User Tools
vpn-server
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| vpn-server [2023/09/12 19:47] – [Auth digest] hogwild | vpn-server [2024/04/11 00:50] (current) – [Adding Certificate Revocation Lists] -formatting hogwild | ||
|---|---|---|---|
| Line 136: | Line 136: | ||
| - | ==== TLS Control | + | ==== TLS Control |
| (tls-auth/ | (tls-auth/ | ||
| Line 232: | Line 232: | ||
| (Ref. OpenVPN " | (Ref. OpenVPN " | ||
| + | |||
| + | \\ | ||
| Line 251: | Line 253: | ||
| - | ==== TLS renegotiation time ==== | + | ==== TLS Renegotiation Time ==== |
| This specifies how many seconds (//n//) will pass before OpenVPN renegotiates the data channel key (Default=3600). When using dual-factor authentication, | This specifies how many seconds (//n//) will pass before OpenVPN renegotiates the data channel key (Default=3600). When using dual-factor authentication, | ||
| This option can be used on both client and server. Whichever host uses the lower value will trigger the renegotiation. It's a common mistake to set this parameter to a higher value on either the client or server, while the other end is still using the default value. In this case, renegotiation will still occur once every 3600 seconds. The solution is to increase// –reneg-sec// | This option can be used on both client and server. Whichever host uses the lower value will trigger the renegotiation. It's a common mistake to set this parameter to a higher value on either the client or server, while the other end is still using the default value. In this case, renegotiation will still occur once every 3600 seconds. The solution is to increase// –reneg-sec// | ||
| + | |||
| ==== Manage Client-Specific Options ==== | ==== Manage Client-Specific Options ==== | ||
| Line 383: | Line 386: | ||
| - | ==== A warning | + | ==== A Warning |
| A common mistake when setting up a new Certificate Authority is to place all CA files on the OpenVPN server.%% **Avoid doing this**. %%A CA requires a private key to sign the certificates used by clients and servers. If you lose control of the CA private key, you can no longer trust certificates from that CA. Anyone with access to the CA private key can sign new certificates without your knowledge, and clients using those certificates can then connect to your OpenVPN server without modifying anything on the VPN Server. Whenever possible, place your CA files on an //offline// storage medium, only to be activated when you need to get a new certificate for a client or server. | A common mistake when setting up a new Certificate Authority is to place all CA files on the OpenVPN server.%% **Avoid doing this**. %%A CA requires a private key to sign the certificates used by clients and servers. If you lose control of the CA private key, you can no longer trust certificates from that CA. Anyone with access to the CA private key can sign new certificates without your knowledge, and clients using those certificates can then connect to your OpenVPN server without modifying anything on the VPN Server. Whenever possible, place your CA files on an //offline// storage medium, only to be activated when you need to get a new certificate for a client or server. | ||
| Line 402: | Line 405: | ||
| - | ==== Adding | + | ==== Adding |
| Within the CA, you can also revoke certificates as needed. Using your preferred CA management tool, you should be able to generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this revocation list. Clients which have their certificates listed in the CRL will not be able to connect. This is a common way to disable access to a VPN service on a per-user level. | Within the CA, you can also revoke certificates as needed. Using your preferred CA management tool, you should be able to generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this revocation list. Clients which have their certificates listed in the CRL will not be able to connect. This is a common way to disable access to a VPN service on a per-user level. | ||
| Line 417: | Line 420: | ||
| \\ | \\ | ||
| + | |||
| + | \\ | ||
| + | |||
| + | |||
| + | ==== OpenVPN Server Won't Start When EasyRSA3 used ==== | ||
| + | |||
| + | In some cases when you've generated server certificate/ | ||
| - | ==== Routing | + | ==== Routing |
| If you want to access particular network resources fromk other IP addresses through the VPN tunnel, you need to add network routes. A route tells your system where it needs to send network traffic in order to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel. | If you want to access particular network resources fromk other IP addresses through the VPN tunnel, you need to add network routes. A route tells your system where it needs to send network traffic in order to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel. | ||
| Line 444: | Line 454: | ||
| - | ==== Routing | + | ==== Routing |
| It is possible to route all network traffic over the VPN. The OpenVPN configuration for this is fairly simple. However, you'' | It is possible to route all network traffic over the VPN. The OpenVPN configuration for this is fairly simple. However, you'' | ||
vpn-server.1694544469.txt.gz · Last modified: 2023/09/12 19:47 by hogwild
Page Tools
