME
+./pkitool --pass --server $NAME # create passphrase here
-openssl rsa -in keys/$NAME.key -out keys/$NAME.pem
+openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here
+chmod 600 keys/$NAME.pem
 </code>
@@ Line 42: / Line 44: @@
 import file=server.pem
 import file=ca.crt
+</code>
+<del>Simplier method</del>
+<code bash>
+openssl genrsa -des3 -out ca.key 4096
+# specify dns name of mikrotik server in common name
+openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
+# now import in mikrotik ca.crt and after ca.key
 </code>
@@ Line 74: / Line 86: @@
 </code>
+===== Linux client =====
+<code>
+apt-get install openvpn
+</code>
+/etc/openvpn/client1.conf
+<code>
+dev tun
+proto tcp-client
+remote legnago.csgalileo.org 1194
+ca  /etc/easy-rsa-legnago/keys/ca.crt
+cert /etc/easy-rsa-legnago/keys/nms.crt
+key  /etc/easy-rsa-legnago/keys/nms.pem
+tls-client
+port 1194
+user nobody
+group nogroup
+#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)
+# More reliable detection when a system loses its connection.
+ping 15
+ping-restart 45
+ping-timer-rem
+persist-tun
+persist-key
+# Silence  the output of replay warnings, which are a common false
+# alarm on WiFi networks.  This option preserves the  security  of
+# the replay protection code without the verbosity associated with
+# warnings about duplicate packets.
+mute-replay-warnings
+# Verbosity level.
+# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
+verb 3
+cipher AES-256-CBC
+auth SHA1
+pull
+auth-user-pass auth.cfg
+script-security 2
+up /etc/openvpn/up.sh
+</code>
+/etc/openvpn/up.sh (chmod +x)
+<code>
+#!/bin/sh
+ip route add 10.90.0.0/16 via 10.15.32.33
+</code>
+/etc/openvpn/auth.cfg
+<code>
+username
+password
+</code>
+Start service with systemd
+<code>
+systemctl start openvpn@client1
+systemctl enable openvpn@client1
+</code>
+===== Linux server =====
+<file txt /etc/openvpn/server.conf>
+proto tcp
+dev tun
+ca /etc/easy-rsa/keys/ca.crt
+cert /etc/easy-rsa/keys/captive.crt
+key /etc/easy-rsa/keys/captive.pem
+dh /etc/easy-rsa/keys/dh2048.pem
+server 10.4.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+keepalive 10 120
+cipher BF-CBC
+max-clients 100
+client-config-dir ccd
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+persist-key
+persist-tun
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+#status /var/log/openvpn/captive.stats
+log /var/log/openvpn/captive.log
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+#log         openvpn.log
+#log-append  openvpn.log
+verb 0
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+mute 20
+#fragment 1300
+mssfix 1300
+#link-mtu 1503
+#tun-mtu 1460
+#client-connect /etc/openvpn/on-client-connect
+script-security 2
+push "explicit-exit-notify"
+management localhost 7505
+client-to-client
+</file>
+===== Mikrotik client =====
+Import certificates
+<code>
+import file-name=ca.crt
+import file-name=galileo.crt
+import file-name=galileo.pem
+</code>
+===== LXD =====
+To enable tun inside container
+<code>
+lxc config device add <NAME> tun unix-char path=/dev/net/tun
+</code>