Installation
- Put the client configuration into /etc/openvpn/client.conf
- Enable autostart of ALL or of specified configs in
/etc/default/openvpn
- Generate systemd services from the openvpn configs
systemctl daemon-reload
- Start the openvpn services
systemctl start openvpn
Configuration
Username support
Lets clients that share the same certificate be told apart by username.
Server configuration
- /etc/openvpn/auth-accept.sh
#!/bin/sh
exit 0
- /etc/openvpn/server.conf
duplicate-cn
auth-user-pass-verify /etc/openvpn/auth-accept.sh via-env
auth-user-pass-optional
#username-as-common-name
Client configuration
Create a file with the username on the 1st line and the password on the 2nd.
- /etc/openvpn/devicename
client_A
fakepassword
- /etc/openvpn/client.conf
auth-user-pass /etc/openvpn/devicename
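As an added example (not the page's own auth-accept.sh), here is a verify script for the via-env mode configured above that accepts a connection only when the username is listed in an allowlist file. The allowlist path /etc/openvpn/allowed-users, the OVPN_ALLOWLIST override and the demo helpers are assumptions of this example. OpenVPN hands the credentials to the script in the username and password environment variables and sets script_type to user-pass-verify; via-env also requires script-security 3 in server.conf. The password is still ignored, as on the page: the username is what tells clients sharing one certificate apart, and an allowlist keeps made-up names off the VPN.

```shell
#!/bin/sh
# Added example, not the wiki page's script: auth-user-pass-verify hook
# for "via-env" mode. Accepts only usernames listed in an allowlist file
# (one name per line). Assumed default path: /etc/openvpn/allowed-users.

ALLOWLIST="${OVPN_ALLOWLIST:-/etc/openvpn/allowed-users}"

# check_username NAME FILE
# Returns 0 if NAME appears as a whole line in FILE, 1 otherwise.
# Empty names and names with characters outside [A-Za-z0-9_.-] are
# rejected before any file lookup, so a username can never act as a
# pattern, a path or a log-injection payload.
check_username() {
    name=$1
    file=$2
    [ -n "$name" ] || return 1
    case $name in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -r "$file" ] || return 1
    grep -qxF -- "$name" "$file"
}

# make_demo_allowlist: writes a constructed allowlist to a temp file and
# prints its path (only used for the stand-alone demo and tests).
make_demo_allowlist() {
    f=$(mktemp)
    printf '%s\n' client_A client_B > "$f"
    printf '%s\n' "$f"
}

# Run as "sh auth-accept.sh demo" to exercise the check without OpenVPN.
if [ "${1:-}" = "demo" ]; then
    f=$(make_demo_allowlist)
    for n in client_A client_B client_C "client A" ""; do
        if check_username "$n" "$f"; then
            printf 'accept  %s\n' "$n"
        else
            printf 'reject  %s\n' "$n"
        fi
    done
    rm -f "$f"
fi

# When OpenVPN invokes the script, script_type is "user-pass-verify" and
# username/password are exported; the exit status decides the connection.
if [ "${script_type:-}" = "user-pass-verify" ]; then
    if check_username "${username:-}" "$ALLOWLIST"; then
        exit 0
    fi
    # Do not echo the submitted name into the log; it failed validation.
    echo "auth-accept: rejected user-pass-verify request" >&2
    exit 1
fi
```

Install it executable in place of auth-accept.sh and leave the auth-user-pass-verify line in server.conf unchanged; the allowlist file should be readable by the user OpenVPN runs the script as and writable only by root.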
IPv6
Troubleshooting
Error: “write to TUN/TAP : Invalid argument (code=22)”.
Cause: one side uses LZO compression, the other side does not.
Solution: “comp-lzo no” on both sides.
Note:
this is a bug: the server pushes out 'comp-lzo' to the client but this is not picked up, because the client does not have 'comp-lzo' configured in the client config (all according to the man page). The bug is that when the client reconnects it then does honor the 'comp-lzo' pushed out from the server. The client should either consistently refuse 'comp-lzo' or it should consistently accept this option as pushed out by the server.
Error: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13).
Exiting due to fatal error
Cause: on a VPS platform /dev/net/tun is accessible only by root, so openvpn has to be started as the root user.
Solution: use persist-key and persist-tun.
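To spot these two failures in the log without reading it by hand, here is an added example (not from the wiki page) that classifies OpenVPN log lines against the two error signatures above and prints the matching remedy. The log lines in demo_log are constructed to look like what rsyslog writes for the ovpn-* program names; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: map known OpenVPN log errors to
# the remedies given in the Troubleshooting section. Sample log lines are
# constructed.

# diagnose_line LINE -> prints a tag for a known error, "unknown" otherwise.
diagnose_line() {
    case $1 in
        *"write to TUN/TAP : Invalid argument (code=22)"*)
            printf '%s\n' "lzo-mismatch" ;;
        *"Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)"*)
            printf '%s\n' "tun-permission" ;;
        *)
            printf '%s\n' "unknown" ;;
    esac
}

# hint_for TAG -> the remedy the page gives for that tag.
hint_for() {
    case $1 in
        lzo-mismatch)
            printf '%s\n' "one side uses LZO compression and the other does not; set 'comp-lzo no' on both sides" ;;
        tun-permission)
            printf '%s\n' "/dev/net/tun is root-only here; start openvpn as root and use persist-key and persist-tun" ;;
        *)
            printf '%s\n' "no known remedy on this page" ;;
    esac
}

# scan_log FILE -> one "tag<TAB>hint" line per matching log line; other lines are skipped.
scan_log() {
    while IFS= read -r l; do
        tag=$(diagnose_line "$l")
        [ "$tag" = unknown ] && continue
        printf '%s\t%s\n' "$tag" "$(hint_for "$tag")"
    done < "$1"
}

# count_known FILE -> number of log lines that matched a known signature.
count_known() {
    scan_log "$1" | wc -l | tr -d ' '
}

# demo_log: writes constructed rsyslog-style lines to a temp file, prints its path.
demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  1 12:00:01 vps ovpn-server[1234]: Initialization Sequence Completed
Mar  1 12:00:05 vps ovpn-server[1234]: write to TUN/TAP : Invalid argument (code=22)
Mar  1 12:01:00 vps ovpn-client[2345]: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Mar  1 12:01:00 vps ovpn-client[2345]: Exiting due to fatal error
EOF
    printf '%s\n' "$f"
}

# Run as "sh diagnose.sh demo" for the built-in sample, or
# "sh diagnose.sh /var/log/openvpn/ovpn.log" against a real log.
if [ "${1:-}" = "demo" ]; then
    f=$(demo_log); scan_log "$f"; rm -f "$f"
elif [ -n "${1:-}" ] && [ -r "$1" ]; then
    scan_log "$1"
fi
```

Matching on the exact message text keeps the classifier free of false positives; extend the first case statement when a new signature is worth recognising.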
rsyslog
- /etc/rsyslog.d/20-ovpn.conf
if $programname startswith 'ovpn-' then /var/log/openvpn/ovpn.log
& ~
- Create the log directory and hand it to the syslog user
mkdir /var/log/openvpn
chown syslog /var/log/openvpn
- /etc/logrotate.d/openvpn
/var/log/openvpn/*.log {
  weekly
  size 100M
  rotate 4
  compress
  delaycompress
  missingok
  notifempty
  create 640 syslog adm
}
Create a .p12 package for Android
openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name user -out user.p12