Differences
Comparing revisions: linux:openvpn [2017/10/05 10:21] – [Configuration] niziak
with: linux:openvpn [2020/10/19 15:52] niziak
Line 1: Line 1:
 +====== OpenVPN ======
 +
 ====== Installation ====== ====== Installation ======
-  * Put clien configuration into /etc/openvpn/client.conf +    * Put client configuration into ''/etc/openvpn/client/'' 
-  * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' +    * Start openvpn services <code bash> 
-  * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> +systemctl start openvpn-client@config-name 
-  * Start openvpn services <code bash>systemct start openvpn</code>+systemctl status openvpn-client@config-name 
 +systemctl enable openvpn-client@config-name 
 +</code> 
 + 
 +NOTE: `openvpn-client@` service doesn't contain `restart`.  
 +The result of failed openvpn daemon looks like: 
 +<code bash> 
 +systemctl status openvpn-client@config-name 
 +... 
 +   Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago 
 +     Docs: man:openvpn(8) 
 +           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage 
 +           https://community.openvpn.net/openvpn/wiki/HOWTO 
 + Main PID: 19630 (code=exited, status=0/SUCCESS) 
 +... 
 +</code> 
 + 
 +To make sure your VPN is running: 
 +<code bash>systemctl edit openvpn-client@config-name</code> 
 + 
 +and enter following config: 
 + 
 +<code> 
 +[Service] 
 +Restart=always 
 +RestartSec=300 
 +</code> 
 + 
 +===== issue ===== 
 +<code> 
 +openvpn[281925]: Failed to query password: Timer expired 
 +openvpn[281924]: ERROR: Failed retrieving username or password 
 +</code> 
 + 
 +Solution: 
 +<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf> 
 +[Service] 
 +ExecStart= 
 +ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config 
 +%i.conf 
 +</file> 
 + 
 + 
 +===== Deprecated ===== 
 + 
 +    * Put client configuration into /etc/openvpn/client.conf 
 +    * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' 
 +    * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> 
 +    * Start openvpn services <code bash>systemct start openvpn</code> 
 + 
 +====== Certifcates ======
  
 +    * CA has to be with <code>X509v3 Key Usage: Certificate Sign, CRL Sign</code>. Without ''CRL Sign'' latest version of OpenVPN doesn't allow to use CRL.
 +        * basicConstraints        = CA:TRUE (critical)
 +        * nsCertType              = sslCA                 # restrict the usage
 +        * keyUsage                = keyCertSign, cRLSign
 +        * subjectKeyIdentifier    = hash
 +        * authorityKeyIdentifier  = keyid:always,issuer:always
 +    * OpenVPN Server
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = server                # restrict the usage
 +       * keyUsage                = digitalSignature, keyEncipherment
 +       * extendedKeyUsage        = serverAuth            # restrict the usage
 +    * OpenVPN Client
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = client                # restrict the usage
 +       * keyUsage                = digitalSignature      # restrict the usage
 +       * extendedKeyUsage        = clientAuth   
  
 ====== Configuration ====== ====== Configuration ======
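Review bot: the askpass.conf drop-in in this hunk is not a valid unit file as shown, because `ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config` ends the line and `%i.conf` sits on the next one; systemd only continues a line that ends with a backslash, so `--config` would be left without its argument and the bare `%i.conf` line ignored. Keep the whole ExecStart on one line, or end the first line with `\`. Two smaller points in the same hunk: the `nsCertType = server` / `nsCertType = client` entries in the certificate profiles only serve the legacy `--ns-cert-type` check, which OpenVPN 2.4 deprecated in favour of `--remote-cert-tls`, so the `extendedKeyUsage = serverAuth` / `clientAuth` lines already listed are the ones current peers actually verify; and the new heading reads "Certifcates".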
Line 60: Line 132:
  
 ====== Troubleshooting ====== ====== Troubleshooting ======
 +
 **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\  **Error**: "write to TUN/TAP : Invalid argument (code=22)".\\ 
 **Cause**: one side use LZO compression, second side not.\\  **Cause**: one side use LZO compression, second side not.\\ 
Line 70: Line 143:
 Exiting due to fatal error\\ Exiting due to fatal error\\
 Use persist-key and persist-tun. Use persist-key and persist-tun.
- 
 **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user. **Cause**: on VPS platform /dev/net/tun has only root permisstion. So openvpn should be started as root user.
  
  
 +**Error**: unsupported protocol
 +**Cause**: Modern OpenSSL (like 1.1.1) config forbids TLSv1
 +**Solution**:
 +<file | /etc/ssl/openssl.cnf>
 +MinProtocol = TLSv1
 +</file>
 +
 +**Error**: File transfer stuck 
 +**Cause**: File transfer are using maximum packet size, which probably cannot fit to MTU limitataions
 +**Solution**: Not tested, try params like:
 +<file>
 +# On one side of connection
 +mssfix 1400
 +
 +# MTU on tunX interface
 +# has to be set on both sides
 +tun-mtu 1400 
 +</file>
 +
 +More: 
 +  * [[https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem]]
 +  * [[https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn|Setting correct MTU for OpenVPN]]
 ====== rsyslog ====== ====== rsyslog ======
 <file txt /etc/rsyslog.d/20-ovpn.conf> <file txt /etc/rsyslog.d/20-ovpn.conf>
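Review bot: `MinProtocol = TLSv1` in `/etc/ssl/openssl.cnf` changes the default for every OpenSSL-linked program on the host, not only OpenVPN, so the "unsupported protocol" fix re-enables TLS 1.0 system-wide. The preferable fix is to upgrade the peer that still needs TLSv1; if that is impossible, scope the relaxation to the VPN process by giving the `openvpn-client@` unit its own OpenSSL config via `Environment=OPENSSL_CONF=/path/to/openvpn-legacy.cnf` (path is an example) in the same kind of drop-in this page already uses for askpass.conf, and record which peer requires it. In the MTU section, already marked "Not tested", note that `mssfix` only clamps the MSS of TCP flows inside the tunnel, so the `tun-mtu` change on both sides is the part that also covers UDP traffic.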