Differences

This shows you the differences between two versions of the page.

--- linux:openvpn [2019/03/29 13:29] – niziak
+++ linux:openvpn [2020/10/19 15:52] – niziak
@@ Line 1: / Line 1: @@
+====== OpenVPN ======
 ====== Installation ======
-    * Put clien configuration into /etc/openvpn/client.conf
+    * Put client configuration into ''/etc/openvpn/client/''
+    * Start openvpn services <code bash>
+systemctl start openvpn-client@config-name
+systemctl status openvpn-client@config-name
+systemctl enable openvpn-client@config-name
+</code>
+NOTE: `openvpn-client@` service doesn't contain `restart`.
+The result of failed openvpn daemon looks like:
+<code bash>
+systemctl status openvpn-client@config-name
+...
+   Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago
+     Docs: man:openvpn(8)
+           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+           https://community.openvpn.net/openvpn/wiki/HOWTO
+ Main PID: 19630 (code=exited, status=0/SUCCESS)
+...
+</code>
+To make sure your VPN is running:
+<code bash>systemctl edit openvpn-client@config-name</code>
+and enter following config:
+<code>
+[Service]
+Restart=always
+RestartSec=300
+</code>
+===== issue =====
+<code>
+openvpn[281925]: Failed to query password: Timer expired
+openvpn[281924]: ERROR: Failed retrieving username or password
+</code>
+Solution:
+<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf>
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config
+%i.conf
+</file>
+===== Deprecated =====
+    * Put client configuration into /etc/openvpn/client.conf
     * Enable autostart ALL or specified configs in ''/etc/default/openvpn''
     * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code>
@@ Line 9: / Line 59: @@
     * CA has to be with <code>X509v3 Key Usage: Certificate Sign, CRL Sign</code>. Without ''CRL Sign'' latest version of OpenVPN doesn't allow to use CRL.
         * basicConstraints        = CA:TRUE (critical)
+        * nsCertType              = sslCA                 # restrict the usage
         * keyUsage                = keyCertSign, cRLSign
+        * subjectKeyIdentifier    = hash
+        * authorityKeyIdentifier  = keyid:always,issuer:always
     * OpenVPN Server
        * basicConstraints        = CA:FALSE
+       * subjectKeyIdentifier    = hash
+       * authorityKeyIdentifier  = keyid,issuer
        * nsCertType              = server                # restrict the usage
        * keyUsage                = digitalSignature, keyEncipherment
@@ Line 17: / Line 72: @@
     * OpenVPN Client
        * basicConstraints        = CA:FALSE
+       * subjectKeyIdentifier    = hash
+       * authorityKeyIdentifier  = keyid,issuer
        * nsCertType              = client                # restrict the usage
        * keyUsage                = digitalSignature      # restrict the usage
@@ Line 95: / Line 152: @@
 MinProtocol = TLSv1
 </file>
+**Error**: File transfer stuck
+**Cause**: File transfer are using maximum packet size, which probably cannot fit to MTU limitataions
+**Solution**: Not tested, try params like:
+<file>
+# On one side of connection
+mssfix 1400
+# MTU on tunX interface
+# has to be set on both sides
+tun-mtu 1400
+</file>
+More:
+  * [[https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem]]
+  * [[https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn|Setting correct MTU for OpenVPN]]
 ====== rsyslog ======
 <file txt /etc/rsyslog.d/20-ovpn.conf>

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences