OpenVPN: Difference between revisions
Revision as of 03:37, 24 November 2010
== Server Configuration ==
=== server.conf ===
<pre>
local 96.52.184.47
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd  # per-client settings live in ccd/<CN>
route 172.31.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 216.234.161.25"
push "dhcp-option DNS 216.194.64.160"
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-128-CBC  # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
</pre>
=== rc.conf ===
<pre>
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
gateway_enable="YES"
</pre>
=== natd.conf ===
<pre>
interface fxp0
use_sockets yes
same_ports yes
</pre>
=== Client Config Directory (CCD) ===
Client-specific settings can be specified by creating a ccd/CN file, where CN is the Common Name of that client's certificate.
== Client Configuration ==
=== Required Files ===
Under Windows, the following files need to be placed in Program Files\OpenVPN\Config:
==== ca.crt ====
This is the Root CA certificate that the client and server certificates are signed with. It is required for all clients.
==== ta.key ====
This is a preshared secret used for the ''tls-auth'' directive. It is required for all clients.
==== client.crt & client.key ====
These two files are specific to each individual client. Everyone requiring access to the VPN will need these files generated for them.
These files are generated on inferno.incoherency.net, as root:
<pre>
cd /root/easy-rsa
. ./vars
./build-key clientname
</pre>
Where clientname is the unique name of the client you are building the certificate/key files for. When prompted for the CN (Common Name) attribute, use the same clientname parameter used on the command line.
=== incoherency.ovpn ===
This is the main configuration file. Under Unix systems you'd likely call this incoherency.conf or client.conf. The .ovpn extension is Windows-specific.
Change the ''cert'' and ''key'' directives in this file to match your certificate and key files respectively.
<pre>
client
dev tun
proto udp
remote inferno.incoherency.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yourcert.crt
key yourkey.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
</pre>
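An added example (not part of this page or of OpenVPN itself): a short Python check that the server.conf above and this client .ovpn agree on the settings that have to match on both ends of the tunnel (proto, dev, cipher, comp-lzo, the remote port, and complementary tls-auth key directions 0/1). The two sample configs are constructed inline from this page's directives, trimmed to the lines the check looks at.

```python
import shlex
# Sample configs: constructed from this page's directives, trimmed to what is checked.
SERVER_CONF = """\
port 1194
proto udp
dev tun
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
"""
CLIENT_OVPN = """\
client
dev tun
proto udp
remote inferno.incoherency.net 1194
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
"""

def parse(text):
    """Map each directive to a list of its argument lists ('#' comments dropped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check(server_text, client_text):
    """Return the list of server/client mismatches (empty list means consistent)."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for d in ("proto", "dev", "cipher"):  # must be identical on both ends
        if s.get(d) != c.get(d):
            problems.append(f"{d}: server {s.get(d)} vs client {c.get(d)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):  # compression is all-or-nothing
        problems.append("comp-lzo set on only one side")
    sport = s.get("port", [["1194"]])[0][0]  # 1194 is OpenVPN's default port
    for r in c.get("remote", []):  # each 'remote host [port]' must hit that port
        rport = r[1] if len(r) > 1 else "1194"
        if rport != sport:
            problems.append(f"remote port {rport} != server port {sport}")
    st, ct = s.get("tls-auth", [[]])[0], c.get("tls-auth", [[]])[0]
    if bool(st) != bool(ct):  # HMAC firewall on one side only = handshake fails
        problems.append("tls-auth set on only one side")
    elif len(st) > 1 and len(ct) > 1 and st[1] == ct[1]:  # directions must be 0/1
        problems.append(f"tls-auth key direction {st[1]} on both sides; must be 0/1")
    return problems
```

Call check(SERVER_CONF, CLIENT_OVPN): an empty list means the pair is consistent, and each string in the list names one mismatch.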
=== Mac OS X ===
OS X has an OpenVPN GUI called Tunnelblick. The setup is basically the same as on Windows. The client configuration, certificates, etc. go in ~/Library/openvpn.
Unfortunately, Tunnelblick does not seem to support the redirect-gateway directive as of version 3.0b9.
=== Vista Quirks ===
- The TAP driver included with OpenVPN in versions prior to 2.1 is not compatible with Vista. At the time of this writing, OpenVPN 2.1_rc13 is available and appears to work as expected. I'm not sure the TAP driver is required for our purposes, though, given that the TAP interface is used for bridged VPNs, not routed VPNs.
- UAC prevents the OpenVPN client from adding or altering routes in the system. When launching the OpenVPN GUI under Vista, right-click the shortcut and choose Run as Administrator to work around this.
== Misc Notes ==
- The TUN interface carries Layer 3 (IP) traffic; the TAP interface carries Layer 2 (Ethernet) traffic.