Differences

This shows you the differences between two versions of the page.

linux:openvpn [2017/05/22 21:16] niziak | linux:openvpn [2020/10/19 15:52] niziak
Line 1: Line 1:
 +====== OpenVPN ======
 +
 ====== Installation ====== ====== Installation ======
-  * Put clien configuration into /etc/openvpn/client.conf +    * Put client configuration into ''/etc/openvpn/client/'' 
-  * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' +    Start openvpn services <code bash> 
-  Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> +systemctl start openvpn-client@config-name 
-  * Start openvpn services <code bash>systemct start openvpn</code>+systemctl status openvpn-client@config-name 
 +systemctl enable openvpn-client@config-name 
 +</code>
  
 +NOTE: `openvpn-client@` service doesn't contain `restart`. 
 +The result of failed openvpn daemon looks like:
 +<code bash>
 +systemctl status openvpn-client@config-name
 +...
 +   Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago
 +     Docs: man:openvpn(8)
 +           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 +           https://community.openvpn.net/openvpn/wiki/HOWTO
 + Main PID: 19630 (code=exited, status=0/SUCCESS)
 +...
 +</code>
 +
 +To make sure your VPN is running:
 +<code bash>systemctl edit openvpn-client@config-name</code>
 +
 +and enter following config:
 +
 +<code>
 +[Service]
 +Restart=always
 +RestartSec=300
 +</code>
 +
 +===== issue =====
 +<code>
 +openvpn[281925]: Failed to query password: Timer expired
 +openvpn[281924]: ERROR: Failed retrieving username or password
 +</code>
 +
 +Solution:
 +<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf>
 +[Service]
 +ExecStart=
 +ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config
 +%i.conf
 +</file>
 +
 +
 +===== Deprecated =====
 +
 +    * Put client configuration into /etc/openvpn/client.conf
 +    * Enable autostart ALL or specified configs in ''/etc/default/openvpn''
 +    * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code>
 +    * Start openvpn services <code bash>systemct start openvpn</code>
 +
 +====== Certifcates ======
 +
 +    * CA has to be with <code>X509v3 Key Usage: Certificate Sign, CRL Sign</code>. Without ''CRL Sign'' latest version of OpenVPN doesn't allow to use CRL.
 +        * basicConstraints        = CA:TRUE (critical)
 +        * nsCertType              = sslCA                 # restrict the usage
 +        * keyUsage                = keyCertSign, cRLSign
 +        * subjectKeyIdentifier    = hash
 +        * authorityKeyIdentifier  = keyid:always,issuer:always
 +    * OpenVPN Server
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = server                # restrict the usage
 +       * keyUsage                = digitalSignature, keyEncipherment
 +       * extendedKeyUsage        = serverAuth            # restrict the usage
 +    * OpenVPN Client
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = client                # restrict the usage
 +       * keyUsage                = digitalSignature      # restrict the usage
 +       * extendedKeyUsage        = clientAuth   
  
 ====== Configuration ====== ====== Configuration ======
 +
 +=== Routing ===
 +**route** directive adds normal routes to the Kernel table. It routes the packet from kernel to OpenVPN.
 +**iroute** directive adds routes to internal OpenVPN table. It routes the packets to specified clients.
 +
 +== Subnets behind client ==
 +In normal scenario, each VPN client is the final endpoint. But sometimes, there are additional networks behind client.
 +  * Client side (or CCD directory - per client). There are networks **192.168.22.0/24** and **fcaa::/64** behind client:
 +<code>
 +iroute 192.168.22.0/24
 +iroute-ipv6 fcaa::/64
 +</code>
 + * Server configuration
 +<code>
 +route 192.168.22.0/24
 +route-ipv6 fcaa::/64
 +</code>
 +
  
 === Username support === === Username support ===
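Review bot: in the `askpass.conf` drop-in under "issue", the replacement `ExecStart=` is broken across two lines (`ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config` followed by `%i.conf` on its own line); systemd has no implicit line continuation, so `%i.conf` is rejected as a malformed assignment and the unit fails to load. Keep `... --config %i.conf` on one line, or end the first line with a backslash. The fix is also incomplete as stated: `--askpass` with no file argument still prompts for the passphrase, and the quoted error (`Failed to query password: Timer expired`) is exactly that prompt timing out in a unit with no tty, so the page should say where the secret comes from (`--askpass /path/to/file`, or `auth-user-pass /path/to/file` in the config, with the file readable by root only). Two smaller points in the same hunk: in "Subnets behind client", `iroute 192.168.22.0/24` is a server-side directive that belongs only in that client's `client-config-dir` file (or a `client-connect` script), never in the client's own configuration, so "Client side (or CCD directory - per client)" should read "Server side, in the client's CCD file"; and the `nsCertType` lines in the certificate profiles are only consulted by the `ns-cert-type` check, which is deprecated in OpenVPN 2.4 and removed in 2.5 in favour of `remote-cert-tls server`/`client` driven by the `keyUsage`/`extendedKeyUsage` values already listed, so mark `nsCertType` as optional legacy. It would also help to state in the installation step that the file in `/etc/openvpn/client/` must be named `config-name.conf`, since the unit starts it as `--config %i.conf`.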
Line 42: Line 132:
  
 ====== Troubleshooting ====== ====== Troubleshooting ======
 +
 **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\  **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\ 
 **Cause**: one side use LZO compression, second side not.\\  **Cause**: one side use LZO compression, second side not.\\ 
Line 52: Line 143:
 Exiting due to fatal error\\ Exiting due to fatal error\\
 Use persist-key and persist-tun. Use persist-key and persist-tun.
- 
 **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user. **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user.
  
  
 +**Error**: unsupported protocol
 +**Cause**: Modern OpenSSL (like 1.1.1) config forbids TLSv1
 +**Solution**:
 +<file | /etc/ssl/openssl.cnf>
 +MinProtocol = TLSv1
 +</file>
 +
 +**Error**: File transfer stuck 
 +**Cause**: File transfer are using maximum packet size, which probably cannot fit to MTU limitataions
 +**Solution**: Not tested, try params like:
 +<file>
 +# On one side of connection
 +mssfix 1400
 +
 +# MTU on tunX interface
 +# has to be set on both sides
 +tun-mtu 1400 
 +</file>
 +
 +More: 
 +  * [[https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem]]
 +  * [[https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn|Setting correct MTU for OpenVPN]]
 ====== rsyslog ====== ====== rsyslog ======
 <file txt /etc/rsyslog.d/20-ovpn.conf> <file txt /etc/rsyslog.d/20-ovpn.conf>
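Review bot: the "unsupported protocol" fix (`MinProtocol = TLSv1` in `/etc/ssl/openssl.cnf`) lowers the TLS floor for every OpenSSL-linked program on the host, not just this tunnel, and should be scoped and reverted: put the relaxed setting in a separate config file and point only this unit at it with `Environment=OPENSSL_CONF=/path/to/openvpn-openssl.cnf` in a drop-in, then raise the minimum back to `TLSv1.2` once the peer that only speaks TLS 1.0 is upgraded, which is the real fix. The snippet is also incomplete: `MinProtocol` only takes effect inside the section that the file's `ssl_conf`/`system_default` chain points at (on Debian/Ubuntu that is `[system_default_sect]`), so show the section header rather than a bare line. On the MTU entry, `mssfix 1400` only clamps the TCP MSS and does nothing for UDP flows; for those the matching knob is `fragment 1400`, which is UDP-only and, like `tun-mtu`, needs to be set on both peers, and `mtu-test` can be run once to measure the path before picking a value.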