linux:openvpn [2017/05/22 21:16] niziak
linux:openvpn [2020/10/19 15:53] (current) niziak
Line 1: Line 1:
 +====== OpenVPN ======
 +
 ====== Installation ====== ====== Installation ======
-  * Put clien configuration into /etc/openvpn/client.conf +    * Put client configuration into ''/etc/openvpn/client/'' 
-  * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' +    Start openvpn services <code bash> 
-  Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> +systemctl start openvpn-client@config-name 
-  * Start openvpn services <code bash>systemct start openvpn</code>+systemctl status openvpn-client@config-name 
 +systemctl enable openvpn-client@config-name 
 +</code>
  
 +NOTE: `openvpn-client@` service doesn't contain `restart`. 
 +The result of failed openvpn daemon looks like:
 +<code bash>
 +systemctl status openvpn-client@config-name
 +...
 +   Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago
 +     Docs: man:openvpn(8)
 +           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 +           https://community.openvpn.net/openvpn/wiki/HOWTO
 + Main PID: 19630 (code=exited, status=0/SUCCESS)
 +...
 +</code>
 +
 +To make sure your VPN is running:
 +<code bash>systemctl edit openvpn-client@config-name</code>
 +
 +and enter following config:
 +
 +<code>
 +[Service]
 +Restart=always
 +RestartSec=300
 +</code>
 +
 +<code bash>systemctl daemon-reload</code>
 +
 +===== issue =====
 +<code>
 +openvpn[281925]: Failed to query password: Timer expired
 +openvpn[281924]: ERROR: Failed retrieving username or password
 +</code>
 +
 +Solution:
 +<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf>
 +[Service]
 +ExecStart=
 +ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config
 +%i.conf
 +</file>
 +
 +
 +===== Deprecated =====
 +
 +    * Put client configuration into /etc/openvpn/client.conf
 +    * Enable autostart ALL or specified configs in ''/etc/default/openvpn''
 +    * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code>
 +    * Start openvpn services <code bash>systemct start openvpn</code>
 +
 +====== Certifcates ======
 +
 +    * CA has to be with <code>X509v3 Key Usage: Certificate Sign, CRL Sign</code>. Without ''CRL Sign'' latest version of OpenVPN doesn't allow to use CRL.
 +        * basicConstraints        = CA:TRUE (critical)
 +        * nsCertType              = sslCA                 # restrict the usage
 +        * keyUsage                = keyCertSign, cRLSign
 +        * subjectKeyIdentifier    = hash
 +        * authorityKeyIdentifier  = keyid:always,issuer:always
 +    * OpenVPN Server
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = server                # restrict the usage
 +       * keyUsage                = digitalSignature, keyEncipherment
 +       * extendedKeyUsage        = serverAuth            # restrict the usage
 +    * OpenVPN Client
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = client                # restrict the usage
 +       * keyUsage                = digitalSignature      # restrict the usage
 +       * extendedKeyUsage        = clientAuth   
  
 ====== Configuration ====== ====== Configuration ======
 +
 +=== Routing ===
 +**route** directive adds normal routes to the Kernel table. It routes the packet from kernel to OpenVPN.
 +**iroute** directive adds routes to internal OpenVPN table. It routes the packets to specified clients.
 +
 +== Subnets behind client ==
 +In normal scenario, each VPN client is the final endpoint. But sometimes, there are additional networks behind client.
 +  * Client side (or CCD directory - per client). There are networks **192.168.22.0/24** and **fcaa::/64** behind client:
 +<code>
 +iroute 192.168.22.0/24
 +iroute-ipv6 fcaa::/64
 +</code>
 + * Server configuration
 +<code>
 +route 192.168.22.0/24
 +route-ipv6 fcaa::/64
 +</code>
 +
  
 === Username support === === Username support ===
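Review bot: the askpass drop-in (the `<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf>` block) splits `ExecStart=` across two lines with `%i.conf` on its own line; systemd only joins lines that end in a backslash, so as written `%i.conf` is parsed as a separate, invalid line and `--config` is left without its argument. Either keep `ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config %i.conf` on one line or end the first line with `\`. Smaller points in the same hunk: the `systemctl status` output quoted to illustrate a failed daemon reads `Active: activating (auto-restart)`, which is the state systemd enters only when a `Restart=` policy is already in effect, so it does not support the sentence that the `openvpn-client@` unit has no restart; the list item ` * Server configuration` is indented with one space where DokuWiki needs two; and the heading `====== Certifcates ======` plus the `openvon`/`systemct` typos carried into the Deprecated section are worth fixing while here.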
Line 42: Line 134:
  
 ====== Troubleshooting ====== ====== Troubleshooting ======
 +
 **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\  **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\ 
 **Cause**: one side use LZO compression, second side not.\\  **Cause**: one side use LZO compression, second side not.\\ 
Line 52: Line 145:
 Exiting due to fatal error\\ Exiting due to fatal error\\
 Use persist-key and persist-tun. Use persist-key and persist-tun.
- 
 **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user. **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user.
  
  
 +**Error**: unsupported protocol
 +**Cause**: Modern OpenSSL (like 1.1.1) config forbids TLSv1
 +**Solution**:
 +<file | /etc/ssl/openssl.cnf>
 +MinProtocol = TLSv1
 +</file>
 +
 +**Error**: File transfer stuck 
 +**Cause**: File transfer are using maximum packet size, which probably cannot fit to MTU limitataions
 +**Solution**: Not tested, try params like:
 +<file>
 +# On one side of connection
 +mssfix 1400
 +
 +# MTU on tunX interface
 +# has to be set on both sides
 +tun-mtu 1400 
 +</file>
 +
 +More: 
 +  * [[https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem]]
 +  * [[https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn|Setting correct MTU for OpenVPN]]
 ====== rsyslog ====== ====== rsyslog ======
 <file txt /etc/rsyslog.d/20-ovpn.conf> <file txt /etc/rsyslog.d/20-ovpn.conf>
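Review bot: the `MinProtocol = TLSv1` fix for `unsupported protocol` is both incomplete and broader than it needs to be. In OpenSSL 1.1.1 a bare `MinProtocol` line at the top of `/etc/ssl/openssl.cnf` has no effect; it is only read inside the system-default section that the file's `ssl_conf` directive points to (typically `[system_default_sect]`), which is where Debian/Ubuntu set `MinProtocol = TLSv1.2`. Changing it there lowers the floor to TLS 1.0 for every OpenSSL program on the host, not just this tunnel. Suggest scoping the change to OpenVPN with `tls-version-min 1.0` in the affected client config (or, better, getting the peer onto TLS 1.2) and noting that this is only needed while the remote server still negotiates TLSv1. Minor: the new **Error**/**Cause**/**Solution** lines lack the trailing `\\` used by the earlier entries, so DokuWiki renders each group as one run-on paragraph.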