vpn-server [2023/09/12 18:50] – [Routing everything over the VPN] -formatting hogwild | vpn-server [2023/09/12 19:50] – [Adding certificate revocation lists] -capitalize heading hogwild
Line 136: | Line 136: | ||
- | ==== TLS Control | + | ==== TLS Control |
(tls-auth/ | (tls-auth/ | ||
Line 179: | Line 179: | ||
In Static Key encryption mode, the HMAC key is included in the key file. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC, it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. | In Static Key encryption mode, the HMAC key is included in the key file. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC, it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. | ||
- | For basic HMAC information, | + | For basic HMAC information, |
- | [[https:// | + | |
==== VPN Subnet/ | ==== VPN Subnet/ | ||
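Review bot: the standalone link line on the old side of this hunk (the deleted `[[https://` row after "For basic HMAC information,") has no visible counterpart on the new side; confirm the HMAC reference link was folded into the reflowed sentence and still resolves rather than being dropped.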
Line 195: | Line 195: | ||
===== Advanced Tab ===== | ===== Advanced Tab ===== | ||
- | \\ | + | |
- | {{: | + | \\ {{: |
- | \\ | + | |
==== Poll Interval ==== | ==== Poll Interval ==== | ||
Line 401: | Line 402: | ||
- | ==== Adding | + | ==== Adding |
Within the CA, you can also revoke certificates as needed. Using your preferred CA management tool, you should be able to generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this revocation list. Clients which have their certificates listed in the CRL will not be able to connect. This is a common way to disable access to a VPN service on a per-user level. | Within the CA, you can also revoke certificates as needed. Using your preferred CA management tool, you should be able to generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this revocation list. Clients which have their certificates listed in the CRL will not be able to connect. This is a common way to disable access to a VPN service on a per-user level. | ||
Line 414: | Line 415: | ||
crl / | crl / | ||
</ | </ | ||
+ | |||
+ | \\ | ||
- | ==== Routing | + | ==== Routing |
If you want to access particular network resources fromk other IP addresses through the VPN tunnel, you need to add network routes. A route tells your system where it needs to send network traffic in order to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel. | If you want to access particular network resources fromk other IP addresses through the VPN tunnel, you need to add network routes. A route tells your system where it needs to send network traffic in order to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel. | ||
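Review bot: typo in the unchanged context paragraph under "Routing" in this hunk: "fromk other IP addresses" should read "from other IP addresses"; worth fixing while this section is being edited.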
Line 441: | Line 444: | ||
- | ==== Routing | + | ==== Routing |
It is possible to route all network traffic over the VPN. The OpenVPN configuration for this is fairly simple. However, you'' | It is possible to route all network traffic over the VPN. The OpenVPN configuration for this is fairly simple. However, you'' | ||
Line 470: | Line 473: | ||
- | ==== What about IPv6? ==== | + | ==== About IPv6 ==== |
- | OpenVPN v2.3 and later supports | + | OpenVPN v2.3 and later support |
+ | |||
+ | \\ | ||
For example, adding this will configure the IPv6 addresses for server and clients: | For example, adding this will configure the IPv6 addresses for server and clients: | ||
+ | |||
+ | \\ | ||
<code -> | <code -> | ||
server-ipv6 2001: | server-ipv6 2001: | ||
</ | </ | ||
+ | |||
+ | \\ | ||
You can use the // | You can use the // | ||
+ | |||
+ | \\ | ||
<code -> | <code -> | ||
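Review bot: each new paragraph break added in this hunk consists of both an empty line and a forced line break `\\`; in DokuWiki a blank line already starts a new paragraph, so the extra `\\` rows only add vertical whitespace before the `<code>` blocks. Consider keeping one or the other for consistent spacing with the rest of the page.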
Line 486: | Line 497: | ||
</ | </ | ||
+ | \\ | ||
+ | \\ | ||