
Installation

  • Put client configuration into /etc/openvpn/client/
  • Start openvpn services
    systemctl start openvpn-client@config-name
    systemctl enable openvpn-client@config-name

Deprecated

  • Put client configuration into /etc/openvpn/client.conf
  • Enable autostart of ALL or of specified configs in /etc/default/openvpn
  • Generate systemd services from the openvpn configs
    systemctl daemon-reload
  • Start openvpn services
    systemctl start openvpn

Certificates

  • The CA certificate has to carry
    X509v3 Key Usage: Certificate Sign, CRL Sign
    Without CRL Sign, the latest version of OpenVPN does not allow using a CRL.

    • basicConstraints = CA:TRUE (critical)
    • nsCertType = sslCA # restrict the usage
    • keyUsage = keyCertSign, cRLSign
    • subjectKeyIdentifier = hash
    • authorityKeyIdentifier = keyid:always,issuer:always
  • OpenVPN Server
    • basicConstraints = CA:FALSE
    • subjectKeyIdentifier = hash
    • authorityKeyIdentifier = keyid,issuer
    • nsCertType = server # restrict the usage
    • keyUsage = digitalSignature, keyEncipherment
    • extendedKeyUsage = serverAuth # restrict the usage
  • OpenVPN Client
    • basicConstraints = CA:FALSE
    • subjectKeyIdentifier = hash
    • authorityKeyIdentifier = keyid,issuer
    • nsCertType = client # restrict the usage
    • keyUsage = digitalSignature # restrict the usage
    • extendedKeyUsage = clientAuth
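The three extension sets above written out as one OpenSSL configuration, together with the check the CRL Sign note implies. This is an added example, not code from the page: it builds a throwaway CA, server and client certificate, confirms that the CA's Key Usage lists both Certificate Sign and CRL Sign, and shows that the nsCertType/extendedKeyUsage restriction makes the server certificate fail the sslclient purpose. The working directory, subjects and file names are constructed; the script assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example: small PKI with the page's CA / server / client extension sets.
# All paths and subject names are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension sections copied from the list above; [req]/[req_dn] only exist so
# that "openssl req -config" is happy (the -subj option overrides the DN).
write_ext_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
nsCertType = sslCA
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA carrying the ca_ext set (skipped if it already exists).
make_ca() {
    [ -f "$WORK/ca.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo VPN CA" \
        -config "$WORK/ext.cnf" -extensions ca_ext
}

# Key + CSR for $1, signed by the CA with extension section $2.
issue_cert() {
    [ -f "$WORK/$1.crt" ] && return 0
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" -config "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$1.crt" \
        -extfile "$WORK/ext.cnf" -extensions "$2"
}

# True only if the CA's Key Usage line lists both Certificate Sign and CRL Sign.
ca_can_sign_crl() {
    usage=$(openssl x509 -in "$WORK/ca.crt" -noout -text |
        awk '/X509v3 Key Usage/ { getline; print; exit }')
    case "$usage" in
        *"Certificate Sign"*"CRL Sign"*) return 0 ;;
    esac
    return 1
}

# Chain check; $2 is an optional purpose (sslserver / sslclient).
verify_against_ca() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

main() {
    write_ext_config
    make_ca
    issue_cert server server_ext
    issue_cert client client_ext
    if ca_can_sign_crl; then
        echo "CA key usage includes Certificate Sign and CRL Sign"
    else
        echo "CA lacks CRL Sign: OpenVPN will not accept a CRL from this CA" >&2
        exit 1
    fi
    verify_against_ca server
    verify_against_ca client
    echo "server and client certificates chain to the CA in $WORK"
}
main
```

With the purpose restrictions in place, a certificate issued for one role cannot be reused for the other: the server certificate verifies with -purpose sslserver but not with -purpose sslclient, which is exactly what the "restrict the usage" comments above are for.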

Configuration

Routing

The route directive adds normal routes to the kernel routing table; it routes packets from the kernel into OpenVPN. The iroute directive adds routes to OpenVPN's internal routing table; it routes packets to the specified client.

Subnets behind client

In the normal scenario each VPN client is the final endpoint, but sometimes there are additional networks behind a client.

  • Client side (or the CCD directory, per client). There are networks 192.168.22.0/24 and fcaa::/64 behind the client:
    iroute 192.168.22.0/24
    iroute-ipv6 fcaa::/64
  • Server configuration
    route 192.168.22.0/24
    route-ipv6 fcaa::/64
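A consistency check for this pairing, added here as example code (not from the page): an iroute in a CCD file without the matching route on the server is an easy mistake to make, and because the kernel then never hands the subnet's packets to OpenVPN the network behind the client stays unreachable. The script normalises OpenVPN's documented "address netmask" form and the "address/bits" form used above to one notation and lists every iroute that has no server route. The directory, server.conf and ccd/client_A contents are constructed.

```shell
#!/bin/sh
# Added example: report iroute / iroute-ipv6 entries in a client-config-dir
# that have no matching route / route-ipv6 in the server configuration.
# Directory and file contents below are constructed for the demo.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"

# Convert "addr netmask" to "addr/bits"; pass "addr/bits" through unchanged.
# A missing netmask means a host route (OpenVPN's default of 255.255.255.255).
to_cidr() {
    addr=$1
    mask=${2:-}
    case "$addr" in
        */*) printf '%s\n' "$addr"; return 0 ;;
    esac
    if [ -z "$mask" ]; then
        printf '%s/32\n' "$addr"; return 0
    fi
    bits=0
    oldifs=$IFS; IFS=.; set -- $mask; IFS=$oldifs
    for octet in "$@"; do
        case "$octet" in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;; 248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;;
            0)   ;;
            *)   printf 'unsupported netmask %s\n' "$mask" >&2; return 1 ;;
        esac
    done
    printf '%s/%s\n' "$addr" "$bits"
}

# Routes declared in the server config, one CIDR per line.
server_routes() {
    awk '$1 == "route" { print $2, $3 } $1 == "route-ipv6" { print $2 }' "$1" |
    while read -r a m; do to_cidr "$a" "$m"; done
}

# iroutes declared in one CCD file, one CIDR per line.
client_iroutes() {
    awk '$1 == "iroute" { print $2, $3 } $1 == "iroute-ipv6" { print $2 }' "$1" |
    while read -r a m; do to_cidr "$a" "$m"; done
}

# Print every iroute lacking a server route; return 0 only if none is missing.
missing_routes() {
    server_conf=$1
    ccd_dir=$2
    routes=$(server_routes "$server_conf")
    report=$(
        for f in "$ccd_dir"/*; do
            [ -f "$f" ] || continue
            client_iroutes "$f" | while read -r net; do
                printf '%s\n' "$routes" | grep -qxF -- "$net" ||
                    printf '%s: %s has no matching route in %s\n' \
                        "$(basename "$f")" "$net" "$server_conf"
            done
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo: the IPv4 route is present (in netmask form), the IPv6
# route that client_A's iroute-ipv6 needs is missing on purpose.
setup_demo_config() {
    mkdir -p "$DEMO/ccd"
    cat > "$DEMO/server.conf" <<'EOF'
dev tun
client-config-dir ccd
route 192.168.22.0 255.255.255.0
EOF
    cat > "$DEMO/ccd/client_A" <<'EOF'
iroute 192.168.22.0/24
iroute-ipv6 fcaa::/64
EOF
}

setup_demo_config
if missing_routes "$DEMO/server.conf" "$DEMO/ccd"; then
    echo "every iroute has a matching route"
else
    echo "add the reported route(s) to $DEMO/server.conf" >&2
fi
```

Run it against a real deployment by pointing missing_routes at /etc/openvpn/server.conf and the client-config-dir; the check only compares the two config files and never touches the kernel table or a running daemon.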

Username support

To easily distinguish clients that share the same certificate.
Server configuration

/etc/openvpn/auth-accept.sh
#!/bin/sh
exit 0
/etc/openvpn/server.conf
duplicate-cn
auth-user-pass-verify /etc/openvpn/auth-accept.sh via-env
auth-user-pass-optional
#username-as-common-name

Client configuration
Create a file with the username on the 1st line and the password on the 2nd:

/etc/openvpn/devicename
client_A
fakepassword
/etc/openvpn/client.conf
auth-user-pass /etc/openvpn/devicename
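The auth-accept.sh above accepts every username, so the name is purely a label and the certificate stays the only thing that authenticates the client. As an added example (not the page's script), the following via-env verify script fails closed instead: the username must appear as a whole line in an allowlist of known device names, and the password is still ignored, matching the dummy password the client sends. In via-env mode OpenVPN exports the credentials as the environment variables username and password (and the certificate's common_name); the allowlist path /etc/openvpn/device-names is an assumption.

```shell
#!/bin/sh
# Added example: auth-user-pass-verify script (via-env mode) that accepts a
# client only when its username is a known device name.
# ALLOWLIST is an assumed path: one device name per line.
set -u

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/device-names}"

# Return 0 (accept) if $1 is a plain identifier that occurs as a whole line
# of the allowlist; anything else, including a missing allowlist, is rejected.
verify_username() {
    name=${1:-}
    case "$name" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;   # empty or unexpected characters
    esac
    [ -r "$ALLOWLIST" ] || return 1          # no allowlist: fail closed
    grep -qxF -- "$name" "$ALLOWLIST"        # whole-line, fixed-string match
}

# Entry point when OpenVPN runs this script: "username" is set by via-env.
# The password is deliberately not checked (the client sends a dummy one).
if [ -n "${username:-}" ]; then
    if verify_username "$username"; then
        logger -t ovpn-auth "accepted username=$username cn=${common_name:-?}"
        exit 0
    fi
    logger -t ovpn-auth "rejected username=$username cn=${common_name:-?}"
    exit 1
else
    echo "meant to be run by OpenVPN via auth-user-pass-verify ... via-env" >&2
fi
```

Two things to keep in mind when wiring this in: OpenVPN only passes credentials to a script through the environment when the server runs with script-security 3, which the server.conf snippet above does not show, and with auth-user-pass-optional still set a client that sends no credentials at all never reaches this script, so drop that option if every client must present a device name.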

IPv6

Troubleshooting

Error: “write to TUN/TAP : Invalid argument (code=22)”.
Cause: one side uses LZO compression, the other side does not.
Solution: “comp-lzo no” on both sides.
Note:
this is a bug: the server pushes out 'comp-lzo' to the client but this is not picked up, because the client does not have 'comp-lzo' configured in the client config (all according to the man page). The bug is that when the client reconnects, it then does honor the 'comp-lzo' pushed out from the server. The client should either consistently refuse 'comp-lzo' or it should consistently accept this option as pushed out by the server.

Error: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13).
Exiting due to fatal error
Cause: on VPS platforms /dev/net/tun is accessible to root only, so openvpn has to be started as the root user.
Solution: use persist-key and persist-tun.

Error: unsupported protocol
Cause: the configuration of modern OpenSSL (such as 1.1.1) forbids TLSv1.
Solution:

/etc/ssl/openssl.cnf
MinProtocol = TLSv1

This setting applies to every OpenSSL application on the host, not only OpenVPN, so it lowers the TLS floor system-wide; enabling TLS 1.2 on the peer is the better fix where possible.

rsyslog

/etc/rsyslog.d/20-ovpn.conf
if $programname startswith 'ovpn-' then /var/log/openvpn/ovpn.log
& ~
mkdir /var/log/openvpn
chown syslog /var/log/openvpn
/etc/logrotate.d/openvpn
/var/log/openvpn/*.log {
        weekly
        size 100M
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 640 syslog adm
}

Create a p12 package for Android

openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name user -out user.p12