doc:howto:openvpn-streamlined-server-setup
This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

doc:howto:openvpn-streamlined-server-setup [2016/10/24 03:57]
JW0914 [Encryption] Added missing RFC4945 info to EKU section
doc:howto:openvpn-streamlined-server-setup [2018/01/28 23:22]
ssdnvv added option remote-cert-eku 'TLS Web Client Authentication' within server configuration
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
  
-<​WRAP ​indent>+<​WRAP ​box 78em lo>
  
 +<tabbox Purpose>
 +<color #​508CAA>​**VPN Server Purpose**</​color>​
  
-==== VPN Requirements ====+  * Provides an encrypted remote connection over WAN to router and downstream devices
  
-<WRAP 75em lo> +  * If Gateway Redirect is utilized, it provides an encrypted connection ​for local traffic
-Five things are required ​for a SSL VPN: +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption (Certificates)]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network (VPN Interface Creation)]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall Rules [VPN Traffic]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server [Config]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Clients [Config]]] +
-</​WRAP>​+
  
 +<tabbox Requirements>​
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​
 +
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\
 +
 +<tabbox Editing>
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]] ​ [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​
 +<color #​508CAA>​**Editing Configs**</​color>​
 +
 +  * Vim is the default command line text editor\\ \\
 +  * If you've never utilized Vim before, please see the Vim Tutorial
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​
 +</​tabbox>​
 </​WRAP>​ </​WRAP>​
 +
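Review bot: the Editing tab asserts `Vim is the default command line text editor`, but the Install Packages step in this same revision installs only openvpn-openssl, luci-app-openvpn and openssl-util, and a stock OpenWrt image ships BusyBox vi, not Vim. Either add the vim package to that install line or reword the tab so it does not claim Vim is present by default. The tab also tells readers to save a .vimrc fetched from a GitHub link straight into `~/.vimrc`; say that the file should be read before it is saved, since it is executable editor configuration being dropped into the router's root home directory.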
  
  
Line 29: Line 42:
  
 <WRAP centeralign 78.25em lo> <WRAP centeralign 78.25em lo>
-<​wrap ​danger>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​wrap>​+<​wrap ​warning><​color #FFFFFF>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​color>​</​wrap>​
 </​WRAP>​ </​WRAP>​
  
-<WRAP indent> 
  
 +<WRAP indent>
  
 ==== Prerequisites ==== ==== Prerequisites ====
  
 <WRAP box lo> <WRAP box lo>
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]]</​wrap>​+<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
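Review bot: the openssl.cnf button link changes the filename from `OpenSSL.cnf` to `openssl.cnf`; GitHub paths are case-sensitive, so confirm the file in the repository really is lower-case, otherwise the link stops resolving. Separately, the warning that Easy-RSA `does not create secure enough certs` still names no concrete shortcoming; one clause stating the specific key size, extension or EKU it cannot set would make the advice checkable instead of a bare assertion.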
Line 44: Line 57:
 <color #​508CAA>​**OpenVPN Prerequisites**</​color>​ <color #​508CAA>​**OpenVPN Prerequisites**</​color>​
  
-  - <color #4B4B4B>**Install Packages:**</​color>​ +  - **Install Packages:​** 
-    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn</​color>''//​\\ \\ +    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn ​openssl-util</​color>''//​\\ \\ 
-  - <color #4B4B4B>**Download openssl.cnf:​**</​color>​ +  - **Download openssl.cnf:​** 
-    - <color #646464>Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​</​color>​\\ \\ +    - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\ 
-  - <color #4B4B4B>**Navaigate to SSL directory & create required directories**</​color>​+  - **Navaigate to SSL directory & create required directories**
     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\
-  - <color #4B4B4B>**Create Serial file**</​color>​+  - **Create Serial file**
     - //''<​color #​647D00>​echo 00 > serial</​color>''//​     - //''<​color #​647D00>​echo 00 > serial</​color>''//​
-      * <color #646464>Maintains the serial for the most recent cert in order to know what serial to next assign</​color>​ +      * Maintains the serial for the most recent cert in order to know what serial to next assign 
-        * <color #646464>Serial is in hex, not dec[//​imal//​] format</​color>​\\ \\ +        * Serial is in hex, not dec[//​imal//​] format\\ \\ 
-  - <color #4B4B4B>**Create CRLnumber file**</​color>​ +  - **Create CRLnumber file** 
-    - //''<​color #​647D00>​echo 00 > crlnumber</​color>''//​ +    - //''<​color #​647D00>​echo 00 > crl/crlnumber</​color>''//​ 
-            * <color #646464>CRL should be generated, but will only be utilized once a cert is revoked</​color>​\\ \\ +            * CRL should be generated, but will only be utilized once a cert is revoked\\ \\ 
-  - <color #4B4B4B>**Create Index file**</​color>​+  - **Create Index file**
     - //''<​color #​647D00>​touch index</​color>''//​     - //''<​color #​647D00>​touch index</​color>''//​
-      * <color #646464>Maintains an index of all certs issued <​sup>​[lines ​744 759]</sup></color+      * Maintains an index of all certs issued <sup><​color #646464>​[lines ​644 689]</color></sup
-        * <color #646464>Keeps track of certs issued; extremely important if one has revoked a cert</​color>​\\ \\ +        * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\ 
-  - <color #4B4B4B>**Create Rand file**</​color>​+  - **Create Rand file**
     - //''<​color #​647D00>​touch rand</​color>''//​     - //''<​color #​647D00>​touch rand</​color>''//​
-      * <color #646464>Utilized for random characters & is queried by OpenSSL during key creation</​color>​+      * Utilized for random characters & is queried by OpenSSL during key creation
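Review bot: moving the CRL counter to `crl/crlnumber` only works if the `crlnumber` directive in /etc/ssl/openssl.cnf points at that same path, because `openssl ca -gencrl` in the CA and ICA command sections reads and increments that file; the Download openssl.cnf step should state which path the shipped config expects. The rand file description overstates what it does: an empty file created with `touch rand` contributes no randomness, it is only a seed file that OpenSSL may read and update, so it should not be presented as the source of random characters for key creation. Typo in the third step: `Navaigate`.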
  
  
Line 69: Line 82:
 <color #​508CAA>​**File & Folder Locations**</​color>​ <color #​508CAA>​**File & Folder Locations**</​color>​
  
-  - <color #4B4B4B>**Config Locations:​**</​color>​ +  - **Config Locations:​** 
-    * <color #646464>Firewall: ''<​color #​C86400>/​etc/​config/​firewall</​color>''​</​color>​ +    * Firewall: ''<​color #​C86400>/​etc/​config/​firewall</​color>''​ 
-    * <color #646464>Network: ''<​color #​C86400>/​etc/​config/​network</​color>''​</​color>​ +    * Network: ''<​color #​C86400>/​etc/​config/​network</​color>''​ 
-    * <color #646464>OpenSSL: ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​</​color>​ +    * OpenSSL: ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​ 
-    * <color #646464>OpenVPN: ''<​color #​C86400>/​etc/​config/​openvpn</​color>''​</​color>​\\ \\ +    * OpenVPN: ''<​color #​C86400>/​etc/​config/​openvpn</​color>''​\\ \\ 
-  - <color #4B4B4B>**Folder Locations:​**</​color>​ +  - **Folder Locations:​** 
-    * <color #646464>OpenVPN</​color>​ +    * OpenVPN 
-      * <color #646464>CA & ICA Certs: ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​</​color>​ +      * CA & ICA Certs: ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​ 
-        * <color #646464>CSR: ''<​color #​C86400>/​etc/​ssl/​ca/​csr/</​color>''​</​color>​ +        * CSR: ''<​color #​C86400>/​etc/​ssl/​ca/​csr/</​color>''​ 
-        * <color #646464>CRL: ''<​color #​C86400>/​etc/​ssl/​crl/</​color>''​</​color>​ +        * CRL: ''<​color #​C86400>/​etc/​ssl/​crl/</​color>''​ 
-      * <color #646464>Client Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​</​color>​ +      * Client Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​ 
-      * <color #646464>Server Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​</​color>​+      * Server Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​
  
 <tabbox Extensions>​ <tabbox Extensions>​
 <color #​508CAA>​**Certificate Extensions**</​color>​ <color #​508CAA>​**Certificate Extensions**</​color>​
  
-  - <color #4B4B4B>**.csr:**</​color>​ +  - **.csr:** 
-    * <color #646464>//​certificate request//</​color>​\\ \\ +    * //​certificate request//\\ \\ 
-  - <color #4B4B4B>**.key:**</​color>​ +  - **.key:** 
-    * <color #646464>//private key//</​color>​ +    * //private key// 
-      * <color #64646>4All key files, except for a server'​s,​ should be encrypted with a passphrase</​color>​\\ \\ +      * 4All key files, except for a server'​s,​ should be encrypted with a passphrase\\ \\ 
-  - <color #4B4B4B>**.crt:**</​color>​ +  - **.crt:** 
-    * <color #646464>//signed certificate//​</​color>​\\ \\ +    * //signed certificate//​\\ \\ 
-  - <color #4B4B4B>**.p12:**</​color>​ +  - **.p12:** 
-    * <color #646464>//PKCS12 certificate//​</​color>​ +    * //PKCS12 certificate//​ 
-      * <color #646464>Contains the //CA.crt// or concatenated //​ICA-CA.crt//,​ //​Certificate.crt//,​ and //​CertificateKey.key//​</​color>​+      * Contains the //CA.crt// or concatenated //​ICA-CA.crt//,​ //​Certificate.crt//,​ and //​CertificateKey.key//​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
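Review bot: the .key entry still reads `4All key files, except for a server's, should be encrypted with a passphrase`; the leading 4 is left over from the malformed `<color #64646>` tag on the left side (five hex digits instead of six) and should go now that the color tag is gone. For the .p12 entry, it is worth saying that the PKCS12 bundle contains the private key (`CertificateKey.key` per its own description) and therefore needs the same passphrase protection the .key rule demands, since the locations tab stores client bundles under /etc/ssl/openvpn/clients/.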
Line 107: Line 120:
 <color #​508CAA>​**Section Synopsis**</​color>​ <color #​508CAA>​**Section Synopsis**</​color>​
  
-  * <color #4B4B4B>**These tabs contain critical information one will likely find helpful while going through the steps in this wiki**</​color>​ +  * **These tabs contain critical information one will likely find helpful while going through the steps in this wiki** 
-    * <color #646464>Tabs 2 - 3 contain informational & reference links to the main man pages</​color>​ +    * Tabs 2 - 3 contain informational & reference links to the main man pages 
-    * <color #646464>Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs</​color>​+    * Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs
  
  
Line 177: Line 190:
 <color #​508CAA>​**keyUsage**</​color>​ <color #​508CAA>​**keyUsage**</​color>​
  
-  - <color #4B4B4B>**digitalSignature**</​color>​ +  - **digitalSignature** 
-    - <color #646464>Certificate may be used to apply a digital signature</​color>​ +    - Certificate may be used to apply a digital signature 
-      - <color #646464>Digital signatures are often used for entity authentication & data origin authentication with integrity</​color>​\\ \\ +      - Digital signatures are often used for entity authentication & data origin authentication with integrity\\ \\ 
-  - <color #4B4B4B>**nonRepudiation**</​color>​ +  - **nonRepudiation** 
-    - <color #646464>Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services</​color>​ +    - Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services 
-      - <color #646464>This prevents the signing entity from falsely denying some action</​color>​\\ \\ +      - This prevents the signing entity from falsely denying some action\\ \\ 
-  - <color #4B4B4B>**keyEncipherment**</​color>​ +  - **keyEncipherment** 
-    - <color #646464>Certificate may be used to encrypt a symmetric key which is then transferred to the target</​color>​ +    - Certificate may be used to encrypt a symmetric key which is then transferred to the target 
-      - <color #646464>Target decrypts key, subsequently using it to encrypt & decrypt data between the entities</​color>​\\ \\ +      - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities\\ \\ 
-  - <color #4B4B4B>**dataEncipherment**</​color>​ +  - **dataEncipherment** 
-    - <color #646464>Certificate may be used to encrypt & decrypt actual application data</​color>​\\ \\ +    - Certificate may be used to encrypt & decrypt actual application data\\ \\ 
-  - <color #4B4B4B>**keyAgreement**</​color>​ +  - **keyAgreement** 
-    - <color #646464>Certificate enables use of a key agreement protocol to establish a symmetric key with a target</​color>​ +    - Certificate enables use of a key agreement protocol to establish a symmetric key with a target 
-    - <color #646464>Symmetric key may then be used to encrypt & decrypt data sent between the entities</​color>​\\ \\ +    - Symmetric key may then be used to encrypt & decrypt data sent between the entities\\ \\ 
-  - <color #4B4B4B>**keyCertSign**</​color>​+  - **keyCertSign**
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
-      - <color #646464>Subject public key is used to verify signatures on certificates</​color>​+      - Subject public key is used to verify signatures on certificates
       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\
-  - <color #4B4B4B>**cRLSign**</​color>​+  - **cRLSign**
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
-      - <color #646464>Subject public key is to verify signatures on revocation information,​ such as a CRL</​color>​+      - Subject public key is to verify signatures on revocation information,​ such as a CRL
       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\
-  - <color #4B4B4B>**encipherOnly**</​color>​ +  - **encipherOnly** 
-    - <color #646464>KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required</​color>​ +    - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
-    - <color #646464>Public key used only for enciphering data while performing key agreement</​color>​\\ \\ +    - Public key used only for enciphering data while performing key agreement\\ \\ 
-  - <color #4B4B4B>**decipherOnly**</​color>​ +  - **decipherOnly** 
-    - <color #646464>KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required</​color>​ +    - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
-    - <color #646464>Public key used only for deciphering data while performing key agreement</​color>​+    - Public key used only for deciphering data while performing key agreement
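Review bot: the cRLSign entry drops a word: `Subject public key is to verify signatures on revocation information` should read `is used to verify`, matching the keyCertSign entry directly above it.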
  
  
Line 211: Line 224:
 <color #​508CAA>​**extendedKeyUsage**</​color>​ <color #​508CAA>​**extendedKeyUsage**</​color>​
  
-  - <color #4B4B4B>**serverAuth**</​color>​ +  - **serverAuth** 
-    - <color #646464>All VPN servers should be signed with this EKU present</​color>​ +    - All VPN servers should be signed with this EKU present 
-      - <color #646464>SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against</​color>​ +      - SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against 
-      - <color #646464>This supersedes ''<​color #​009B9B>​nscertype</​color>''​ options (''<​color #​009B9B>​ns</​color>''​ in ''<​color #​009B9B>​nscertype</​color>''​ stands for NetScape [browser])</​color>​\\ \\ +      - This supersedes ''<​color #​009B9B>​nscertype</​color>''​ options (''<​color #​009B9B>​ns</​color>''​ in ''<​color #​009B9B>​nscertype</​color>''​ stands for NetScape [browser])\\ \\ 
-  - <color #4B4B4B>**clientAuth**</​color>​ +  - **clientAuth** 
-    - <color #646464>All VPN clients //must// be signed with this EKU present</​color>​ +    - All VPN clients //must// be signed with this EKU present 
-      - <color #646464>SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only</​color>​\\ \\ +      - SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only\\ \\ 
-  - <color #4B4B4B>**codeSigning**</​color>​ +  - **codeSigning** 
-    - <color #646464>Code Signing</​color>​\\ \\ +    - Code Signing\\ \\ 
-  - <color #4B4B4B>**emailProtection**</​color>​ +  - **emailProtection** 
-    - <color #646464>Email Protection via S/MIME, allows you to send and receive encrypted emails</​color>​\\ \\ +    - Email Protection via S/MIME, allows you to send and receive encrypted emails\\ \\ 
-  - <color #4B4B4B>**timeStamping**</​color>​ +  - **timeStamping** 
-    - <color #646464>Trusted Timestamping</​color>​\\ \\ +    - Trusted Timestamping\\ \\ 
-  - <color #4B4B4B>**OCSPSigning**</​color>​ +  - **OCSPSigning** 
-    - <color #646464>OCSP Signing</​color>​\\ \\ +    - OCSP Signing\\ \\ 
-  - <color #4B4B4B>**ipsecIKE**</​color>​ +  - **ipsecIKE** 
-    - <color #646464>IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]</​color>​ +    - IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8] 
-      - <color #646464>Research needs to be performed to determine if this EKU should also no longer be utilized</​color>​ +      - Research needs to be performed to determine if this EKU should also no longer be utilized 
-      - <color #646464>''<​color #​009B9B>​clientAuth</​color>''​ can be utilized in a IPSec VPN client cert</​color>​\\ \\ +      - ''<​color #​009B9B>​clientAuth</​color>''​ can be utilized in a IPSec VPN client cert\\ \\ 
-  - <color #4B4B4B>**ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**</​color>​+  - **ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**
     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​
-      - <color #646464>Assigned in 1999, the semantics of these values were never clearly defined</​color>​ +      - Assigned in 1999, the semantics of these values were never clearly defined 
-      - <color #7D7D7D>**RFC 4945:**</​color>​ <color #646464>The use of these three EKU values is obsolete and explicitly deprecated by this specification</​color> ​<​sup><​color #7D7D7D>​[5.1.3.12]</​color></​sup>​\\ \\ +      - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <​sup><​color #646464>​[5.1.3.12]</​color></​sup>​\\ \\ 
-  - <color #4B4B4B>**msCodeInd**</​color>​ +  - **msCodeInd** 
-    - <color #646464>Microsoft Individual Code Signing (authenticode)</​color>​\\ \\ +    - Microsoft Individual Code Signing (authenticode)\\ \\ 
-  - <color #4B4B4B>**msCodeCom**</​color>​ +  - **msCodeCom** 
-    - <color #646464>Microsoft Commerical Code Signing (authenticode)</​color>​\\ \\ +    - Microsoft Commerical Code Signing (authenticode)\\ \\ 
-  - <color #4B4B4B>**mcCTLSign**</​color>​ +  - **mcCTLSign** 
-    - <color #646464>Microsoft Trust List Signing</​color>​\\ \\ +    - Microsoft Trust List Signing\\ \\ 
-  - <color #4B4B4B>**msEFS**</​color>​ +  - **msEFS** 
-    - <color #646464>Microsoft Encrypted File System Signing</​color>​\\ \\+    - Microsoft Encrypted File System Signing\\ \\
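Review bot: `mcCTLSign` is not an OpenSSL extended key usage short name; the name is `msCTLSign`, consistent with the msCodeInd, msCodeCom and msEFS entries around it. Smaller fixes in the same list: `Commerical` → `Commercial`, and `a IPSec VPN client cert` → `an IPSec VPN client cert`.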
  
  
Line 247: Line 260:
 <color #​508CAA>​**Key Exchange**</​color>​ <color #​508CAA>​**Key Exchange**</​color>​
  
-  - <color #4B4B4B>**RSA**</​color>​ +  - **RSA** 
-    - <color #646464>Key exchange occurs via encryption of a random value</​color>​ +    - Key exchange occurs via encryption of a random value 
-      - <color #646464>Client chooses a random value via the server public key</​color>​ +      - Client chooses a random value via the server public key 
-      - <color #646464>Server public key must be an RSA key</​color>​ +      - Server public key must be an RSA key 
-      - <color #646464>Server certificate must utilize KU ''<​color #​009B9B>​keyAgreement</​color>''​</​color>​\\ \\ +      - Server certificate must utilize KU ''<​color #​009B9B>​keyAgreement</​color>''​\\ \\ 
-  - <color #4B4B4B>**DH_RSA**</​color>​ +  - **DH_RSA** 
-    - <color #646464>Key exchange occurs via a static Diffie-Hellman key</​color>​ +    - Key exchange occurs via a static Diffie-Hellman key 
-      - <color #646464>Server public key must be a Diffie-Hellman key</​color>​ +      - Server public key must be a Diffie-Hellman key 
-      - <color #646464>Diffie-Hellman key must have been issued by a CA</​color>​ +      - Diffie-Hellman key must have been issued by a CA 
-      - <color #646464>CA must be using an RSA key signing key</​color>​\\ \\ +      - CA must be using an RSA key signing key\\ \\ 
-  - <color #4B4B4B>**DH_DSA**</​color>​ +  - **DH_DSA** 
-    - <color #646464>Like ''<​color #​009B9B>​DH_RSA</​color>'',​ except CA used a DSA key in lieu of RSA</​color>​\\ \\ +    - Like ''<​color #​009B9B>​DH_RSA</​color>'',​ except CA used a DSA key in lieu of RSA\\ \\ 
-  - <color #4B4B4B>**DHE_RSA**</​color>​ +  - **DHE_RSA** 
-    - <color #646464>Key exchange occurs via an ephemeral Diffie-Hellman</​color>​ +    - Key exchange occurs via an ephemeral Diffie-Hellman 
-      - <color #646464>Server dynamically generates & signs a DH public key, sending it to the client</​color>​ +      - Server dynamically generates & signs a DH public key, sending it to the client 
-      - <color #646464>Server Public Key must be an RSA key</​color>​ +      - Server Public Key must be an RSA key 
-      - <color #646464>Server certificate must utilize KU ''<​color #​009B9B>​digitalSignature</​color>''​</​color>​\\ \\ +      - Server certificate must utilize KU ''<​color #​009B9B>​digitalSignature</​color>''​\\ \\ 
-  - <color #4B4B4B>**DHE_DSA**</​color>​ +  - **DHE_DSA** 
-    - <color #646464>Like ''<​color #​009B9B>​DHE_RSA</​color>'',​ except CA used a DSA key in lieu of RSA</​color>​+    - Like ''<​color #​009B9B>​DHE_RSA</​color>'',​ except CA used a DSA key in lieu of RSA
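Review bot: the RSA entry says the server certificate must carry KU `keyAgreement`, but RSA key exchange is exactly the case the keyUsage tab describes under keyEncipherment (`Certificate may be used to encrypt a symmetric key which is then transferred to the target`), so the required KU here is `keyEncipherment`; keyAgreement belongs with the static DH_RSA/DH_DSA entries. The first sub-point is also garbled: the client does not choose a value `via the server public key`, it encrypts its random value with the server public key. Finally, DHE_DSA differs from DHE_RSA in the server's own signing key being DSA, not in the CA's key; the CA's signature algorithm is what distinguishes the static DH_DSA case, not the ephemeral one.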
  
  
Line 271: Line 284:
 <color #​508CAA>​**Elliptic-Curve Key Exchange**</​color>​ <color #​508CAA>​**Elliptic-Curve Key Exchange**</​color>​
  
-  - <color #4B4B4B>**ECDH_ECDSA**</​color>​ +  - **ECDH_ECDSA** 
-    - <color #646464>Like DH_DSA, but with elliptic curves</​color>​ +    - Like ''​<color #009B9B>DH_DSA</​color>''​, but with elliptic curves 
-      - <color #646464>Server public key must be an ECDH key</​color>​ +      - Server public key must be an ECDH key 
-      - <color #646464>Server certificate must be issued by a CA utilizing an ECDSA public key</​color>​\\ \\ +      - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\ 
-  - <color #4B4B4B>**ECDH_RSA**</​color>​ +  - **ECDH_RSA** 
-    - <color #646464>Like ''<​color #​009B9B>​ECDH_ECDSA</​color>'',​ except CA used an RSA key</​color>​\\ \\ +    - Like ''<​color #​009B9B>​ECDH_ECDSA</​color>'',​ except CA used an RSA key\\ \\ 
-  - <color #4B4B4B>**ECDHE_ECDSA**</​color>​ +  - **ECDHE_ECDSA** 
-    - <color #646464>Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key</​color>​ +    - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key 
-      - <color #646464>Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature</​color>​\\ \\ +      - Equivalent to ''​<color #009B9B>DHE_DSS</​color>''​, but with elliptic curves for both the Diffie-Hellman & signature\\ \\ 
-  - <color #4B4B4B>**ECDHE_RSA**</​color>​ +  - **ECDHE_RSA** 
-    - <color #646464>Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key</​color>​ +    - Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key 
-      - <color #646464>Server public key signs the ephemeral EC Diffie-Hellman key</​color>​+      - Server public key signs the ephemeral EC Diffie-Hellman key
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
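Review bot: ECDHE_ECDSA is described as `Equivalent to DHE_DSS`, but the Key Exchange tab names that entry DHE_DSA; pick one spelling so the cross-reference resolves (the TLS cipher-suite names use DSS, e.g. DHE_DSS alongside ECDH_ECDSA). Also `signing it via it's ECDSA key` → `its ECDSA key`.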
Line 291: Line 304:
 === CA Creation === === CA Creation ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 297: Line 310:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
-  - <color #646464>**Certificate Authorities** <​sup>​[Line ​228]</sup></​color+  - **Certificate Authorities** <​sup>​[Line ​177]</​sup>​ 
-    - <color #​4B4B4B4>​//Main//</​color>​ +    - //Main// 
-      - <color #646464>**Line ​234:**</​color> ​''<​color #​647D00>​DNS.1 = Router.1</​color>''​ +      - **Line ​183:** ''<​color #​647D00>​DNS.1 = //Router.1//</​color>''​ 
-        * <color #646464>//Change//</​color> ​''<​color #506400>//Router.1//</​color>'' ​<color #646464>//to what you'd like the name of your Certificate Authority to be//</​color>​\\ \\ +        * //Change// ''<​color #007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\ 
-  - <color #646464>**Certificate Authority Clients** <​sup>​[Line ​253]</sup></color+  - **Certificate Authority Clients** <sup><​color #646464>​[Line ​205]</color></sup
-    - <color #​4B4B4B4>​//Servers//</​color>​ +    - //​Servers//​ 
-      * <color #646464>**Lines:​** ​259 281</​color>​ +      * **Lines:​** ​198 220 
-    - <color #​4B4B4B4>​//Clients//</​color>​ +    - //​Clients//​ 
-      * <color #646464>**Lines:​** ​283 287</​color>​\\ \\ +      * **Lines:​** ​222 226\\ \\
-  - <color #​646464>​**Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ca_main</​color>''​ **to** ''<​color #​647D00>​alt_ca_openwrt</​color>''</​color>​ <​sup><​color #​646464>​[lines 233, 353, & 357]</​color></​sup>​ +
-    - <color #​646464>​**Line 233:** ''<​color #​647D00>​[ alt_ca_openwrt ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 353:** ''<​color #​647D00>​[ v3_ca_openwrt ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 357:** ''<​color #​647D00>​subjectAltName = @alt_ca_openwrt</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
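Review bot: the new line references are inconsistent: the Certificate Authority Clients heading points at `[Line 205]` while its Servers block is given as `Lines: 198 220`, which starts before the heading's own line; one of the two numbers is wrong. With the step that renamed the SAN and V3 profile sections removed, the heading `Modify the following SubjectAltNames & V3 Profiles` now covers only the DNS.1 SubjectAltName, so drop `& V3 Profiles` or restore a V3 step.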
  
Line 319: Line 328:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_openwrt</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​
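Review bot: `-extensions v3_ca` must name a section that actually exists in the linked openssl.cnf now that the step renaming the profile to `v3_ca_openwrt` has been removed; `openssl req` aborts with an error loading the extension section if it does not, so the prerequisite is worth stating next to the command. The passphrase advice protects the key at rest, but the command also leaves ca/OpenWrt-CA.key.pem at whatever mode the umask gives it; add a `chmod 600` (or run the step under `umask 077`) for the CA and ICA keys, as they are the trust root for every client certificate the wiki issues.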
Line 330: Line 339:
 === ICA Creation === === ICA Creation ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 337: Line 345:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
-  - <color #646464>**Certificate Authorities** <​sup>​[Line ​228]</sup></color+  - **Certificate Authorities** <sup><​color #646464>​[Line ​177]</color></sup
-    - <color #4B4B4B>//Router 2//</​color>​ +    - //Router 2// 
-      - <color #646464>**Line ​239:**</​color> ​''<​color #​647D00>​DNS.1 = Router.2</​color>''​ +      - **Line ​188:** ''<​color #​647D00>​DNS.1 = //Router.2//</​color>''​ 
-        * <color #646464>//Change ''<​color #647D00>​Router.2</​color>''​ to what you'd like the name of your Intermediate CA to be//</​color>​\\ \\ +        * //Change// ''<​color #007DC8>​Router.2</​color>'' ​//to what you'd like the name of your Intermediate CA to be//\\ \\ 
-  - <color #646464>**Intermediate Certificate Authority Clients** <​sup>​[Line ​290]</sup></color+  - **Intermediate Certificate Authority Clients** <sup><​color #646464>​[Line ​229]</color></sup
-    - <color #​4B4B4B4>​//Servers//</​color>​ +    -//​Servers//​ 
-      * <color #646464>**Lines:​** ​296 312</​color>​ +      * **Lines:​** ​235 251 
-    - <color #​4B4B4B4>​//Clients//</​color>​ +    - //​Clients//​ 
-      * <color #646464>**Lines:​** ​314 322:</​color>​\\ \\ +      * **Lines:​** ​253 261:\\ \\
-  - <color #​646464>​**Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ica_router2</​color>''​ **to** ''<​color #​647D00>​alt_ica_openvpn</​color>''</​color>​ <​sup>​[lines 238, 360, & 364]</​sup>​ +
-    - <color #​646464>​**Line 238:** ''<​color #​647D00>​[ alt_ica_openvpn ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 360:** ''<​color #​647D00>​[ v3_ica_openvpn ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 364:** ''<​color #​647D00>​subjectAltName = @alt_ica_openvpn</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
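Review bot: list formatting slipped in this hunk: `-//Servers//` lacks the space after the list marker that every other item has, and `Lines: 253 261:` carries a stray trailing colon. As in the CA section, the heading still promises `SubjectAltNames & V3 Profiles` although the V3 rename step was removed and only DNS.1 is edited now.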
  
Line 359: Line 363:
 <color #​508CAA>​**ICA OpenSSL Commands**</​color>​ <color #​508CAA>​**ICA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​
   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​
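Review bot: on the CSR line, `-days 3650` has no effect because `openssl req` without `-x509` produces a request, not a certificate; the ICA's validity comes solely from `-days 3650` on the `openssl x509 -req` line, so the flag on the CSR line is misleading and should be dropped. The extensions that end up in the ICA are likewise the ones applied at signing by `-extfile ./openssl.cnf -extensions v3_ica_router2`, so that is the section name to verify against the cnf. Minor: the key file is `ca/OpenVPN-ICA.key` while the CA key is `ca/OpenWrt-CA.key.pem`; use one suffix convention for both.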
Line 371: Line 375:
 === Index File === === Index File ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
  
 <tabbox Info> <tabbox Info>
Line 377: Line 381:
 <color #​508CAA>​**Index Info**</​color>​ <color #​508CAA>​**Index Info**</​color>​
  
-  * <color #4B4B4B>**If wishing to maintain the index file automatically,​** ''​openssl ca''​ **must be used to sign certs**</​color>​ +  * **If wishing to maintain the index file automatically,​** ''​<color #647D00>openssl ca</​color>​''​ **must be used to sign certs** 
-    * <color #646464>''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity</​color>​\\ \\+    * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
  
  
Line 386: Line 390:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format**</​color>​ +**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format** 
-  * <color #646464>Entering certificate information into the index file takes ~30s per cert</​color>​ +  * Entering certificate information into the index file takes ~30s per cert 
-  * <color #646464>Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​</​color>​+  * Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​
 <code cpp> <code cpp>
-V    261231235959Z ​   0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com +V    261231235959Z ​           0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com 
-1    2-----------> ​   4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​+1    2-----------> ​   ​3-> ​    4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​
 </​WRAP>​ </​WRAP>​
-  - <color #4B4B4B>**Status of Certificate**</​color>​ +  - **Status of Certificate** 
-    - <color #646464>**''​V''​** [Valid]</​color>  ​ +    - **''​V''​** [Valid] 
-    - <color #646464>**''​R''​** [Revoked]</​color> ​ +    - **''​R''​** [Revoked] 
-    - <color #646464>**''​E''​** [Expired]</​color>​\\ \\ +    - **''​E''​** [Expired]\\ \\ 
-  - <color #4B4B4B>**Expiration Date**</​color> ​ +  - **Expiration Date** 
-    - <color #646464>Format: **''​YYMMDDHHMMSS''​** followed by **''​Z''​**</​color>​ +    - Format: **''​YYMMDDHHMMSS''​** followed by **''​Z''​** 
-      * <color #646464>//​2026.12.31 @ 23:59:59//</​color>​\\ \\ +      * //​2026.12.31 @ 23:​59:​59//​\\ \\ 
-  - <color #4B4B4B>**Revocation Date**</​color> ​ +  - **Revocation Date** 
-    - <color #646464>Format: **''​YYMMDDHHMMSSZ,​reason''​**</​color>​ +    - Format: **''​YYMMDDHHMMSSZ,​reason''​** 
-      - <color #4B4B4B>Valid reasons are:</​color>​+      - Valid reasons are:
         - ''<​color #​009B9B>​keyCompromise</​color>''​         - ''<​color #​009B9B>​keyCompromise</​color>''​
         - ''<​color #​009B9B>​CACompromise</​color>''​         - ''<​color #​009B9B>​CACompromise</​color>''​
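Review bot: the index file example in this hunk needs to state that the six fields are TAB-separated: `openssl ca` parses its database as tab-delimited, so the runs of spaces the rendered example shows (`V    261231235959Z ...`) will not parse if copied literally. The empty third field (revocation date) is therefore a lone tab, which is the real reason a placeholder for column 3 is required. Two smaller points: OpenSSL writes the DN attribute as `emailAddress`, not `emailaddress`, and the block is fenced as `<code cpp>` although it is plain text; a bare `<code>` avoids misleading highlighting.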
Line 411: Line 415:
         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​
         - ''<​color #​009B9B>​AACompromise</​color>''​         - ''<​color #​009B9B>​AACompromise</​color>''​
-    - <color #646464>Empty if not revoked</​color>​\\ \\ +    - Empty if not revoked 
-  - <color #4B4B4B>**Serial number** <​sup>​(//​hex//​ format)</​sup></color+      * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\ 
-    - <color #646464>**''​0a''​** is hex for 10</​color>​ +  - **Serial number** <sup><​color #646464>​(//​hex//​ format)</​color></sup
-      - <color #646464>**Windows:​**</​color> ​ +    - **''​0a''​** is hex for 10 
-        * <color #646464>Calculator has programmer feature which can convert dec <-> hex</​color>​ +      - **Windows:​** 
-      - <color #646464>**Linux/​BSD**</​color> ​ +        * Calculator has programmer feature which can convert dec <-> hex 
-        * <color #646464>cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​</​color> ​ +      - **Linux/​BSD** 
-        * <color #646464>cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​</​color> ​\\ \\ +        * cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​ 
-  - <color #4B4B4B>**Certificate Filename or Literal String**</​color>​ +        * cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​ \\ \\ 
-    - <color #646464>Certificate Filename or Literal String **''​unknown''​**</​color>​\\ \\ +  - **Certificate Filename or Literal String** 
-  - <color #4B4B4B>**Distinguished Name**</​color>​+    - Certificate Filename or Literal String **''​unknown''​**\\ \\ 
 +  - **Distinguished Name**
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
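Review bot: `printf '%x\n' 10` prints `a`, not `0a`, so the dec -> hex example under Serial number is wrong; use `printf '%02x\n' 10`, which zero-pads to the two-digit form OpenSSL writes to the serial file and the index. The added line "Certain distros were erroring out without a whitespace for 3" should also say that the whitespace is a tab character: the index database is tab-delimited and an empty revocation field is an empty column, not a run of spaces.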
Line 427: Line 432:
 === Server Cert === === Server Cert ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 434: Line 438:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
 <WRAP indent> <WRAP indent>
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</​color> ​<sup><​color #646464>​(Line ​290)</​color>​</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​229)</​sup>​ 
-    - <color #4B4B4B>//Change the SAN alt name ''<​color #​647D00>​alt_vpn_server2</​color>''​ to ''<​color #​647D00>​alt_openvpn_server</​color>''//</​color>​ +    - //Change the server'SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>'' ​//to match your VPN Server IP// 
-      - <color #​646464>​**Line 310:** ''<​color #​647D00>​[ alt_openvpn_server ]</​color>''</​color>​\\ \\ +      - **Line ​250:** ''<​color #​647D00>​IP.1 = //10.0.1.1//</​color>''​\\ \\ 
-    - <color #​4B4B4B>//​Change the SAN IP from ''<​color #​647D00>​10.0.1.1</​color>''​ to match your VPN Server IP//</​color>​ +    - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>'' ​//to match your own DDNS and/or FQDN// 
-      - <color #646464>**Line ​311:** ''<​color #​647D00>​IP.1 = 10.0.1.1</​color>''​</​color>​\\ \\ +      - **Line ​251:** ''<​color #​647D00>​DNS.1 = //your.ddns.com//</​color>''​ 
-    - <color #4B4B4B>//Change the SAN DNS from ''<​color #​647D00>​your.ddns.com</​color>''​ to match your own DDNS and/or FQDN//</​color>​ +        * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
-      - <color #646464>**Line ​312:** ''<​color #​647D00>​DNS.1 = your.ddns.com</​color>''​</​color>​ +
-        * <color #646464>//For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)</​color>​ +
- +
-**__V3 Profile__** +
- +
-  - <color #​4B4B4B>​**Intermediate Certificate Authority Clients**</​color>​ <​sup><​color #​646464>​(Line 473)</​color></​sup>​ +
-    - <color #​4B4B4B>//​Change the V3 profile name from ''<​color #​647D00>​[ v3_vpn_server2 ]</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 496:** ''<​color #​647D00>​[ v3_openvpn_server ]</​color>''</​color>​\\ \\ +
-    - <color #​4B4B4B>//​Change the SAN alt name from ''<​color #​647D00>​@alt_vpn_server2</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 502:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_server</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
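Review bot: the heading at the top of this hunk still reads "Modify the following SubjectAltNames & V3 Profiles", but the V3 Profile subsection (the `[ v3_vpn_server2 ]` / `subjectAltName = @alt_vpn_server2` edits) has been removed, so nothing under the heading refers to a V3 profile any more. Either retitle it "Modify the following SubjectAltNames Profile" or keep a one-line pointer stating that the `v3_vpn_server` section used by the server cert commands must already contain a `subjectAltName = @<SAN section>` line referencing the block edited here; otherwise a reader cannot tell how `IP.1` and `DNS.1` reach the certificate. Since the line references changed to 229/250/251, the `/etc/ssl/openssl.cnf` the wiki ships must be the revision those numbers refer to; a version note next to the file name would prevent confusion.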
Line 462: Line 456:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - <color #4B4B4B>**Generate VPN Server CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​ +  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​ 
-    * <color #4B4B4B>**''​-nodes''​**</​color>​ <color #4B4B4B>creates a signing key without encryption</​color>​ +    * **''​-nodes''​** creates a signing key without encryption 
-      * <color #646464>For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention</​color>​\\ \\ +      * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\ 
-  - <color #4B4B4B>**Create & Sign Cert with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​ +  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​ 
-  - <color #4B4B4B>**Export to PKCS12**</​color>​\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
-    * <color #​4B4B4B4>​ICA is still used to sign the certs it issues</​color>​ +    * ICA is still used to sign the certs it issues 
-      * <color #646464>ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust</​color>​ +      * ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust 
-        * <color #646464>//Chain of Trust hierarchy: CA -> Intermediate CA -> Client//</​color>​+        * //Chain of Trust hierarchy: CA -> Intermediate CA -> Client//
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
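Review bot: the step titled "Create & Sign Cert with CA" signs with the intermediate (`-CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key`), so call it "Sign Cert with ICA" to match the chain-of-trust bullets beneath it. The PKCS12 export bundles `ca/OpenWrt-OpenVPN_CA-Chain.crt.pem`, while the client PKCS12 step bundles `ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem`; if these are the same CA+ICA chain file they should have one name, because a chain file missing the ICA makes peers fail to verify the certificate. The `-nodes` explanation is correct, but `-days 3650` on the `openssl req` line is ignored for a CSR; the ten-year validity comes from the `-days 3650` on the `x509 -req` line.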
Line 477: Line 471:
 === Client Certs === === Client Certs ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo> 
-<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap>​+<WRAP centeralign>​<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap></​WRAP>
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
Line 485: Line 479:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
 <WRAP indent> <WRAP indent>
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</​color> ​<​sup><​color #​646464>​(Line ​290)</​color></​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​229)</​color></​sup>​ 
-    - <color #4B4B4B>//Change the SAN alt name ''<​color #​647D00>​alt_vpn2_user1''​ to ''​alt_openvpn_//<​username>//</​color>''//</​color>​ +    - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>'' ​//to match client username//​ 
-      - <color #​646464>​**Line 315:** ''<​color #​647D00>​[ alt_openvpn_//<​username>//​ ]</​color>''</​color>​\\ \\ +      - **Line ​255:** ''<​color #​647D00>​DNS.1 = //VPN-<​username>​-Hostname//</​color>''​ 
-    - <color #​4B4B4B>//​Change the SAN DNS from ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ to match client username//</​color>​ +        * //This makes configuring CCD more convenient//​\\ \\ 
-      - <color #646464>**Line ​316:** ''<​color #​647D00>​DNS.1 = VPN-//<​username>//​-Hostname</​color>''​</​color>​ +    - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>'' ​//to user's email// 
-        * <color #646464>//This makes configuring CCD more convenient//​</​color>​\\ \\ +      - **Line ​256** ''<​color #​647D00>​email.1 = //user1@email.com//</​color>''​
-    - <color #4B4B4B>//Change the SAN email from ''<​color #​647D00>​user1@email.com</​color>''​ to user's email//</​color>​ +
-      - <color #646464>**Line ​317:** ''<​color #​647D00>​email.1 = user1@email.com</color>''<​/color> +
- +
-**__V3 Profile__** +
- +
-  - <color #​4B4B4B>​**Intermediate Certificate Authority Clients**</​color> ​<​sup><​color #​646464>​(Line 473)</​color></​sup>​ +
-    - <color #​4B4B4B>//​Change the V3 profile name from ''​<color #​647D00>​[ v3_vpn2_user1 ]</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 505:** ''<​color #​647D00>​[ v3_openvpn_//<​username>//​ ]</​color>''</​color>​\\ \\ +
-    - <color #​4B4B4B>//​Change the SAN alt name from ''<​color #​647D00>​@alt_vpn2_user1</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 511:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_//<​username>//</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
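Review bot: same heading mismatch as in the server cert hunk: "Modify the following SubjectAltNames & V3 Profiles" no longer has a V3 Profile subsection beneath it, and the removed `[ v3_openvpn_<username> ]` / `subjectAltName = @alt_openvpn_<username>` edits were what told the reader how to give each user a distinct extension section. Since the client commands now all use `v3_vpn2_user1`, this prerequisites tab should say explicitly that `DNS.1` and `email.1` in the one SAN section must be re-edited before each client's CSR is generated, or the second client inherits the first client's SAN. Minor: "Line 256" is missing the colon that "Line 255:" has.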
Line 514: Line 498:
 <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​
  
-  - <color #4B4B4B>**Generate VPN Client Certs**</​color>​\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #4B4B4B>**Sign Cert with CA**</​color>​\\ <code bash>​openssl x509 req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​ +  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​ 
-  - <color #4B4B4B>**Export to PKCS12**</​color>​\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
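Review bot: the client cert is signed by the root CA (`-CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key`) while the server cert is signed by the ICA and the client PKCS12 bundles `OpenWrt-OpenVPN_ICA-Chain.crt.pem`; the page's own hierarchy is CA -> Intermediate CA -> Client, so the sign step should use `-CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key` like the server step. The root key is also named `ca/OpenWrt-CA.key` here but `ca/OpenWrt-CA.key.pem` in the ICA hunk. The PKCS12 export then reads `openvpn/clients/vpn-client1.key.pem` and `vpn-client1.crt.pem`, but the files produced two steps earlier are `vpn-client1-<username>-<hostname>.key.pem` / `.crt.pem`, so the export fails as written; use the same names throughout. Correcting `openssl x509 req` to `openssl x509 -req` is right.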
Line 524: Line 508:
 === Diffie-Hellman Key === === Diffie-Hellman Key ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
 <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​ <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​
 </​WRAP>​ </​WRAP>​
  
-<​WRAP ​53.5em lo>+<​WRAP ​51.5em lo>
  
-  - <color #4B4B4B>**Generate DH Key**</​color> ​<​sup><​color #​646464>​(executed from</​color> ​''<​color #​C86400>/​etc/​ssl/</​color>''​<color #646464>)</​color></​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​ +  - **Generate DH Key** <​sup><​color #​646464>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​color></​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​ 
-    * <color #4B4B4B>**Generating DH keys takes substantial amounts of time**</​color>​\\ \\     +    * **Generating DH keys takes substantial amounts of time**\\ \\     
-    * <color #4B4B4B>**You may wish to generate 3072bit and 4096bit DH keys as well**</​color>​ +    * **You may wish to generate 3072bit and 4096bit DH keys as well** 
-      * <color #646464>Generating multiple DH keys at once takes substantially less time due to the rand file</​color>​\\ \\ +      * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\ 
-    * <color #4B4B4B>**OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4**</​color>​ +    * **OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4** 
-      * <color #646464>For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key</​color>​ +      * For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key 
-        * <color #646464>For example, if you generate 2048bit cert keys, your dh.pem must exceed that value</​color>​+        * For example, if you generate 2048bit cert keys, your dh.pem must exceed that value
 </​WRAP>​ </​WRAP>​
  
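Review bot: the bullet "For EC, the Diffie-Hellman key must be generated with a value greater than the encryption key" and its 2048bit example are not correct: the dhparam size is independent of the RSA key size in the certificates, and an elliptic-curve (ECDHE) key exchange does not use dhparam at all; OpenVPN 2.4 accepts `dh none` when ECDH is in use. Drop the two sub-bullets under the "OpenVPN will add support for EC" item, or replace them with a note that with ECDH the DH file is not needed. The claim that generating several DH files at once is faster "due to the rand file" is also unsupported; dhparam time is dominated by the safe-prime search, not by RNG seeding.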
Line 542: Line 526:
 === TLS-Auth Key === === TLS-Auth Key ===
  
-<​WRAP ​53.5em lo>+<​WRAP ​51.5em lo>
  
-  - <color #4B4B4B>**Generate TLS-Auth key**</​color> ​<​sup><​color #646464>(executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​<color #646464>)</​color>​</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/ta.key</​code>​ +  - **Generate TLS-Auth key** <sup>(<color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/tls-auth.key</​code>​ 
-    ​* <color #​4B4B4B>​**This ensures ​PFS**</​color>​ <color #​646464>​[Perfect Forward Secrecy]</​color>​ <color #4B4B4B>**is maintained when utilizing a SSL cipher**</​color>​\\ \\ +    * This ensures **P**erfect **F**orward **S**ecrecy ​is maintained when utilizing a SSL cipher\\ \\ 
-    * <color #4B4B4B>''​tls-auth'' ​**requires a static ​pre-shared key**</​color>​ <color #​646464>​[PSK]</​color><​color #4B4B4B>**, generated in advance, and shared among all clients**</​color>​ +    * ''​tls-auth''​ requires a static ​**P**re-**S**hared **K**ey, generated in advance, and shared among all clients 
-      * <color #646464>This requires incoming packets to have a valid signature generated using the PSK key</​color>​ +      * This requires incoming packets to have a valid signature generated using the PSK key 
-        * <color #646464>If key is changed, it must be changed on all clients at the same time (no support for rollover)</​color>​\\ \\+        * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\
 </​WRAP>​ </​WRAP>​
  
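Review bot: "This ensures Perfect Forward Secrecy is maintained" is not what `tls-auth` does. It adds an HMAC over every control-channel packet using the shared `tls-auth.key`, which is exactly what the following bullet ("incoming packets to have a valid signature generated using the PSK key") describes: unsigned packets are dropped before the TLS handshake, which limits DoS and exposure of the TLS stack. Forward secrecy comes from the (EC)DH key exchange inside the TLS handshake, not from this key; reword the first bullet accordingly. Since the output file was renamed from `ta.key` to `tls-auth.key`, confirm the `tls-auth` paths in the server and client configs were renamed in the same revision.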
Line 557: Line 541:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap>​+<WRAP centeralign>​<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap></​WRAP>
  
 <tabbox Backup> <tabbox Backup>
Line 564: Line 548:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**Create a backup:**</​color>​ +**Create a backup:** 
-  - <color #4B4B4B>**Apply correct permissions:​**</​color>​\\ <code bash>+  - **Apply correct permissions:​**\\ <code bash>
 chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​ chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​
-  - <color #4B4B4B>**Utilize GnuPG to encrypt a copy of**</​color> ​''<​color #​C86400>/​etc/​ssl/</​color>''​ +  - **Utilize GnuPG to encrypt a copy of** ''<​color #​C86400>/​etc/​ssl/</​color>''​ 
-    - <color #646464>**Create separate encryption tars for:**</​color> ​+    - **Create separate encryption tars for:**
       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​
       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​
       * ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​\\ \\       * ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​\\ \\
-    - <color #646464>**After creating encrypted backups:**</​color>​ +    - **After creating encrypted backups:​** 
-      - <color #646464>Copy p12s to their respective clients</​color>​ +      - Copy p12s to their respective clients 
-      - <color #646464>Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x</​color>​\\ \\ +      - Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x\\ \\ 
-  - <color #4B4B4B>**Add directories & files to**</​color> ​''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​+  - **Add directories & files to** ''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​
     - //''<​color #​647D00>​vi /​etc/​sysupgrade.conf</​color>''//​     - //''<​color #​647D00>​vi /​etc/​sysupgrade.conf</​color>''//​
       - <color #​789600>​**//​Add://​**</​color>​       - <color #​789600>​**//​Add://​**</​color>​
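Review bot: the permissions command sets `chmod 644 /etc/ssl/crl/*.crl` but leaves `crl/OpenVPN-ICA.crl.pem` at 0600 from the preceding `chmod 600 /etc/ssl/crl/*`; a CRL is public data, and if an OpenVPN `crl-verify` directive points at the PEM copy it is re-read at each client connect after OpenVPN has dropped privileges, so the failure only appears then. Use `chmod 644 /etc/ssl/crl/*.crl*`. The step "Securely erase unencrypted client, CA, & ICA keys" should add that the ICA key is needed again for every future client cert and CRL, so the encrypted tar must be restored before the next signing, not only kept.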
Line 604: Line 588:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**If utilizing Linux/​BSD:​**</​color>​ +**If utilizing Linux/​BSD:​** 
-  * <color #4B4B4B>Due to the sheer number of distros, and differing means of handling certificate authorities,​ please google:</​color>​ +  * Due to the sheer number of distros, and differing means of handling certificate authorities,​ please google: 
-    - <color #646464>//<your distro name>// install certificate authority</​color>​ +    - //<your distro name>// install certificate authority 
-    - <color #646464>//<your distro name>// install intermediate certificate authority</​color>​+    - //<your distro name>// install intermediate certificate authority
 </​WRAP>​ </​WRAP>​
  
Line 616: Line 600:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**If utilizing Windows:**</​color>​ +**If utilizing Windows:​** 
-    - <color #4B4B4B>**Download**</​color> ​<color #​C86400>​PEM Association.reg</​color><​color #4B4B4B>**, then import into registry**</​color> ​<​sup><​color #​646464>​(//​Right Click// -> //​Merge//​)</​color></​sup>​ +    - **Download** <color #​C86400>​PEM Association.reg</​color>​**,​ then import into registry** <​sup><​color #​646464>​(//​Right Click// -> //​Merge//​)</​color></​sup>​ 
-      * <color #646464>//This causes Windows to associate the .pem extension as a valid certificate extension//</​color>​\\ \\ +      * //This causes Windows to associate the .pem extension as a valid certificate extension//​\\ \\ 
-    - <color #4B4B4B>**Add your CA cert to the //Trusted Root Certification Authorities//​**</​color> ​<​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ +    - **Add your CA cert to the //Trusted Root Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ 
-      - <color #646464>//Right click on//</​color> ​<color #​C86400>​OpenWrt-CA.crt.pem</​color>:​+      - //Right click on// <color #​C86400>​OpenWrt-CA.crt.pem</​color>:​
         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\
-    - <color #4B4B4B>**Add your ICA cert to the //​Intermediate Certification Authorities//​**</​color> ​<​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ +    - **Add your ICA cert to the //​Intermediate Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ 
-      - <color #646464>//Right click on//</​color> ​<color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​+      - //Right click on// <color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​
         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​
 </​WRAP>​ </​WRAP>​
Line 646: Line 630:
 <WRAP 60em lo> <WRAP 60em lo>
  
-  - <color #4B4B4B>**Create VPN interface**</​color>​\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​ +  - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​ 
-    - <color #4B4B4B>You can replace</​color> ​''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>'' ​<color #4B4B4B>with</​color> ​''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​ +    - You can replace ''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>''​ with ''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​ 
-      - <color #646464>If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https://​wiki.openwrt.org/​doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]</​color>​\\ \\ +      - If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https://​wiki.openwrt.org/​doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]\\ \\ 
-    - <color #646464>You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​</​color>​ +    - You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​ 
-      - <color #646464>If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]</​color>​\\ \\ +      - If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]\\ \\ 
-  - <color #4B4B4B>**Commit changes**</​color>​\\  <code cpp>uci commit network ; /​etc/​init.d/​network reload</​code>​+  - **Commit changes**\\ ​ <code cpp>uci commit network ; /​etc/​init.d/​network reload</​code>​
  
 </​WRAP>​ </​WRAP>​
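Review bot: the link in "will need to be updated accordingly in Firewall Rules" is malformed: `[[:doc:howto:openvpn-streamlined-server-setup#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules|Firewall Rules]]` has a full URL inside the anchor part, so it resolves to a non-existent section; it should be `[[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]`. Also, the "Commit changes" block is fenced `<code cpp>` while the uci command above it is `<code bash>`; use bash for both.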
Line 661: Line 645:
 <wrap right button>​[[doc:​howto:​ddns.client|DDNS Wiki]]</​wrap>​ <wrap right button>​[[doc:​howto:​ddns.client|DDNS Wiki]]</​wrap>​
  
-  - <color #4B4B4B>**A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs**</​color>​ +<wrap indent>**//Applies to connections from WAN//​**</​wrap>​ 
-    - <color #646464>DDNS:</​color>​ +  - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs** 
-      * <color #646464>**D**ynamic **D**omain **N**ame **S**ystem providers provide the user with a dynamically updated DNS name for their public IP</​color>​ +    - DDNS: 
-      * <color #646464>Purchasing occurs as a service subscription fee from DDNS providers</​color>​ +      * **D**ynamic **D**omain **N**ame **S**ervice ​providers provide the user with a dynamically updated DNS name for their public IP 
-    - <color #646464>FQDN</​color>​ +      * Purchasing occurs as a service subscription fee from DDNS providers 
-      * <color #646464>**F**ully **Q**ualified **D**omain **N**ame is a URL <​sup>​(google.com is a FQDN)</sup></color+    - FQDN 
-      * <color #646464>Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <​sup>​(//​Internet Assigned Numbers Authority//​)</​sup></color>\\ \\ +      * **F**ully **Q**ualified **D**omain **N**ame is a URL <sup><​color #646464>​(google.com is a FQDN)</color></sup
-  - <color #4B4B4B>**Most users will likely configure DDNS**</​color>​ +      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup><​color #646464>​(//​Internet Assigned Numbers Authority//​)</​color></sup>\\ \\ 
-    * <color #646464>See the [[doc:​howto:​ddns.client|DDNS Clients]] wiki</​color>​+  - **Most users will likely configure DDNS** 
 +    * See the [[doc:​howto:​ddns.client|DDNS Clients]] wiki
  
 </​WRAP>​ </​WRAP>​
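Review bot: the change from "Dynamic Domain Name System" to "Dynamic Domain Name Service" makes the expansion less accurate, since DNS stands for Domain Name System; revert it. "Fully Qualified Domain Name is a URL" is also wrong: an FQDN is a complete host name such as `google.com`, while a URL wraps a scheme and path around it. The added "Applies to connections from WAN" lead-in is useful; it could also state the implicit point that LAN-only use needs neither DDNS nor an FQDN.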
Line 688: Line 673:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap>​+<WRAP centeralign>​<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap></​WRAP>
  
 <tabbox Information>​ <tabbox Information>​
Line 694: Line 679:
 <color #​508CAA>​**Firewall Info**</​color>​ <color #​508CAA>​**Firewall Info**</​color>​
  
-  - <color #4B4B4B>**Traffic rules should be placed in the following order**</​color>​ +  - **Traffic rules should be placed in the following order** 
-    - <color #646464>Firewall.User Script</​color>​ +    - Firewall.User Script 
-    - <color #646464>Redirect Rules</​color>​ +    - Redirect Rules 
-    - <color #646464>Router Network Default</​color>​ +    - Router Network Default 
-    - <color #646464>VPN Network Default</​color>​ +    - VPN Network Default 
-    - <color #646464>VPN InterZone Forwarding</​color>​ +    - VPN InterZone Forwarding 
-    - <color #646464>VPN Traffic Rules</​color>​\\ \\ +    - VPN Traffic Rules\\ \\ 
-  - <color #4B4B4B>**Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes**</​color>​ +  - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes** 
-    - <color #646464>Allowing both prevents having to edit the firewall every time troubleshooting is needed</​color>​\\ \\ +    - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\ 
-  - <color #4B4B4B>**SSL VPNs should always use UDP**</​color>​ +  - **SSL VPNs should always use UDP** 
-    - <color #646464>//Except under the following two scenarios//</​color>​ +    - //Except under the following two scenarios//​ 
-      - <color #646464>When troubleshooting\\ **OR**</​color>​ +      - When troubleshooting\\ **OR** 
-      - <color #646464>When packet loss is high</​color>​\\ \\ +      - When packet loss is high\\ \\ 
-  - <color #4B4B4B>**A port >1025 but <10000 should be utilized for the VPN**</​color>​ +  - **A port >1025 but <10000 should be utilized for the VPN** 
-    - <color #646464>If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly</​color>+    - If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly 
 +      - If needing to bypass a strict firewall in front of the router, utilize port 443 <​sup>​[HTTPS]</sup>
  
  
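Review bot: the new sub-item "utilize port 443 [HTTPS]" sits under the ">1025 but <10000" rule and silently contradicts both that rule and the "SSL VPNs should always use UDP" item above it: a strict upstream firewall that lets HTTPS through normally passes TCP/443 only, so that scenario also requires switching proto to tcp in the server and client configs, which the sub-item does not say. Suggest writing it as an explicit exception (proto tcp, port 443, only when forced by an upstream firewall) rather than a sub-bullet of the custom-port rule.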
Line 716: Line 702:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</​color>​+**The following rules are required:**
   - //''<​color #​647D00>​vi /​etc/​config/​firewall</​color>''//​\\ \\ <code cpp>   - //''<​color #​647D00>​vi /​etc/​config/​firewall</​color>''//​\\ \\ <code cpp>
 #::: Traffic Rules :::# #::: Traffic Rules :::#
Line 731: Line 717:
     option ​ path            '/​etc/​firewall.user'​     option ​ path            '/​etc/​firewall.user'​
  
-# Default ​OpenWRT ​Rule #+# Default ​OpenWrt ​Rule #
 config defaults config defaults
     option ​ input           '​ACCEPT'​     option ​ input           '​ACCEPT'​
Line 743: Line 729:
 #​------------------------------------------------ #​------------------------------------------------
 # LuCI: From any host in any zone To any router # LuCI: From any host in any zone To any router
-# IP at port 1194 on this device (Accept Input) ​+# IP at port 5000 on this device (Accept Input) ​
 config rule config rule
     option ​ target ​         '​ACCEPT'​     option ​ target ​         '​ACCEPT'​
Line 749: Line 735:
     option ​ proto           '​tcp udp'     option ​ proto           '​tcp udp'
     option ​ src             '​*'​     option ​ src             '​*'​
-    option ​ dest_port ​      1194+    option ​ dest_port ​      5000
     option ​ name            'Allow Forwarded VPN Request -> <​device>'​     option ​ name            'Allow Forwarded VPN Request -> <​device>'​
  
 # Once Assigned VPN IP, Allow Inbound -> LAN # # Once Assigned VPN IP, Allow Inbound -> LAN #
 #​------------------------------------------------ #​------------------------------------------------
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP +# LuCI: From IP range 10.1.0.0/28 in any zone To IP 
-# range 192.168.1.0/​24 on this device (Accept Input)+# range 192.168.1.0/​28 on this device (Accept Input)
 config rule config rule
     option ​ target ​         '​ACCEPT'​     option ​ target ​         '​ACCEPT'​
Line 761: Line 747:
     option ​ proto           '​tcp udp'     option ​ proto           '​tcp udp'
     option ​ src             '​*'​     option ​ src             '​*'​
-    option ​ src_ip ​         '10.1.1.0/24'+    option ​ src_ip ​         '10.1.0.0/28'
     option ​ dest_ip ​        '​192.168.1.0/​26'​     option ​ dest_ip ​        '​192.168.1.0/​26'​
     option ​ name            'Allow VPN0 -> LAN'     option ​ name            'Allow VPN0 -> LAN'
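Review bot: the "Allow VPN0 -> LAN" input rule in this hunk keeps src '*' and matches only on src_ip '10.1.0.0/28', so after the subnet change any packet arriving on any zone, wan included, that carries a spoofed 10.1.0.0/28 source is accepted for input toward 192.168.1.0/26; set src to the zone the tun interface belongs to so the src_ip match is only applied to traffic that actually came through the tunnel. Also, the LuCI comment just above now says "IP range 192.168.1.0/28" while dest_ip is still '192.168.1.0/26'; one of the two should change.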
Line 767: Line 753:
 # Once Assigned VPN IP, Allow Forwarded -> LAN # # Once Assigned VPN IP, Allow Forwarded -> LAN #
 #​------------------------------------------------ #​------------------------------------------------
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP +# LuCI: From IP range 10.1.0.0/28 in any zone To IP 
-# range 192.168.1.0/​24  on this device (Accept Forward)+# range 192.168.1.0/​28  on this device (Accept Forward)
 config rule config rule
     option ​ target ​         '​ACCEPT'​     option ​ target ​         '​ACCEPT'​
Line 774: Line 760:
     option ​ family ​         '​ipv4'​     option ​ family ​         '​ipv4'​
     option ​ src             '​*'​     option ​ src             '​*'​
-    option ​ src_ip ​         '10.1.1.0/24'+    option ​ src_ip ​         '10.1.0.0/28'
     option ​ dest            '​*'​     option ​ dest            '​*'​
     option ​ dest_ip ​        '​192.168.1.0/​26'​     option ​ dest_ip ​        '​192.168.1.0/​26'​
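Review bot: the forward rule has the same weakness as the input rule: src '*' together with dest '*' and only a src_ip match allows forwarding between any two zones for anything claiming a 10.1.0.0/28 source. Set src to the VPN zone and dest to 'lan' (the ICMP rule further down already uses dest 'lan'), and note the comment's "192.168.1.0/28" again disagrees with dest_ip '192.168.1.0/26'.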
Line 781: Line 767:
 # Allow Outbound ICMP Traffic from VPN # # Allow Outbound ICMP Traffic from VPN #
 #​------------------------------------------------ #​------------------------------------------------
-# LuCI: ICMP From IP range 10.1.1.0/24 in any +# LuCI: ICMP From IP range 10.1.0.0/28 in any 
 # zone To any host in lan (Accept Forward) # zone To any host in lan (Accept Forward)
 config rule config rule
Line 787: Line 773:
     option ​ proto           '​icmp'​     option ​ proto           '​icmp'​
     option ​ src             '​*'​     option ​ src             '​*'​
-    option ​ src_ip ​         '10.1.1.0/24'+    option ​ src_ip ​         '10.1.0.0/28'
     option ​ dest            '​lan'​     option ​ dest            '​lan'​
     option ​ name            'Allow VPN0 (ICMP) -> LAN'     option ​ name            'Allow VPN0 (ICMP) -> LAN'
Line 794: Line 780:
 #​------------------------------------------------ #​------------------------------------------------
 # LuCI: ICMP with type echo-request From IP range # LuCI: ICMP with type echo-request From IP range
-# 10.1.1.0/24 in any zone To any host in wan (Accept Forward)+# 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
 config rule config rule
     option ​ target ​         '​ACCEPT'​     option ​ target ​         '​ACCEPT'​
Line 800: Line 786:
     list    icmp_type ​      '​echo-request'​     list    icmp_type ​      '​echo-request'​
     option ​ src             '​*'​     option ​ src             '​*'​
-    option ​ src_ip ​         '10.1.1.0/24'+    option ​ src_ip ​         '10.1.0.0/28'
     option ​ dest            '​wan'​     option ​ dest            '​wan'​
     option ​ name            'Allow VPN0 (ICMP 8) -> <​device>​ '     option ​ name            'Allow VPN0 (ICMP 8) -> <​device>​ '
Line 857: Line 843:
  
 </​code>​\\ ​ </​code>​\\ ​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​+  - **Commit changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​
 </​WRAP>​ </​WRAP>​
  
Line 868: Line 854:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</​color>​+**The following rules are required:**
   - //''<​color #​647D00>​vi /​etc/​firewall.user</​color>''//​\\ \\ <code cpp>   - //''<​color #​647D00>​vi /​etc/​firewall.user</​color>''//​\\ \\ <code cpp>
 #::: Traffic Rules :::# #::: Traffic Rules :::#
Line 874: Line 860:
  
   # These rules make the assumption the default port of 1194 is not used for the VPN   # These rules make the assumption the default port of 1194 is not used for the VPN
-   +    ​# Port 5000 is being used arbitrarily for the VPN port
-  ​# Port 5000 is being used arbitrarily for the VPN port+
     ​     ​
  
     # Establish Custom Zones #     # Establish Custom Zones #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-N ​ DROP-Brute +iptables ​   -N  LOG-VPN 
-iptables ​       ​-N  LOG-VPN +iptables ​   -N  Rate_Limit
-iptables ​       -N  Rate_Limit +
- +
-    # Log All Dropped # +
-#​--------------------------------------------------- +
-iptables ​       -A  DROP-Brute ​             -j  LOG     ​--log-prefix ​   "<​[[--- BRUTE DROPPED ---]]> : " ​       --log-level 4 +
-iptables ​       -A  DROP-Brute ​             -j  DROP+
  
     # Establish Rate Limit #     # Establish Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-A ​ Rate_Limit ​ -p  tcp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       ​-A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  tcp                                                     ​-j  REJECT ​     --reject-with ​  ​tcp-reset 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  udp                                                     ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable 
-iptables ​       -A  Rate_Limit ​ -p  tcp                                                                         ​-j  REJECT ​     --reject-with ​  ​tcp-reset +iptables ​   -A  Rate_Limit ​ !   ​-p ​     ICMP                                            -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " 
-iptables ​       -A  Rate_Limit ​ -p  udp                                                                         ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable +iptables ​   -A  Rate_Limit ​                                                             -j  DROP
-iptables ​       -A  Rate_Limit ​ !   ​-p ​     ICMP                                                                -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " +
-iptables ​       -A  Rate_Limit ​                                                                                 -j  DROP+
  
     # Apply Rate Limit #     # Apply Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ tcp     ​--dport ​    1194    ​-m ​ state   ​--state NEW -m  recent ​ --set +iptables ​   -I  INPUT       ​-p ​ tcp     ​--dport ​    5000    ​-m ​ state   ​--state NEW     ​-j ​ Rate_Limit 
-iptables ​   -w  -I  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   -j  Rate_Limit +iptables ​   -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW     ​-j ​ Rate_Limit
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ udp     --dport ​    ​1194 ​   -m  state   ​--state NEW -m  recent ​ --set +
-iptables ​   -w  -I  INPUT       ​-p ​ udp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   ​-j ​ Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ tcp     --dport ​    ​5000 ​   -m  state   ​--state NEW                                                         -j  Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW                                                         ​-j ​ Rate_Limit +
- +
-    # Check for bans in Rate_Limit # +
-#​--------------------------------------------------- +
-iptables ​   -w  -A  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   ​-j  Rate_Limit+
  
     # Log VPN Traffic #     # Log VPN Traffic #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       -A  LOG-VPN ​                                    ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 +iptables ​   -A  LOG-VPN ​                                                                ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 
-iptables ​       -A  LOG-VPN ​                                    ​-j  ACCEPT+iptables ​   -A  LOG-VPN ​                                                                ​-j  ACCEPT
  
 </​code>​\\ </​code>​\\
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ +  - **Commit changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ 
-  - <color #646464>**Please also see:**</​color>​+  - **Please also see:**
     * [[doc:​howto:​log.essentials|Log Essentials]]     * [[doc:​howto:​log.essentials|Log Essentials]]
     * [[doc:​howto:​log.overview|Logging Servers]]     * [[doc:​howto:​log.overview|Logging Servers]]
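Review bot: after removing the DROP-Brute chain and the -m recent/--hitcount rules, the chain still named Rate_Limit no longer limits anything: every NEW tcp/udp packet to --dport 5000 is inserted at the top of INPUT, jumps to Rate_Limit, and is immediately logged and ACCEPTed by LOG-VPN, while the trailing REJECT/LOG/DROP rules in Rate_Limit are unreachable because only --dport 5000 traffic is ever sent to that chain. Two consequences: the LOG rule in LOG-VPN has no -m limit, so an unauthenticated packet flood to port 5000 writes one log line per packet, and the -I INPUT ... -j Rate_Limit rules accept the traffic before the UCI "Allow Forwarded VPN Request" rule is consulted, making that rule redundant. Either restore a rate limit (at minimum -m limit on the LOG target, ideally the recent-based hitcount check that was removed) or rename the chain and delete the dead rules; keeping the -w flag on the iptables calls also avoids failures on the xtables lock during a concurrent firewall reload.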
Line 944: Line 913:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap></​WRAP>
  
 <tabbox Information>​ <tabbox Information>​
Line 950: Line 919:
 <color #​508CAA>​**OpenVPN Information**</​color>​ <color #​508CAA>​**OpenVPN Information**</​color>​
  
-  * <color #4B4B4B>**This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**</​color>​ +  * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations** 
-    * <color #646464>DNS primary & secondary are [[https://developers.google.com/speed/public-dns/​docs/​using|Google's]]</​color>​ +    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?​url=familyshield|OpenDNS']] 
-    * <color #646464>NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice</​color>​ +    * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice 
-      * <color #646464>NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds</​color>​\\ \\ +      * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\ 
-  * <color #4B4B4B>**//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN HowTo]] **to understand how it's used**</​color>​ +  * **//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN HowTo]] **to understand how it's used** 
-      * <color #646464>CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used</​color>​\\ \\ +      * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\ 
-  * <color #4B4B4B>**Two or more servers can be run from this config file**</​color>​ +  * **Two or more servers can be run from this config file** 
-    * <color #646464>To add additional servers, copy & paste first config directly below itself, with a blank line separating the two</​color>​\\ \\ +    * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\ 
-  * <color #4B4B4B>**The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**</​color>​+  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** ​\\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #​647D00>​option ​ tls_cipher</​color>​''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>''​
  
  
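Review bot: in the new "Available TLS ciphers" bullet, "openssl --show-tls" is not an OpenSSL command; the command that prints the cipher list in the TLS-xxx-WITH-xxx naming used by tls_cipher is openvpn --show-tls. The surrounding wording also conflates two things: "EC ciphers" and "SSL ciphers" are not separate cipher families; what OpenVPN 2.4 added is elliptic-curve key exchange and certificate support, and the tls_cipher list in the server config already mixes ECDHE and DHE suites, so the bullet should say that ECDHE suites are preferred for key exchange (and give forward secrecy) rather than describe them as faster replacements for "SSL ciphers".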
Line 965: Line 943:
 <color #​508CAA>​**OpenVPN Server Config**</​color>​ <color #​508CAA>​**OpenVPN Server Config**</​color>​
  
-  - <color #4B4B4B>**Create config:**</​color>​\\ <code cpp>echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn</​code>​ +  - **Create config:**\\ <code cpp>echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn</​code>​ 
-    - <color #646464>**Paste the following & edit accordingly**</​color>​\\ \\ <code cpp> +    - **Paste the following & edit accordingly**\\ \\ <code cpp>
 config openvpn '​VPNserver'​ config openvpn '​VPNserver'​
- 
     option ​ enabled ​            1     option ​ enabled ​            1
  
Line 978: Line 954:
     option ​ topology ​           '​subnet'​     option ​ topology ​           '​subnet'​
     option ​ proto               '​udp'​     option ​ proto               '​udp'​
-    option ​ port                ​1194+    option ​ port                ​5000
  
     # Routes #      # Routes # 
Line 996: Line 972:
     list    push                '​dhcp-option ​   DNS 192.168.1.1'​     list    push                '​dhcp-option ​   DNS 192.168.1.1'​
     list    push                '​dhcp-option ​   WINS 192.168.1.1'​     list    push                '​dhcp-option ​   WINS 192.168.1.1'​
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​   DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'+    list    push                '​dhcp-option ​   DNS 208.67.220.123'
     list    push                '​dhcp-option ​   NTP 129.6.15.30'​     list    push                '​dhcp-option ​   NTP 129.6.15.30'​
  
Line 1011: Line 987:
     option ​ cipher ​             AES-256-CBC     option ​ cipher ​             AES-256-CBC
     option ​ auth                '​SHA512'​     option ​ auth                '​SHA512'​
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​ta.key 0'+    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0'
     ​     ​
     # TLS:     # TLS:
     option ​ tls_server ​         1     option ​ tls_server ​         1
     option ​ tls_version_min ​    1.2     option ​ tls_version_min ​    1.2
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:​TLS-RSA-WITH-AES-256-CBC-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4'​ +    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:!kRSA' 
-    option ​ remote-cert-eku ​    ​'TLS Web Client Authentication'​+ 
 +    option remote-cert-eku ​     'TLS Web Client Authentication'​
  
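Review bot: "option remote-cert-eku" keeps a hyphenated option name while every other option in this file (tls_version_min, tls_cipher, tls_auth) uses underscores; UCI option names may only contain letters, digits and underscore, and the OpenWrt init script maps underscores to the dashes OpenVPN expects, so this line should be "option remote_cert_eku 'TLS Web Client Authentication'" or the config will not parse. On the cipher list: adding !kRSA drops RSA key transport for forward secrecy, but TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 (static, non-ephemeral ECDH) is kept and offers no forward secrecy either; dropping it leaves only the ECDHE/DHE suites, which is what the !kRSA change signals as the intent.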
     # Logging #      # Logging # 
Line 1023: Line 1000:
     option ​ log_append ​         '/​tmp/​openvpn.log'​     option ​ log_append ​         '/​tmp/​openvpn.log'​
     option ​ status ​             '/​tmp/​openvpn-status.log'​     option ​ status ​             '/​tmp/​openvpn-status.log'​
-    option ​ verb                ​7+    option ​ verb                ​4
  
     # Connection Options #      # Connection Options # 
Line 1061: Line 1038:
     # chroot would be ~11MB in size.     # chroot would be ~11MB in size.
  
-    ​# Modify if chroot is configured #+        ​# Modify if chroot is configured #
     #​--------------------------------------------     #​--------------------------------------------
         # option ​ ccd_exclusive ​            1         # option ​ ccd_exclusive ​            1
Line 1070: Line 1047:
         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem
         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​ta.key 0'+        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ +  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​ 
-<code bash>/​etc/​init.d/​openvpn ​enable ​; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​+ 
 + 
 +<tabbox CCD> 
 +<wrap right>''​<color #C86400>/​etc/​openvpn/​clients</​color>''</​wrap>​ 
 +<color #508CAA>**OpenVPN Server CCD Config**</​color>​ 
 + 
 +  - **Enable CCD within Server config:** 
 +    - //''<​color #​647D00>​vi /​etc/​config/​openvpn</​color>''// ​\\ <code cpp> 
 +   option ​ ccd_exclusive ​          1 
 +   ​option ​ ifconfig_pool_persist ​  '/​etc/​openvpn/​clients/​ipp.txt'​ 
 +   ​option ​ client_config_dir ​      '/​etc/​openvpn/​clients/'​ 
 +</​code>​ 
 +      * ''<​color #​647D00>​ccd_exclusive</​color>'':​ enables CCD 
 +      * ''<​color #​647D00>​client_config_dir</​color>'':​ Directory housing CCD client files 
 +      * ''<​color #​647D00>​ifconfig_pool_persist</​color>'':​ File containing common names from client files, followed by static IP for device\\ \\ 
 +  - **Configure CCD files** 
 +    - For each VPN client, a file must be created which exactly mirrors the common name of each client cert 
 +      - File should contain an ''​ifconfig''​ command pushing a static IP to the client 
 +        - Client Certificate CN: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client)</​color>''​ 
 +          - Client File: ''<​color #​C86400>/​etc/​openvpn/​clients/​John Doe (OpenWrt VPNserver Client)</​color>''​ 
 +            - File Output: ''//<​color #​647D00>​ifconfig-push 10.1.0.6 255.255.255.240</​color>//''​\\ \\ 
 +  - **Configure IPP file** 
 +    - One per line, each VPN client'​s CN needs to be specified, followed by their static IP 
 +      - IPP File: ''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​ 
 +        - File Output: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\ 
 +  - **Start/​Restart OpenVPN** 
 +    - Connect with each client to test\\ ​<code bash>/​etc/​init.d/​openvpn ​stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​ 
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
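Review bot: the CCD tab documents ifconfig_pool_persist ('/etc/openvpn/clients/ipp.txt') as a file the admin writes by hand in the "Configure IPP file" step, but OpenVPN maintains that file itself (it is the persistence store for pool leases and is rewritten periodically), so hand edits are overwritten and the ifconfig-push line in each CCD file is what actually fixes the client address; either describe ipp.txt as server-maintained or drop that step. Separately, the example CN 'John Doe (OpenWrt VPNserver Client)' contains spaces and parentheses; OpenVPN normalizes the common name before looking up the CCD file, so the file name shown here should be checked against what the server actually looks for, and a CN restricted to letters, digits, '-' and '_' (like the vpn-client1-foobar1-device1 names in the log excerpt below) avoids the question entirely.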
Line 1091: Line 1095:
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1125: Line 1129:
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1147: Line 1151:
 Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(),​ in='​vpn-client1-foobar1-device1,​10.1.0.5',​ TODO: IPv6 Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(),​ in='​vpn-client1-foobar1-device1,​10.1.0.5',​ TODO: IPv6
 Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set() Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
-Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(),​ in='vpn-client2-foobar2-device1,​10.1.0.6',​ TODO: IPv6+Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(),​ in='John Doe (OpenWrt VPNserver Client),​10.1.0.6',​ TODO: IPv6
 Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set() Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
 Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
 Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,​10.1.0.5 Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,​10.1.0.5
-Thu Oct 20 13:35:30 2016 us=715331 ​vpn-client2-foobar2-device1,10.1.0.6+Thu Oct 20 13:35:30 2016 us=715331 ​John Doe (OpenWrt VPNserver Client),10.1.0.6
 Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028 Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
 Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed
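Review bot: the two IFCONFIG POOL lines in this hunk were edited by hand (only the CN changed; every timestamp and us= value is identical to the previous revision), so the excerpt no longer shows what OpenVPN actually logs for a CN like 'John Doe (OpenWrt VPNserver Client)', in particular whether the name appears as-is or normalized. Re-capture the log with the new CCD/ipp setup rather than patching the old output, or keep the original vpn-client2-foobar2-device1 line so the excerpt stays genuine.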
Line 1165: Line 1169:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap></​WRAP>
 </​WRAP>​ </​WRAP>​
  
Line 1173: Line 1177:
 ==== Android ==== ==== Android ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
-<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​Client]]</​wrap> ​+<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​for Android]]</​wrap> ​
 <color #​508CAA>​**Android Client Information**</​color>  ​ <color #​508CAA>​**Android Client Information**</​color>  ​
  
-  * <color #4B4B4B>​**//​OpenVPN for Android// is the best app for VPNs on Android**</​color>​\\ \\ +<WRAP centeralign>​<color #960000>**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //​imperative//,​ for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​ 
-  * <color #4B4B4B>**PKCS12 certs are installed into the //Android Keychain//​**</​color>​ + 
-    * <color #646464>As a security feature, a warning toast will always appear in the notification area due to user installed certs</​color>​ +  * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\ 
-      * <color #646464>This toast can be removed if you have a rooted device by following Toast Removal tutorial</​color>​ +  * **PKCS12 certs are installed into the //Android Keychain//​** 
-    * <color #646464>Another option is to include all certs & keys via inline XML within the client config file</color>\\ \\ +    * As a security feature, a warning toast will always appear in the notification area due to user installed certs 
-  * <color #4B4B4B>**If you choose to reference the ''//​ta.key//'',​ instead of utilizing inline XML**</​color>​+      * This toast can be removed if you have a rooted device by following Toast Removal tutorial ​\\ \\ 
 +    * Another option is to include all certs & keys via inline XML within the client config file 
 +      * //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
 +  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML**
     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 key-direction 1 key-direction 1
 +
 <​tls-auth>​ <​tls-auth>​
 -----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
Line 1193: Line 1203:
 </​tls-auth></​code>​ </​tls-auth></​code>​
     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
-tls-auth ​  ​/path/to/ta.key 1 +    # Encryption # 
-</​code>​ +#​------------------------------------------------ 
-  * <color #4B4B4B>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ +tls-auth ​   '​/path/to/tlsauth.key' ​1</​code>​ 
-    * <color #646464>If your device is affected, you will need to reference your individual certs in your Server Config</​color>​ +  * <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ 
-      - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp> +    * If your device is affected, you will need to reference your individual certs in your Server Config
- # Encryption # +
-pkcs12 ​    '/​sdcard/​openvpn/​vpn-client1.p12'</​code>​+
       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
- # Encryption # +    ​# Encryption # 
-ca         ​'/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ +#​------------------------------------------------ 
-cert       ​'/​sdcard/​openvpn/​vpn-client1.crt.pem'​ +ca      '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
-key        '/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​ +cert    '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
-<WRAP centeralign><​wrap danger>​For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure</​wrap>​\\ <color #​AF0000>​Therefore it's //crucial// to the security of the VPN to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​ +key     ​'/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​
  
 <tabbox Config> <tabbox Config>
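Review bot: this revision deletes the exFAT/664 warning (the removed `<wrap danger>` line) without replacing it, yet the Add block still places `vpn-client1.key.pem` under `/sdcard/openvpn/`, where the fixed permissions leave the private key readable by other applications. Suggest keeping that warning next to the `key` directive, or at least restating that the key must be passphrase-encrypted as described under Client Certs. Two smaller points in the same region: the Remove step for the `pkcs12` directive was dropped, so a reader following only the Add step ends up with both `pkcs12` and `ca`/`cert`/`key` in one profile; and "reference your individual certs in your Server Config" should read Client Config, since these directives belong in the Android client profile.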
Line 1213: Line 1220:
  
 <code cpp> <code cpp>
-# Config Type #+    ​# Config Type #
 #​------------------------------------------------ #​------------------------------------------------
 client client
  
-# Connection ​ #+    ​# Connection ​ #
 #​------------------------------------------------ #​------------------------------------------------
 dev tun dev tun
 proto udp proto udp
-remote your.ddns.com ​1194+remote your.ddns.com ​5000
  
-# Speed #+    ​# Speed #
 #​------------------------------------------------ #​------------------------------------------------
 +mssfix 0
 fragment 0 fragment 0
-mssfix 0 
 tun-mtu 48000 tun-mtu 48000
  
-# Reliability #+    ​# Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-remote-cert-eku ​"TLS Web Server Authentication"+ 
 +# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
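Review bot: `comp-lzo` is retained (now moved under Reliability) next to the newly added `auth SHA512` and `tls-version-min 1.2` lines; compressing plaintext before encryption is a known weakness, because the ciphertext length then depends on the content, so a revision aimed at hardening would be more consistent dropping `comp-lzo` (together with the matching server-side option) than relocating it. The same block is repeated unchanged in the BSD/Linux and Windows client configs further down. If it is kept, it is a compression setting and belongs under Speed rather than Reliability.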
Line 1250: Line 1266:
 </​tls-auth>​ </​tls-auth>​
  
-key-direction 1 +    ​# Logging #
- +
-# Logging #+
 #​------------------------------------------------ #​------------------------------------------------
 verb 5 verb 5
 </​code>​ </​code>​
 +
 +<tabbox Inline XML>
 +<color #​508CAA>​**Referencing certs via Inline XML**</​color>​
 +
 +  - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +ca        '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​
 +cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​
 +key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​
 +tls-auth ​ '/​path/​to/​tlsauth.key'​ 1</​code>​
 +  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +
 +# --- TLS --- #
 +key-direction 1
 +
 +<ca>
 +#​PASTE-CA-CERT-INLINE-HERE#​
 +</ca>
 +
 +<​cert>​
 +#​PASTE-VPN-SERVER-CERT-INLINE-HERE#​
 +</​cert>​
 +
 +<key>
 +#​PASTE-VPN-SERVER-KEY-INLINE-HERE#​
 +</​key>​
 +
 +<​tls-auth>​
 +-----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 +-----END OpenVPN Static key V1-----
 +</​tls-auth></​code>​
  
 <tabbox Toast Removal> <tabbox Toast Removal>
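Review bot: the placeholders in the Add block are labelled for the server (`#PASTE-VPN-SERVER-CERT-INLINE-HERE#`, `#PASTE-VPN-SERVER-KEY-INLINE-HERE#`) although this tab is the Android client profile, and the Remove block it replaces references `vpn-client1.crt.pem` and `vpn-client1.key.pem`; a reader who takes the labels literally would copy the server's private key onto the handset. Suggest renaming them to client placeholders. A naming nit for the tab title: "Inline XML" is a misnomer, since `<ca>` ... `</ca>` and the other blocks are OpenVPN's own inline-file syntax rather than XML.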
Line 1261: Line 1310:
 <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​ <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​
  
-<wrap indent><​color #4B4B4B>If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert wiki, then continue</​color>​</​wrap>​ +<wrap indent>​If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert wiki, then continue</​wrap>​ 
-  - <color #4B4B4B>​**Method 1:​**</​color>​ +  - <color #789600>​**Method 1:​**</​color>​ 
-    - <color #646464>**Add certificate to Android Keychain**</​color>​ +    - **Add certificate to Android Keychain** 
-      - <color #7D7D7D>**//​Settings//​ –> //​Security//​ –> //Install from Storage//**</​color>​\\ \\ +      - **//​Settings//​ –> //​Security//​ –> //Install from Storage//​**\\ \\ 
-    - <color #646464>**Move certificate from userland to system trusted**</​color>​ +    - **Move certificate from userland to system trusted** 
-      - <color #7D7D7D>**Android < 5.0:**</​color>​ +      - **Android < 5.0:** 
-        - <color #646464>Move new file</​color>​+        - Move new file
           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​
           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
-      - <color #7D7D7D>**Android > 5.0:**</​color>​ +      - **Android > 5.0:** 
-        - <color #646464>Move new file</​color>​+        - Move new file
           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​
           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
-  - <color #4B4B4B>​**Method 2:​**</​color>​ +  - <color #789600>​**Method 2:​**</​color>​ 
-    - <color #646464>**Save certificate with .pem extension**</​color>​\\ \\ +    - **Save certificate with** ''​.pem''​ **extension**\\ \\ 
-    - <color #646464>**Garnish subject of certificate:​**</​color>​+    - **Garnish subject of certificate:​**
       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​
-        - <color #646464>Should be similar to:</​color> ​<color #​647D00>​0b112a89</​color>​\\ \\ +        - Should be similar to: <color #​647D00>​0b112a89</​color>​\\ \\ 
-    - <color #646464>**Save certificate as text:**</​color>​+    - **Save certificate as text:**
       - ''//<​color #​647D00>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​color>//''​\\ \\       - ''//<​color #​647D00>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​color>//''​\\ \\
-    - <color #646464>**Swap PEM section and text:**</​color>​ +    - **Swap PEM section and text:** 
-      - ''<​color #​647D00>//​-----BEGIN CERTIFICATE-----//</​color>'' ​<color #646464>must be at top of file</​color>​\\ \\ +      - ''<​color #​647D00>//​-----BEGIN CERTIFICATE-----//</​color>''​ must be at top of file\\ \\ 
-    - <color #646464>**Rename file:**</​color> ​''<​color #​647D00>​0b112a89.0</​color>''​ +    - **Rename file:** ''<​color #​647D00>​0b112a89.0</​color>''​ 
-      - <color #646464>Replace with subject from //step b//</​color>​\\ \\ +      - Replace with subject from //step b//\\ \\ 
-    - <color #646464>**Copy file to:**</​color> ​''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ +    - **Copy file to:** ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ 
-    - <color #646464>**Set permissions:​**</​color>​+    - **Set permissions:​**
       - ''//<​color #​647D00>​chmod 644 0b112a89.0</​color>//''​\\ \\       - ''//<​color #​647D00>​chmod 644 0b112a89.0</​color>//''​\\ \\
-    - <color #646464>**Certificate should be listed under:**</​color>​ +    - **Certificate should be listed under:** 
-      - <color #7D7D7D>**//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​**</​color>​ +      - **//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​** 
-        - <color #646464>If it's still under</​color>​ <color #7D7D7D>**//​User//​**</​color>​+        - If it's still under **//​User//​**:​ 
-          - <color #646464>Disable/​Re-Enable certificate in Android Settings</​color>​ +          - Disable/​Re-Enable certificate in Android Settings 
-            - <color #646464>This creates a file in</​color> ​''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ +            - This creates a file in ''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ 
-          - <color #646464>Move that file to</​color> ​''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​ +          - Move that file to ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​ 
-          - <color #646464>Delete original file from //step f//</​color>​+          - Delete original file from //step f//
  
 </​tabbox>​ </​tabbox>​
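Review bot: step b of Method 2 runs `openssl x509 -inform PEM -subject_hash -in 0b112a89.0` against a file that only receives that name in step e, so the input should be the `.pem` file saved in step a. Separately, Android's system store names certificates by OpenSSL's old-style subject hash, so check whether `-subject_hash_old` is the option the device's version expects; if the file name does not match the hash Android computes, the certificate will not be picked up from `/system/etc/security/cacerts/`. "Garnish" in the step title presumably should be "Generate".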
Line 1302: Line 1351:
 ==== BSD/Linux ==== ==== BSD/Linux ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1308: Line 1357:
 <color #​508CAA>​**BSD/​Linux Client Information**</​color>​ <color #​508CAA>​**BSD/​Linux Client Information**</​color>​
  
-  * <color #4B4B4B>Due to the sheer number of distros & variances from one to the other, only the client config is being provided</​color>​+  * Due to the sheer number of distros & variances from one to the other, only the client config is being provided
  
 <tabbox Config> <tabbox Config>
Line 1323: Line 1372:
 dev tun dev tun
 proto udp proto udp
-remote your.ddns.com ​1194+remote your.ddns.com ​5000
  
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
-fragment 0 
 mssfix 0 mssfix 0
 +fragment 0
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-pkcs12 /​etc/​ssl/​openvpn/​vpn-client1.p12 + 
-remote-cert-eku ​"TLS Web Server Authentication"+# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +pkcs12 ​'/​etc/​ssl/​openvpn/​vpn-client1.p12' 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
Line 1352: Line 1410:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1366: Line 1422:
 ==== Windows ==== ==== Windows ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1372: Line 1428:
 <color #​508CAA>​**Windows Client Information**</​color>​ <color #​508CAA>​**Windows Client Information**</​color>​
  
-  * <color #4B4B4B>**If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**</​color>​ +  * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced** 
-    * <color #646464>You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS12</​color>''​</​color>​+    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
  
  
Line 1389: Line 1445:
 dev tun dev tun
 proto udp proto udp
-remote your.ddns.com ​1194+remote your.ddns.com ​5000
  
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
-fragment 0 
 mssfix 0 mssfix 0
 +fragment 0
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
 +
 +# --- TLS --- #
 +key-direction 1
 +tls-version-min 1.2
 +
 pkcs12 vpn-client1.p12 pkcs12 vpn-client1.p12
 remote-cert-eku "TLS Web Server Authentication"​ remote-cert-eku "TLS Web Server Authentication"​
Line 1418: Line 1483:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1472: Line 1535:
     option ​ dest            '​wan'​     option ​ dest            '​wan'​
     option ​ src             '​vpn'</​code>​     option ​ src             '​vpn'</​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code bash>/​etc/​init.d/​firewall restart</​code>​+  - **Commit changes**\\ <code bash>/​etc/​init.d/​firewall restart</​code>​
  
  
Line 1480: Line 1543:
  
   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​       DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'</​code>​+    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     list    push                '​redirect-gateway ​  def1 local'     list    push                '​redirect-gateway ​  def1 local'
     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code bash>/​etc/​init.d/​openvpn restart</​code>​+  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn restart</​code>​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
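Review bot: the first line of the Remove block, `list push 'dhcp-option DNS 208.67.222.123`, is missing its closing single quote (the old line had the same defect), so as shown it is not valid UCI and will not match the line in the server config; add the trailing quote. Also check the `local` flag on `redirect-gateway def1 local`: per the OpenVPN manual it is intended for clients on the same subnet as the server and omits the host route to the server address via the original gateway, so for clients connecting from outside the LAN it can send the tunnel's own packets into the tunnel; `redirect-gateway def1` alone is the usual form for remote clients.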
Line 1583: Line 1646:
 <WRAP 76.5em lo> <WRAP 76.5em lo>
  
-  * <color #4B4B4B>**//Please take the time to read//**</​color>​ +  * **//Please take the time to read//** 
-    * <color #646464>//If you refuse to help yourself, don't expect someone else to help you//</​color>​\\ \\ +    * //If you refuse to help yourself, don't expect someone else to help you//\\ \\ 
-  * <color #4B4B4B>**//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki Section]]//</color> +  * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// ​**//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​** 
-    * <color #646464>//If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWRT]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//</​color>​\\ \\ +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ 
-  * <color #4B4B4B>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ +  * <color #960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ 
-    * <color #646464>//Most importantly,​ it's __not__ monitored for questions//</​color>​ +    * //Most importantly,​ it's __not__ monitored for questions//​ 
-    * <color #646464>//It clutters the Wiki, possibly making it more difficult for others to navigate//</​color>​+    * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.txt · Last modified: 2018/02/03 14:28 by ssdnvv