linux:openvpn [2018/12/08 18:09] – [Troubleshooting] niziak
linux:openvpn [2020/10/19 15:53] (current) niziak
Line 1: Line 1:
 +====== OpenVPN ======
 +
 ====== Installation ====== ====== Installation ======
-  * Put clien configuration into /etc/openvpn/client.conf +    * Put client configuration into ''/etc/openvpn/client/'' 
-  * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' +    * Start openvpn services <code bash> 
-  * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> +systemctl start openvpn-client@config-name 
-  * Start openvpn services <code bash>systemct start openvpn</code>+systemctl status openvpn-client@config-name 
 +systemctl enable openvpn-client@config-name 
 +</code> 
 + 
 +NOTE: `openvpn-client@` service doesn't contain `restart`.  
 +The result of failed openvpn daemon looks like: 
 +<code bash> 
 +systemctl status openvpn-client@config-name 
 +... 
 +   Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago 
 +     Docs: man:openvpn(8) 
 +           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage 
 +           https://community.openvpn.net/openvpn/wiki/HOWTO 
 + Main PID: 19630 (code=exited, status=0/SUCCESS) 
 +... 
 +</code> 
 + 
 +To make sure your VPN is running: 
 +<code bash>systemctl edit openvpn-client@config-name</code> 
 + 
 +and enter following config: 
 + 
 +<code> 
 +[Service] 
 +Restart=always 
 +RestartSec=300 
 +</code> 
 + 
 +<code bash>systemctl daemon-reload</code> 
 + 
 +===== issue ===== 
 +<code> 
 +openvpn[281925]: Failed to query password: Timer expired 
 +openvpn[281924]: ERROR: Failed retrieving username or password 
 +</code> 
 + 
 +Solution: 
 +<file | /etc/systemd/system/openvpn-client@.service.d/askpass.conf> 
 +[Service] 
 +ExecStart= 
 +ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config 
 +%i.conf 
 +</file> 
 + 
 + 
 +===== Deprecated ===== 
 + 
 +    * Put client configuration into /etc/openvpn/client.conf 
 +    * Enable autostart ALL or specified configs in ''/etc/default/openvpn'' 
 +    * Generate systemd services from openvon configs <code bash>systemctl daemon-reload</code> 
 +    * Start openvpn services <code bash>systemct start openvpn</code> 
 + 
 +====== Certifcates ======
  
 +    * CA has to be with <code>X509v3 Key Usage: Certificate Sign, CRL Sign</code>. Without ''CRL Sign'' latest version of OpenVPN doesn't allow to use CRL.
 +        * basicConstraints        = CA:TRUE (critical)
 +        * nsCertType              = sslCA                 # restrict the usage
 +        * keyUsage                = keyCertSign, cRLSign
 +        * subjectKeyIdentifier    = hash
 +        * authorityKeyIdentifier  = keyid:always,issuer:always
 +    * OpenVPN Server
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = server                # restrict the usage
 +       * keyUsage                = digitalSignature, keyEncipherment
 +       * extendedKeyUsage        = serverAuth            # restrict the usage
 +    * OpenVPN Client
 +       * basicConstraints        = CA:FALSE
 +       * subjectKeyIdentifier    = hash
 +       * authorityKeyIdentifier  = keyid,issuer
 +       * nsCertType              = client                # restrict the usage
 +       * keyUsage                = digitalSignature      # restrict the usage
 +       * extendedKeyUsage        = clientAuth   
  
 ====== Configuration ====== ====== Configuration ======
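Review bot: the askpass drop-in at the end of the "issue" subsection shows `ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config` on one line and `%i.conf` on the next; copied as-is into `/etc/systemd/system/openvpn-client@.service.d/askpass.conf` the second line is not a valid unit directive and `--config` is left without an argument, so the whole `ExecStart=` belongs on a single line. It would also help to say what the override is expected to change: `--askpass` with no file argument still has to prompt for the passphrase somewhere, and the quoted `Failed to query password: Timer expired` is that prompt going unanswered until the timeout, so either state that the passphrase is supplied at boot through the systemd password agent (`systemd-tty-ask-password-agent --query`) before the timer runs out, or point `--askpass` at a root-only (mode 0600) file and note that this keeps the private-key passphrase in clear on disk. Two smaller points: the troubleshooting text says the `openvpn-client@` unit "doesn't contain restart", yet the quoted status line already reads `Active: activating (auto-restart)` after `status=0/SUCCESS`, so either qualify that claim or label the status output as captured after the `Restart=always` override was applied; and the heading `====== Certifcates ======` and the words `openvon` and `systemct` in the Deprecated list are typos carried over from the old text.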
Line 80: Line 154:
 MinProtocol = TLSv1 MinProtocol = TLSv1
 </file> </file>
 +
 +**Error**: File transfer stuck 
 +**Cause**: File transfer are using maximum packet size, which probably cannot fit to MTU limitataions
 +**Solution**: Not tested, try params like:
 +<file>
 +# On one side of connection
 +mssfix 1400
 +
 +# MTU on tunX interface
 +# has to be set on both sides
 +tun-mtu 1400 
 +</file>
 +
 +More: 
 +  * [[https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem]]
 +  * [[https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn|Setting correct MTU for OpenVPN]]
 ====== rsyslog ====== ====== rsyslog ======
 <file txt /etc/rsyslog.d/20-ovpn.conf> <file txt /etc/rsyslog.d/20-ovpn.conf>
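Review bot: the MTU advice in this hunk is explicitly "Not tested", so the reader should be given a way to confirm the values before changing both peers: OpenVPN's `--mtu-test` option measures the usable MTU of the link at connection start, and the value it reports is what `tun-mtu` (which, as the file comment says, must be identical on both sides) should be derived from, rather than guessing 1400. Formatting: the `**Error**:`, `**Cause**:` and `**Solution**:` lines have no blank line or `\\` between them, so DokuWiki renders them as one run-on paragraph; "File transfer are using" should read "File transfers are using", and "limitataions" is a typo.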