| tips:vpn:openvpn [2016/10/17 15:55] – [Linux server] scipio | tips:vpn:openvpn [2018/06/14 17:54] (current) – [Linux client] scipio | ||
|---|---|---|---|
| Line 15: | Line 15: | ||
| source vars | source vars | ||
| ./clean-all | ./clean-all | ||
| + | ./build-dh | ||
| ./pkitool --initca | ./pkitool --initca | ||
| </ | </ | ||
| Line 22: | Line 23: | ||
| < | < | ||
| NAME=legnago-gw | NAME=legnago-gw | ||
| - | ./pkitool --pass --server $NAME | + | ./pkitool --pass --server $NAME # create passphrase here |
| - | openssl rsa -in keys/ | + | openssl rsa -in keys/ |
| + | chmod 600 keys/ | ||
| </ | </ | ||
| Line 42: | Line 44: | ||
| import file=server.pem | import file=server.pem | ||
| import file=ca.crt | import file=ca.crt | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | <code bash> | ||
| + | openssl genrsa -des3 -out ca.key 4096 | ||
| + | |||
| + | # specify dns name of mikrotik server in common name | ||
| + | openssl req -new -x509 -days 3650 -key ca.key -out ca.crt | ||
| + | |||
| + | # now import in mikrotik ca.crt and after ca.key | ||
| </ | </ | ||
| Line 141: | Line 153: | ||
| < | < | ||
| systemctl start openvpn@client1 | systemctl start openvpn@client1 | ||
| + | systemctl enable openvpn@client1 | ||
| </ | </ | ||
| Line 146: | Line 159: | ||
| <file txt / | <file txt / | ||
| + | proto tcp | ||
| + | dev tun | ||
| + | |||
| + | ca / | ||
| + | cert / | ||
| + | key / | ||
| + | dh / | ||
| + | |||
| + | server 10.4.0.0 255.255.255.0 | ||
| + | ifconfig-pool-persist ipp.txt | ||
| + | keepalive 10 120 | ||
| + | cipher BF-CBC | ||
| + | max-clients 100 | ||
| + | client-config-dir ccd | ||
| + | |||
| + | # It's a good idea to reduce the OpenVPN | ||
| + | # daemon' | ||
| + | # | ||
| + | # You can uncomment this out on | ||
| + | # non-Windows systems. | ||
| + | user nobody | ||
| + | group nogroup | ||
| + | |||
| + | persist-key | ||
| + | persist-tun | ||
| + | |||
| + | # Output a short status file showing | ||
| + | # current connections, | ||
| + | # and rewritten every minute. | ||
| + | #status / | ||
| + | log / | ||
| + | |||
| + | |||
| + | # 0 is silent, except for fatal errors | ||
| + | # 4 is reasonable for general usage | ||
| + | # 5 and 6 can help to debug connection problems | ||
| + | # 9 is extremely verbose | ||
| + | #log | ||
| + | # | ||
| + | verb 0 | ||
| + | |||
| + | # Silence repeating messages. | ||
| + | # sequential messages of the same message | ||
| + | # category will be output to the log. | ||
| + | mute 20 | ||
| + | |||
| + | #fragment 1300 | ||
| + | mssfix 1300 | ||
| + | #link-mtu 1503 | ||
| + | #tun-mtu 1460 | ||
| + | |||
| + | |||
| + | # | ||
| + | script-security 2 | ||
| + | push " | ||
| + | |||
| + | management localhost 7505 | ||
| + | |||
| + | client-to-client | ||
| + | |||
| </ | </ | ||
| + | |||
| + | ===== Mikrotik client ===== | ||
| + | |||
| + | Import certificates | ||
| + | < | ||
| + | import file-name=ca.crt | ||
| + | import file-name=galileo.crt | ||
| + | import file-name=galileo.pem | ||
| + | </ | ||
| + | |||
| ===== LXD ===== | ===== LXD ===== | ||
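Review bot: `cipher BF-CBC` in the added server config selects 64-bit-block Blowfish, which is exposed to the SWEET32 birthday attack on long-lived tunnels and is refused by default in OpenVPN 2.5 and later; change it to `cipher AES-256-GCM` (or `cipher AES-256-CBC` where a client cannot do GCM) and keep the Linux and MikroTik clients in step, checking first which ciphers the RouterOS version in use actually supports. `verb 0` together with the commented-out `#status` line leaves almost no record of who connected and when, which makes later incident analysis hard; `verb 3` plus an enabled `status /var/log/openvpn-status.log` is the usual compromise. `management localhost 7505` opens an unauthenticated control socket that any local user can reach to enumerate and kill sessions, so add a password file argument (`management localhost 7505 /etc/openvpn/mgmt.pw`, mode 600) or switch to a unix socket with restricted permissions. The tail of this hunk (the Mikrotik client section and the LXD heading) may continue past the visible page.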