Differences

This shows you the differences between two versions of the page.

--- vpn-server [2024/11/05 22:05] – [OpenVPN Server Won't Start When EasyRSA3 used] -Condense hogwild
+++ vpn-server [2024/11/24 10:52] (current) – CB -> CBC petervdm
@@ Line 13: / Line 13: @@
  \\
-However, there are still differences between versions. For example, clients and servers may be configured on different versions. Encryption algorithms may be negotiated differently among versions. FreshTomato 2024.3 includes OpenVPN 2.6.12. For details, see the OpenVPN documentation/support forums: [[https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html]]
+However, there are still differences between versions. For example, clients and servers may be configured on different versions. Encryption algorithms may be negotiated differently among versions. FreshTomato 2024.3 includes OpenVPN 2.6.12. For details, see the OpenVPN documentation/support forums: [[https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html]]
  \\
@@ Line 236: / Line 236: @@
   * Encrypt Channel - (tls-crypt) [Direction] is set to 3. \\ Will use //HMAC-send/HMAC-receive and cipher-encrypt //keys.
-  * Encrypt Channel v2 - (tls-crypt-v2[Direction] is set to 4. \\ Will use //HMAC-send/HMAC-receive//, and //cipher-encrypt/cipher-receive//.
+  * Encrypt Channel v2 - (tls-crypt-v2[Direction] is set to 4. \\ Uses //HMAC-send/HMAC-receive//, and //cipher-encrypt/cipher-receive//.
  \\
@@ Line 351: / Line 351: @@
   * AES-128-GCM
   * AES-256-GCM
-  * AES-128-CB
+  * AES-128-CBC
   * AES-256-CBC
@@ Line 448: / Line 448: @@
 Here, you can specify a custom configuration for the OpenVPN server to use.
-For details about valid custom parameters, please see: \\  [[https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html]] \\ .
+For details about valid custom parameters, please see: \\  [[https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html]] \\ .
@@ Line 470: / Line 470: @@
   * A separate certificate (public key) and private key for the server \\ and for each client
-  * A master Certificate Authority (CA) certificate and key used to sign \\ each of the server and client certificates
+  * A master CA certificate and key used to sign each of the server \\ and client certificates
  \\
@@ Line 489: / Line 489: @@
  \\
-  * The server only needs its own certificate/key. It doesn’t need to know \\ the certificate of every client that might connect to it. \\
+  * The server only needs its own certificate/key. It doesn’t need to know \\ the certificate of every client that might connect to it. \\  \\
   * The server will only accept clients whose certificates were signed \\ by the master CA certificate (which we'll generate below). \\ \\ Because the server can verify this signature without needing access \\ to the CA private key itself, you can store the CA key on another machine. \\ It can even be stored on a device not connected to the network. \\ This is crucial, since it's the most sensitive key in the entire PKI. \\ \\
   * If a private key is compromised, it can be disabled by adding its certificate \\ to a CRL (Certificate Revocation List). This allows compromised certificates \\ to be selectively rejected without requiring the entire PKI be rebuilt. \\ \\
@@ Line 601: / Line 601: @@
 ==== Routing Notes ====
-To access particular network resources from other IP addresses through the VPN, you must add network routes. A route tells your system where to send network traffic to access certain resources. An OS can handle multiple routes via multiple gateways at the same time. For example, say you have a server on 192.168.1.10 behind your VPN server. You want to access this server through the VPN. You need to tell OpenVPN to configure a route for either a specific host or a network range to go through the tunnel.
+You must add network routes to access specific resources from other IP addresses via the VPN.  A route tells your system where to send network traffic to access certain resources. An OS can handle multiple routes via multiple gateways at the same time.
  \\
-To configure this, you need to add a line in the server configuration and restart OpenVPN server and OpenVPN client.
+For example, let's say:
+  * A server exists on 192.168.1.10 behind your VPN server.
+  * You want to access this server through the VPN.
+ \\
+You need to configure OpenVPN to route specific hosts or networks through the tunnel.
+To do this, you must add a line similar to this in the server configuration:
  \\
@@ Line 612: / Line 621: @@
    push "route 192.168.1.0 255.255.255.0"
 </code>
+ \\
+You must then restart both the OpenVPN server and the client.\\  \\
- \\
+This will cause the server to tell any client that connects to route all traffic for IP addresses in scope 192.168.1.XXX through the VPN.
-Now, when the client connects, the server tells it that it should route all traffic for IP addresses in the 192.168.1.XXX scope through the VPN.
+This example describes a basic setup. The setup is almost complete. The only thing left is to add the appropriate routes, as with normal routing.
-This is an example of a basic setup. When we now start on the routing part, the setup is mostly complete. At this point, all you need to add are the appropriate routes, just as you would for normal TCP/IP routing.
+You also must ensure return routes. Just because a VPN client can access a host behind the VPN server, doesn't mean the host behind the server will send the response via the same route. Hosts behind the VPN server must know which gateway to use for VPN traffic. Usually, this is done by adding a route on the existing default gateway. Then, if you run OpenVPN on an existing gateway, you have the return route already implicitly configured.
-Remember, you also need to consider return routes. Just because a VPN client can access a host behind the VPN server, doesn't mean the host behind the server can/will send the response via the same route. You must ensure the hosts behind your VPN server also know which gateway to use for the VPN. Usually, this is done by adding a route on your existing default gateway. Then, if you run OpenVPN on an existing gateway, you have the return route already (implicitly) configured.
+For a more detailed example, see the%% %%Using routing%% %%section in the Bridging and routing wiki page.
-For a more detailed example of using routing, see the%% %%Using routing%% %%section in the 'Bridging and routing' wiki page.
+==== Routing all Traffic through the VPN ====
-==== Routing all Traffic over the VPN ====
 You can route all network traffic over the VPN. The configuration for this is fairly simple. However, you'll need to learn how to configure NAT on your VPN server for the virtual TUN adapter.
@@ Line 657: / Line 666: @@
 ==== About IPv6 ====
-OpenVPN v2.3 and later support IPv6. Setting up IPv6 in a VPN is similar to the IPv4 examples above. To configure IPv6, please use the //–server-ipv6// and //–route-ipv6//  options.
+OpenVPN v2.3 and later support IPv6. Configuring IPv6 for a VPN is similar to the above IPv4 examples. To configure IPv6, you must use the \\ //–server-ipv6// and //–route-ipv6//  options.
  \\
@@ Line 673: / Line 682: @@
  \\
-You can use the //–route-ipv6// option in two ways. You can push it from the server, or use it directly in the client configuration. The same is true for the //–route// option. The syntax is similar:
+You can use the //–route-ipv6// option two ways. You can push it from the server, or use it directly in client settings. The same is true for the //–route// option.
+ \\
+The syntax is similar:
  \\

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools