vpn-server

Differences

This shows you the differences between two versions of the page.

vpn-server [2024/11/05 21:51] – [A Warning about Certificates] -Condense hogwild
vpn-server [2024/11/24 10:52] (current) – CB -> CBC petervdm
Line 13: Line 13:
  \\  \\
  
-However, there are still differences between versions. For example, clients and servers may be configured on different versions. Encryption algorithms may be negotiated differently among versions. FreshTomato 2024.3 includes OpenVPN 2.6.12. For details, see the OpenVPN documentation/support forums: [[https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html]]+However, there are still differences between versions. For example, clients and servers may be configured on different versions. Encryption algorithms may be negotiated differently among versions. FreshTomato 2024.3 includes OpenVPN 2.6.12. For details, see the OpenVPN documentation/support forums: [[https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html]]
  
  \\  \\
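Review bot: the link now points at the 2.6 man page, which matches the 2.6.12 build named in the same sentence, but the lead-in still says "OpenVPN documentation/support forums" while the target is only the reference manual; suggest "see the OpenVPN 2.6 reference manual:". The Line 448 hunk below updates the same URL, so the two references stay consistent with each other.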
Line 236: Line 236:
   * Encrypt Channel - (tls-crypt) [Direction] is set to 3. \\ Will use //HMAC-send/HMAC-receive and cipher-encrypt //keys.   * Encrypt Channel - (tls-crypt) [Direction] is set to 3. \\ Will use //HMAC-send/HMAC-receive and cipher-encrypt //keys.
  
-  * Encrypt Channel v2 - (tls-crypt-v2[Direction] is set to 4. \\ Will use //HMAC-send/HMAC-receive//, and //cipher-encrypt/cipher-receive//.+  * Encrypt Channel v2 - (tls-crypt-v2[Direction] is set to 4. \\ Uses //HMAC-send/HMAC-receive//, and //cipher-encrypt/cipher-receive//.
  
  \\  \\
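Review bot: the opening parenthesis in "(tls-crypt-v2[Direction]" is never closed on either side of this hunk; it should read "(tls-crypt-v2) [Direction]" like the tls-crypt bullet above it. The key names are also inconsistent between the two bullets: the first says "cipher-encrypt", the second "cipher-encrypt/cipher-receive". The receive-side cipher key is conventionally called "cipher-decrypt", mirroring "encrypt", with send/receive reserved for the two HMAC keys; please check which labels the GUI actually shows and make both bullets use the same scheme.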
Line 351: Line 351:
   * AES-128-GCM   * AES-128-GCM
   * AES-256-GCM   * AES-256-GCM
-  * AES-128-CB+  * AES-128-CBC
   * AES-256-CBC   * AES-256-CBC
  
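Review bot: "AES-128-CB" to "AES-128-CBC" is the right fix; cipher names in this list are matched literally when selected, so the truncated name could never have negotiated. While touching the list, a one-line note that the two GCM entries are AEAD modes and should be preferred over the CBC entries whenever the peer supports them would help readers choose, since the list as shown gives no ordering or preference hint.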
Line 448: Line 448:
 Here, you can specify a custom configuration for the OpenVPN server to use. Here, you can specify a custom configuration for the OpenVPN server to use.
  
-For details about valid custom parameters, please see: \\  [[https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html]] \\ .+For details about valid custom parameters, please see: \\  [[https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html]] \\ .
  
  
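Review bot: the URL update is consistent with the Line 13 hunk, but the trailing " \\ ." leaves the sentence's full stop alone on its own line after the forced break; drop the "\\" or move the period in front of it.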
Line 459: Line 459:
 For a TLS handshake, both "server" and "client" must have their respective certificates. Also, you must generate Diffie-Hellman parameters for the "server". This will finally lead to the creation of a shared secret number. You will generate your own certificates. For a TLS handshake, both "server" and "client" must have their respective certificates. Also, you must generate Diffie-Hellman parameters for the "server". This will finally lead to the creation of a shared secret number. You will generate your own certificates.
  
-Every certificate is issued by a Certificate Authority, ("CA"), so you must create one. The tools to create a CA, certificates, and Diffie-Hellman parameters are included in FreshTomato OpenVPN.+Every certificate is issued by a Certificate Authority, ("CA"), so you must create one. You can create a CA, certificates, and Diffie-Hellman parameters in FreshTomato.
  
  \\  \\
  
-The first step to building an OpenVPN 2.x setup is to create a Public Key Infrastructure ("PKI").+The first step to building an OpenVPN 2.x setup is to create a Public Key Infrastructure.
  
 A PKI consists of: A PKI consists of:
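Review bot: dropping the parenthetical "("PKI")" from the first-step sentence leaves the abbreviation undefined, yet the very next line says "A PKI consists of:"; keep the parenthetical. Separately, "you must generate Diffie-Hellman parameters" is stronger than the bundled version warrants: OpenVPN 2.4 and later accept "dh none" and use ECDH for key exchange, so for the 2.6.12 build named in the Line 13 hunk a DH parameter file is optional rather than required. "This will finally lead to the creation of a shared secret number" would also read better as "the handshake then derives a shared secret".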
Line 470: Line 470:
  
   * A separate certificate (public key) and private key for the server \\ and for each client   * A separate certificate (public key) and private key for the server \\ and for each client
-  * A master Certificate Authority (CAcertificate and key used to sign \\ each of the server and client certificates+  * A master CA certificate and key used to sign each of the server \\ and client certificates
  
  \\  \\
  
-OpenVPN supports bidirectional, certificate-based authentication. Client and server must authenticate each other's certificates before they establish mutual trust.+OpenVPN uses bidirectional, certificate-based authentication. Client/server must authenticate the other's certificates before they establish mutual trust.
  
 Both server and client authenticate each other: Both server and client authenticate each other:
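Review bot: changing "supports" to "uses" overstates the case: certificate-based mutual authentication is what this page configures, but OpenVPN also runs with static keys or username/password, so "supports" was the accurate verb. "Client/server must authenticate the other's certificates" is awkward and restates the unchanged line that follows ("Both server and client authenticate each other"); suggest keeping only one of the two sentences. The "master CA certificate" wording in the list item is fine.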
Line 489: Line 489:
  \\  \\
  
-  * The server only needs its own certificate/key. It doesn’t need to know \\ the certificate of every client that might connect to it. \\ +  * The server only needs its own certificate/key. It doesn’t need to know \\ the certificate of every client that might connect to it. \\  \\ 
   * The server will only accept clients whose certificates were signed \\ by the master CA certificate (which we'll generate below). \\ \\ Because the server can verify this signature without needing access \\ to the CA private key itself, you can store the CA key on another machine. \\ It can even be stored on a device not connected to the network. \\ This is crucial, since it's the most sensitive key in the entire PKI. \\ \\    * The server will only accept clients whose certificates were signed \\ by the master CA certificate (which we'll generate below). \\ \\ Because the server can verify this signature without needing access \\ to the CA private key itself, you can store the CA key on another machine. \\ It can even be stored on a device not connected to the network. \\ This is crucial, since it's the most sensitive key in the entire PKI. \\ \\ 
   * If a private key is compromised, it can be disabled by adding its certificate \\ to a CRL (Certificate Revocation List). This allows compromised certificates \\ to be selectively rejected without requiring the entire PKI be rebuilt. \\ \\    * If a private key is compromised, it can be disabled by adding its certificate \\ to a CRL (Certificate Revocation List). This allows compromised certificates \\ to be selectively rejected without requiring the entire PKI be rebuilt. \\ \\ 
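Review bot: this hunk only adds a second forced line break, but the bullet it touches, "The server only needs its own certificate/key", is contradicted by the very next bullet, which has the server verify client certificates against the master CA certificate; the server needs its own certificate and key plus the CA certificate (not the CA private key, as the next bullet correctly says). Suggest "The server only needs its own certificate/key and the CA certificate".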
Line 550: Line 550:
 ==== A Warning about Certificates ==== ==== A Warning about Certificates ====
  
-A common mistake when setting up a new Certificate Authority is to place all CA files on the OpenVPN server.%% **Avoid doing this**. %%A CA requires a private key to sign the certificates that clients and servers use. If you lose control of the CA private key, you can no longer trust certificates from that CA. At that point, anyone with access to the CA private key can sign new certificates without your knowledge. Clients using those certificates can then connect to your OpenVPN server without modifying anything on the VPN Server. Whenever possible, place your CA files on an //offline// storage medium, only to be activated when you need to get a new certificate for a client or server.+A common mistake when setting up a new Certificate Authority is to place all CA files on the OpenVPN server.%% **Avoid this**. %%A CA needs a private key to sign the certificates clients and servers use. If you lose control of the CA private key, you can no longer trust certificates from that CA. At that point, anyone with access to the key can sign new certificates without your knowledge. Clients using those certificates can then connect to your OpenVPN server without changing anything on the VPN Server. Whenever possible, place your CA files on an //offline// storage medium, only to be activated when you need to get a new certificate for a client or server.
  
-There are just 3 files you need to copy from a CA to achieve this:+There are 3 files you need to copy from a CA to achieve this:
  
  \\  \\
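Review bot: "only to be activated" is an odd verb for an offline storage medium; "brought online only when you need to sign a new certificate" says what is meant. The paragraph presents signing as the only reason to take the CA key out, but generating the CRL in the "Adding Certificate Revocation Lists" hunk below also needs that key, so revocation is a second occasion and deserves a clause here. The "There are 3 files" sentence introduces a list that lies outside this hunk, so its content cannot be checked from here.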
Line 573: Line 573:
  
  
-==== Adding Certificate Revocation Lists ====+==== Adding Certificate Revocation Lists (CRLs) ====
  
-Within the CA, you can revoke certificates when needed. Using your preferred CA management tool, you can generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this revocation list. Clients which have their certificates listed in the CRL won't be able to connect. This common method lets you deny access to a VPN on a per-user level.+Within the CA, you can revoke certificates when needed. Using your preferred CA management tool, you can generate a Certificate Revocation List (CRL file). Adding this to the OpenVPN server should cause all client certificates to be checked against this list. Clients whose certificates are listed in the CRL won't be allowed to connect. This common method lets you deny access to a VPN on a per-user level.
  
  \\  \\
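Review bot: "should cause all client certificates to be checked" hedges where the behaviour is deterministic: the CRL is only consulted if the server configuration loads it, via the crl-verify directive pointing at the CRL file, so name the directive to make "adding this to the OpenVPN server" concrete. A caveat practitioners will want: the CRL carries its own nextUpdate date, and once that has passed, certificate verification fails for every client, not only the revoked ones, so the CRL has to be regenerated and reinstalled before it expires.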
Line 592: Line 592:
  
  
-==== OpenVPN Server Won't Start When EasyRSA3 used ====+==== OpenVPN Server Won't Start When EasyRSA3 is used ====
  
-In some cases when you've generated server certificate/keys using EasyRSA 3, the server may not start. This can be happen when the server certificate requires a password but there was no way to provide it. In such cases, you should regenerate the certificate/key using the the EasyRSA "nopass" option. Doing this should allow the OpenVPN Server to start properly.+In some caseswhen you've generated server certificate/keys using EasyRSA 3, the server may not start. This can be happen when the server certificate requires a password but there was no way to provide it. In such cases, regenerate the certificate/key using the the EasyRSA "nopass" option. This should allow OpenVPN Server to start properly.
  
  \\  \\
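Review bot: the rewrite leaves two pre-existing typos in place, "This can be happen" and "using the the EasyRSA", and the new text reads "In some caseswhen", which has lost its comma. More important, "the server certificate requires a password" misplaces the passphrase: it is the private key that EasyRSA encrypts by default, and "nopass" skips that encryption; the certificate itself has no passphrase. Suggest "when the server's private key is passphrase-protected and there is no way to supply the passphrase at start-up".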
Line 601: Line 601:
 ==== Routing Notes ==== ==== Routing Notes ====
  
-To access particular network resources from other IP addresses through the VPN, you must add network routes. A route tells your system where to send network traffic to access certain resources. An OS can handle multiple routes via multiple gateways at the same time. For example, say you have a server on 192.168.1.10 behind your VPN server. You want to access this server through the VPN. You need to tell OpenVPN to configure a route for either a specific host or a network range to go through the tunnel.+You must add network routes to access specific resources from other IP addresses via the VPN.  A route tells your system where to send network traffic to access certain resources. An OS can handle multiple routes via multiple gateways at the same time.
  
  \\  \\
  
-To configure this, you need to add a line in the server configuration and restart OpenVPN server and OpenVPN client.+For example, let's say: 
 + 
 +  * A server exists on 192.168.1.10 behind your VPN server. 
 +  * You want to access this server through the VPN. 
 + 
 + \\ 
 + 
 +You need to configure OpenVPN to route specific hosts or networks through the tunnel. 
 + 
 +To do this, you must add a line similar to this in the server configuration:
  
  \\  \\
Line 612: Line 621:
    push "route 192.168.1.0 255.255.255.0"    push "route 192.168.1.0 255.255.255.0"
 </code> </code>
 + \\ 
 +You must then restart both the OpenVPN server and the client.\\  \\
  
- \\+This will cause the server to tell any client that connects to route all traffic for IP addresses in scope 192.168.1.XXX through the VPN.
  
-Now, when the client connects, the server tells it that it should route all traffic for IP addresses in the 192.168.1.XXX scope through the VPN.+This example describes a basic setupThe setup is almost completeThe only thing left is to add the appropriate routes, as with normal routing.
  
-This is an example of a basic setupWhen we now start on the routing part, the setup is mostly completeAt this pointall you need to add are the appropriate routesjust as you would for normal TCP/IP routing.+You also must ensure return routesJust because a VPN client can access a host behind the VPN serverdoesn't mean the host behind the server will send the response via the same routeHosts behind the VPN server must know which gateway to use for VPN traffic. Usually, this is done by adding a route on the existing default gateway. Thenif you run OpenVPN on an existing gateway, you have the return route already implicitly configured.
  
-Remember, you also need to consider return routes. Just because VPN client can access a host behind the VPN serverdoesn't mean the host behind the server can/will send the response via the same route. You must ensure the hosts behind your VPN server also know which gateway to use for the VPN. Usually, this is done by adding a route on your existing default gateway. Then, if you run OpenVPN on an existing gateway, you have the return route already (implicitly) configured.+For more detailed examplesee the%% ​%%Using routing%% %%section in the Bridging and routing wiki page.
  
-For a more detailed example of using routing, see the%% ​%%Using routing%% %%section in the 'Bridging and routing' wiki page. 
  
- +==== Routing all Traffic through the VPN ====
-==== Routing all Traffic over the VPN ====+
  
 You can route all network traffic over the VPN. The configuration for this is fairly simple. However, you'll need to learn how to configure NAT on your VPN server for the virtual TUN adapter. You can route all network traffic over the VPN. The configuration for this is fairly simple. However, you'll need to learn how to configure NAT on your VPN server for the virtual TUN adapter.
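Review bot: the new sentences "This example describes a basic setupThe setup is almost completeThe only thing left" and "For more detailed examplesee" have lost their periods and spaces; if that is not just the diff rendering, restore them. On the example itself, push "route 192.168.1.0 255.255.255.0" tells every client to send the whole 192.168.1.0/24 range through the tunnel; because 192.168.1.0/24 is also a very common home LAN range, the text should warn that the pushed network must not overlap the client's own local network, otherwise the client's local traffic, or its path to the VPN server, breaks. "You must then restart both the OpenVPN server and the client" is slightly more than needed: pushed options are delivered at connect time, so after the server restart a client only has to reconnect. Also "IP addresses in scope 192.168.1.XXX" is clearer as "addresses in 192.168.1.0/24".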
Line 657: Line 666:
 ==== About IPv6 ==== ==== About IPv6 ====
  
-OpenVPN v2.3 and later support IPv6. Setting up IPv6 in a VPN is similar to the IPv4 examples above. To configure IPv6, please use the //–server-ipv6// and //–route-ipv6//  options.+OpenVPN v2.3 and later support IPv6. Configuring IPv6 for a VPN is similar to the above IPv4 examples. To configure IPv6, you must use the \\ //–server-ipv6// and //–route-ipv6//  options.
  
  \\  \\
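Review bot: the option names render as "–server-ipv6" and "–route-ipv6" with a single en dash on both sides of this hunk; DokuWiki converts "--" typographically, so wrap the names in %%...%% or a code span to keep the literal double hyphen that OpenVPN expects. The inserted "\\" splits the sentence mid-clause for no visible reason and can be dropped.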
Line 673: Line 682:
  \\  \\
  
-You can use the //–route-ipv6// option in two ways. You can push it from the server, or use it directly in the client configuration. The same is true for the //–route// option. The syntax is similar:+You can use the //–route-ipv6// option two ways. You can push it from the server, or use it directly in client settings. The same is true for the //–route// option. 
 + 
 + \\ 
 + 
 +The syntax is similar:
  
  \\  \\
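Review bot: same en-dash problem as the Line 657 hunk for "–route-ipv6" and "–route"; the literal "--" needs protecting from the wiki's typography conversion. "use it directly in client settings" replaced "client configuration"; since these are directives in the client configuration file, the original term was the precise one. Splitting "The syntax is similar:" into its own paragraph is fine, as it leads straight into the example that follows.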
vpn-server.1730843486.txt.gz · Last modified: 2024/11/05 21:51 by hogwild