
doc:howto:openvpn-streamlined-server-setup

doc:howto:openvpn-streamlined-server-setup [2016/09/14 21:45]
geekazoid used IANA names for ciphers
doc:howto:openvpn-streamlined-server-setup [2018/01/18 05:21] (current)
JW0914 [Introduction] Added a wrap box to fix ToC misalignment
Line 1: Line 1:
 ====== OpenVPN Server HowTo (Streamlined) ====== ====== OpenVPN Server HowTo (Streamlined) ======
  
-<​WRAP ​center 90%><​color #960000>**To prevent discombobulation,​ please follow the format already in place within this Wiki when editing** +<​WRAP ​centeralign>​ 
-//(incl. the Table of Contents)//</​color></​WRAP>​+<sup><​color #7D0000>**To prevent discombobulation,​ please follow the format already in place within this Wiki when editing**</​color></​sup>​\\ 
 +<​sup><​color #7D0000>//(incl. the Table of Contents)//</​color>​</​sup>​ 
 +</​WRAP>​
  
-  * <color #​789600>​**//​Five things are required for a SSL VPN://​**</​color>​ 
-    * [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption (Certificates)]] 
-    * [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network (VPN Interface Creation)]] 
-      * [[:​doc:​howto:​openvpn-streamlined-server-setup#​create_firewall_rules|Firewall Rules [VPN Traffic]]] 
-    * [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server [Config]]] 
-    * [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_clients|VPN Clients [Config]]] 
  
-===== Prerequisites ​===== +===== Introduction ​===== 
-=== Install Applicable Packages ===+ 
 +<WRAP box 78em lo> 
 + 
 +<tabbox Purpose>​ 
 +<color #​508CAA>​**VPN Server Purpose**</​color>​ 
 + 
 +  * Provides an encrypted remote connection over WAN to router and downstream devices 
 + 
 +  * If Gateway Redirect is utilized, it provides an encrypted connection for local traffic 
 + 
 +<tabbox Requirements>​ 
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​ 
 + 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\ 
 + 
 +<tabbox Editing>​ 
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]] ​ [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​ 
 +<color #​508CAA>​**Editing Configs**</​color>​ 
 + 
 +  * Vim is the default command line text editor\\ \\ 
 +  * If you've never utilized Vim before, please see the Vim Tutorial 
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​ 
 +</​tabbox>​ 
 +</​WRAP>​
  
-  * <code bash> 
-opkg update ; opkg install openvpn-easy-rsa openvpn-openssl luci-app-openvpn 
-</​code>​ 
  
-=== File Locations === 
-  * Firewall Config File: ''/​etc/​config/​firewall''​ 
-  * OpenVPN Config File: ''/​etc/​config/​openvpn''​ 
-    ​ 
-=== Folder Locations === 
-  * Easy-RSA Root Folder: ''/​etc/​easy-rsa/''​ 
-  * OpenVPN Root Folder: ''/​etc/​openvpn/''​ 
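Review bot: the new Requirements tab changes the section anchors from `#create_firewall_rules` and `#vpn_clients` to `#firewall` and `#clients`; DokuWiki derives these ids from the heading text, so the links only resolve if the Firewall and Clients headings further down the page were renamed to match, otherwise they silently jump to the top of the page. The removed Prerequisites block is not lost: the install command reappears under Encryption > Prerequisites (now without `openvpn-easy-rsa`, consistent with the warning that replaces it), and the file and folder list moves to the Files & Folders tab.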
  
 ===== Encryption ===== ===== Encryption =====
  
-//Due to the limitations of using Vars to generate a CA and certs, ​I've built a custom ​openssl.cnf from the bottom up.  ​While one will have the option of using whichever they prefer, utilizing OpenSSL directly via the aforementioned config ​will provide ​more cohesive experience between the CA and it'​s ​certs, a well as better sercurity.//+<WRAP centeralign 78.25em lo> 
 +<wrap warning><​color #​FFFFFF>​Easy-RSA ​//does not// create secure enough ​certs & has too many limitationstherefore OpenSSL should be utilized directly via an openssl.cnf</​color></​wrap>​ 
 +</​WRAP>​ 
 + 
 + 
 +<WRAP indent>​ 
 + 
 +==== Prerequisites ==== 
 + 
 +<WRAP box lo> 
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​ 
 + 
 +<tabbox Prerequisites>​ 
 +<wrap right>​Commands are executed ​from within ''<​color #​C86400>/​etc/​ssl/</​color>''</​wrap>​ 
 +<color #​508CAA>​**OpenVPN Prerequisites**</​color>​ 
 + 
 +  - **Install Packages:​** 
 +    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util</​color>''//​\\ \\ 
 +  - **Download openssl.cnf:** 
 +    - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\ 
 +  - **Navaigate to SSL directory & create required directories** 
 +    - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\ 
 +  - **Create Serial file** 
 +    - //''<​color #​647D00>​echo 00 > serial</​color>''//​ 
 +      * Maintains ​the serial for the most recent cert in order to know what serial to next assign 
 +        * Serial is in hex, not dec[//​imal//​] format\\ \\ 
 +  - **Create CRLnumber file** 
 +    - //''<​color #​647D00>​echo 00 > crl/​crlnumber</​color>''//​ 
 +            * CRL should be generated, but will only be utilized once cert is revoked\\ \\ 
 +  - **Create Index file** 
 +    - //''<​color #​647D00>​touch index</​color>''//​ 
 +      * Maintains an index of all certs issued <​sup><​color #​646464>​[lines 644 - 689]</​color></​sup>​ 
 +        * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\ 
 +  - **Create Rand file** 
 +    - //''<​color #​647D00>​touch rand</​color>''//​ 
 +      * Utilized for random characters & is queried by OpenSSL during key creation 
 + 
 + 
 +<tabbox Files & Folders>​ 
 +<color #​508CAA>​**File & Folder Locations**</​color>​ 
 + 
 +  - **Config Locations:​** 
 +    * Firewall: ''<​color #​C86400>/​etc/​config/​firewall</​color>''​ 
 +    * Network: ''<​color #​C86400>/​etc/​config/​network</​color>''​ 
 +    * OpenSSL: ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​ 
 +    * OpenVPN: ''<​color #​C86400>/​etc/​config/​openvpn</​color>''​\\ \\ 
 +  - **Folder Locations:​** 
 +    * OpenVPN 
 +      * CA & ICA Certs: ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​ 
 +        * CSR: ''<​color #​C86400>/​etc/​ssl/​ca/​csr/</​color>''​ 
 +        * CRL: ''<​color #​C86400>/​etc/​ssl/​crl/</​color>''​ 
 +      * Client Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​ 
 +      * Server Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​ 
 + 
 +<tabbox Extensions>​ 
 +<color #​508CAA>​**Certificate Extensions**</​color>​ 
 + 
 +  - **.csr:** 
 +    * //​certificate request//\\ \\ 
 +  - **.key:** 
 +    * //private key// 
 +      * 4All key files, except for a server'​s, ​should be encrypted with passphrase\\ \\ 
 +  - **.crt:** 
 +    * //signed certificate//​\\ \\ 
 +  - **.p12:** 
 +    * //PKCS12 certificate//​ 
 +      * Contains the //CA.crt// or concatenated //​ICA-CA.crt//,​ //​Certificate.crt//,​ and //​CertificateKey.key//​ 
 +</tabbox>​ 
 +</WRAP> 
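Review bot: the warning "Easy-RSA does not create secure enough certs & has too many limitations" names no property that is actually missing; Easy-RSA drives `openssl` with its own config, so the earlier wording ("limitations of using Vars to generate a CA and certs") is the defensible claim, and the extension profiles used below (v3_ca, v3_ica_router2, v3_vpn_server) are the concrete reason a hand-written openssl.cnf is needed. State that instead of "not secure enough". The "Create Serial file" bullet should also say why the file must exist: `openssl x509 -req -CAserial ./serial` reads the value, uses it and increments the file, and fails if the file is absent (unless `-CAcreateserial` is given). Typos: "Navaigate", "4All key files".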
  
 ==== OpenSSL ==== ==== OpenSSL ====
  
-  * [[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]] +<WRAP 76.5em lo>
-    * All needed commands are at the bottom of the openssl.cnf,​ starting at line 321.+
  
 +<tabbox Synopsis>​
 +<wrap right button>​[[https://​www.feistyduck.com/​books/​openssl-cookbook/​|Cookbook]] ​ [[https://​wiki.openssl.org/​index.php/​Main_Page|Wiki]]</​wrap>​
 +<color #​508CAA>​**Section Synopsis**</​color>​
  
-==== Easy-RSA ====+  * **These tabs contain critical information one will likely find helpful while going through the steps in this wiki** 
 +    * Tabs 2 3 contain informational & reference links to the main man pages 
 +    * Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs
  
-=== Edit Vars === 
-  * <code bash>cd /​etc/​easy-rsa ; echo > vars ; vi vars 
-</​code>​ 
-    * Paste the following **//__and edit__//** [whatever you'd like] to show your own custom input 
-    * <code cpp> 
-export EASY_RSA="/​etc/​easy-rsa"​ 
  
-export OPENSSL="​openssl"​ +<tabbox Info> 
-export PKCS11TOOL="​pkcs11-tool"​ +<wrap right button>​[[https://​www.openssl.org/​news/​changelog.html|Changelog]]</​wrap>​ 
-export GREP="​grep"​+<color #​508CAA>​**OpenSSL Information**</​color>​
  
-export KEY_CONFIG=`/​usr/​sbin/​whichopensslcnf $EASY_RSA`+<WRAP centeralign box> 
 +<WRAP third column>
  
-export KEY_DIR="​$EASY_RSA/keys"+<wrap button>​[[https:​//​wiki.openssl.org/​index.php/​Certificate_Lifecycle|Certificates Explained]]</​wrap>​\\ \\ 
 +<wrap button>​[[https://​www.openssl.org/​blog/​|Blog]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​news/​vulnerabilities.html|Vulnerabilities]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​news/​newslog.html|News]]</​wrap>​ 
 +</​WRAP>​
  
-echo NOTEIf you run clean-all, a rm -rf on $KEY_DIR will be performed+<WRAP third column>​ 
 +<wrap button>​[[https://​wiki.openssl.org/​index.php/​Documentation_Index|Index]]</​wrap>​ 
 +<wrap button>​[[http://​www.oid-info.com/​|OIDs]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​standards.html|Standards]]</​wrap>​\\ \\ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​config.html|Conf Config]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​x509v3_config.html|x509 Config]]</​wrap>​ 
 +</​WRAP>​
  
-export PKCS11_MODULE_PATH="​dummy"​ +<WRAP third column> 
-export PKCS11_PIN="​dummy"​+<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​ssl/​|SSL Library]]</​wrap>​ 
 +<wrap button>​[[https://​wiki.openssl.org/​index.php/​Manual:​Ssl(3)|SSL Manual]]</​wrap>​\\ \\ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​crypto/​|Crypto Library]]</​wrap>​ 
 +<wrap button>​[[https://​wiki.openssl.org/​index.php/​Manual:​Crypto(3)|Crypto Manual]]</​wrap>​ 
 +</​WRAP>​ 
 +</​WRAP>​
  
-export KEY_SIZE=4096 
  
-export CA_EXPIRE=1826+<tabbox Man Pages> 
 +<wrap right button>​[[https://​wiki.openssl.org/​index.php/​Command_Line_Utilities|Command List]] ​ [[https://​wiki.openssl.org/​index.php/​Manual:​Openssl(1)|OpenSSL Utility]]</​wrap>​ 
 +<color #​508CAA>​**Command Manuals**</​color>​
  
-export KEY_EXPIRE=365+<WRAP centeralign box> 
 +<WRAP third column>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​req.html|req]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​x509.html|x509]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​pkcs12.html|pkcs12]]</​wrap>​\\ \\ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​ca.html|ca]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​crl.html|crl]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​verify.html|verify]]</​wrap>​ 
 +</​WRAP>​
  
-export KEY_COUNTRY="​[2-letter abbreviation]" +<WRAP third column>​ 
-export KEY_PROVINCE="​[whatever you like]" +<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​dhparam.html|dhparam]]</​wrap>​ 
-export KEY_CITY="​[whatever you like]" +<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​ecparam.html|ecparam]]</​wrap>​ 
-export KEY_ORG="​[whatever you like]" +<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​rsa.html|rsa]]</​wrap>​\\ \\ 
-export KEY_EMAIL="​[whatever you like]" +<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​ciphers.html|ciphers]]</​wrap>​ 
-export KEY_OU="​[whatever you like]"+<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​sha256.html|dgst]]</​wrap>​ 
 +<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​engine.html|engine]]</​wrap>​ 
 +<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​list.html|list]]</​wrap>​ 
 +</​WRAP>​
  
-export KEY_NAME="​vpnserver"​ +<WRAP third column> 
-</code+<wrap button>​[[https://​www.openssl.org/​docs/​manmaster/​apps/​speed.html|speed]]</wrap>\\ \\ 
-      ​* ​<color red>**Do not use the same Common Name (CN) for two or more clients**</color+<wrap button>[[https://​www.openssl.org/​docs/​manmaster/​apps/​ocsp.html|oscp]]</wrap
-        * The CN (Common Name) is the name you enter when prompted in uci after running ''​build-key-pkcs12'';​ it should be //unique// to each client+<wrap button>​[[https:​//www.openssl.org/docs/manmaster/​apps/​smime.html|smime]]</​wrap>​ 
 +</​WRAP>​ 
 +</​WRAP>​
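Review bot: in the Command Manuals tab the OCSP button is labelled `oscp` although the URL is ocsp.html, and the `dgst` button links to sha256.html rather than the dgst page; "Tabs 2 3" in the Synopsis is missing its dash. The removed Easy-RSA vars block (KEY_SIZE=4096, CA_EXPIRE=1826, KEY_EXPIRE=365) needs no replacement, since the new OpenSSL commands pass `rsa:4096` and `-days` explicitly.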
  
-=== Create SSL Certificates === 
-  * <code cpp> 
-#--- Deletes everything in the "​key"​ directory and starts fresh ---# 
-clean-all 
  
-#--- Create'​s the Certificate Authority (CA) ---# +<tabbox keyUsage>​ 
-build-ca+<​color ​#508CAA>​**keyUsage**</​color>​
  
-#--- Creates Server ​certificate ​(DO NOT set password ​for THIS SPECIFIC certificate) ​---# +  ​**digitalSignature** 
-build-key-server my-server+    ​Certificate may be used to apply a digital signature 
 +      - Digital signatures are often used for entity authentication & data origin authentication with integrity\\ \\ 
 +  - **nonRepudiation** 
 +    ​Certificate may be used to sign data as above but the certificate ​public key may be used to provide non-repudiation services 
 +      - This prevents the signing entity from falsely denying some action\\ \\ 
 +  - **keyEncipherment** 
 +    - Certificate may be used to encrypt ​symmetric key which is then transferred to the target 
 +      - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities\\ \\ 
 +  - **dataEncipherment** 
 +    - Certificate may be used to encrypt & decrypt actual application data\\ \\ 
 +  - **keyAgreement** 
 +    - Certificate enables use of a key agreement protocol to establish a symmetric key with a target 
 +    - Symmetric key may then be used to encrypt & decrypt data sent between the entities\\ \\ 
 +  - **keyCertSign** 
 +    - <wrap danger>​CA ONLY</​wrap>​ 
 +      - Subject public key is used to verify signatures on certificates 
 +      - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\ 
 +  ​**cRLSign** 
 +    ​<wrap danger>​CA ONLY</​wrap>​ 
 +      ​Subject public key is to verify signatures on revocation information,​ such as a CRL 
 +      - <​color ​#AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\ 
 +  **encipherOnly** 
 +    - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
 +    - Public ​key used only for enciphering data while performing key agreement\\ \\ 
 +  ​**decipherOnly** 
 +    ​KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
 +    - Public key used only for deciphering data while performing key agreement
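Review bot: the keyUsage list drops the `-` list marker before **digitalSignature**, **nonRepudiation**'s first sub-bullet, **cRLSign**'s sub-bullets, **encipherOnly** and **decipherOnly**, so DokuWiki renders those entries as plain paragraphs and the numbering restarts; restore `  - ` on each. Documentation point for nonRepudiation: RFC 5280 4.2.1.3 notes that recent editions of X.509 renamed this bit contentCommitment, worth a mention since readers will meet both names.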
  
-#--- Converts Server certificate to a PKCS12 certificate (DO NOT set a password for THIS SPECIFIC certificate) ---# 
-openssl pkcs12 -export -in keys/​my-server.crt -inkey keys/​my-server.key -certfile keys/ca.crt -name My-Server -out keys/​my-server.p12 ; chmod 0600 keys/​my-server.p12 
  
-#--- Creates Client certificates ---# +<tabbox extendedKeyUsage>​ 
-build-key-pkcs12 my-client+<wrap right button> [[http://​www.oid-info.com/​|OID repository]]</​wrap>​ 
 +<​color ​#508CAA>​**extendedKeyUsage**</​color>​
  
-#--- Creates ​the Diffie Hellman (will take long time) ----# +  - **serverAuth** 
-build-dh+    - All VPN servers should be signed with this EKU present 
 +      - SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against 
 +      - This supersedes ''<​color ​#009B9B>​nscertype</​color>''​ options (''<​color #​009B9B>​ns</​color>''​ in ''<​color #​009B9B>​nscertype</​color>''​ stands for NetScape [browser])\\ \\ 
 +  ​**clientAuth** 
 +    ​All VPN clients //must// be signed with this EKU present 
 +      ​SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only\\ \\ 
 +  - **codeSigning** 
 +    - Code Signing\\ \\ 
 +  - **emailProtection** 
 +    - Email Protection via S/MIME, allows you to send and receive encrypted emails\\ \\ 
 +  - **timeStamping** 
 +    - Trusted Timestamping\\ \\ 
 +  - **OCSPSigning** 
 +    - OCSP Signing\\ \\ 
 +  - **ipsecIKE** 
 +    - IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8] 
 +      - Research needs to be performed to determine if this EKU should also no longer be utilized 
 +      - ''<​color #​009B9B>​clientAuth</​color>''​ can be utilized in IPSec VPN client cert\\ \\ 
 +  ​**ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser** 
 +    ​<wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​ 
 +      ​Assigned in 1999, the semantics of these values were never clearly defined 
 +      ​**RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <​sup><​color ​#646464>​[5.1.3.12]</​color></​sup>​\\ \\ 
 +  - **msCodeInd** 
 +    - Microsoft Individual Code Signing (authenticode)\\ \\ 
 +  - **msCodeCom** 
 +    - Microsoft Commerical Code Signing (authenticode)\\ \\ 
 +  - **mcCTLSign** 
 +    - Microsoft Trust List Signing\\ \\ 
 +  - **msEFS** 
 +    Microsoft Encrypted File System Signing\\ \\
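Review bot: the ipsecIKE entry hedges that it is "in the same boat" as the three deprecated values and that research is needed, but id-kp-ipsecIKE is the EKU that RFC 4945 itself defines (in the same section the next entry already cites) as the replacement for ipsecEndSystem, ipsecTunnel and ipsecUser, so it should be listed as the current value rather than as suspect. Typos: `mcCTLSign` should read `msCTLSign` to match msCodeInd/msCodeCom/msEFS, "Commerical", and the msEFS sub-bullet is missing its `-` marker.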
  
-#--- Creates the Server'​s TLS Authorization key ---# 
-openvpn --genkey --secret keys/ta.key 
-</​code>​ 
-    *  The above creates a server certificate named <color #​789600>//​my-server//</​color>​ (//.crt//, //.csr//, //.key//, and //.p12//) and a client certificate named <color #​789600>//​my-client//</​color>​ (//.crt//, //.csr//, //.key//, and //.p12//). 
-        * //​**.crt:​**//​ <color #​0080FF>​**signed certificate**</​color>​ 
-        * //​**.csr:​**//​ <color #​0080FF>​**encrypted private key and certificate request**</​color>​ 
-        * //​**.key:​**//​ <color #​0080FF>//​**private key -**//</​color>​ <color #FF0000> **needs to be kept secure at all times**</​color>​ 
-        * //​**.p12:​**//​ <color #​0080FF>​**//​PKCS12 certificate -//​**</​color>​ <color #​FF0000>​**needs to be kept secure at all times**</​color>​ 
-          * Contains the //ca.crt//, //​client.crt//​ or //​server.crt//,​ and //​client.key//​ or //​server.key//​ 
-          * The server certificate cannot be generated as a p12, so the <color #​789600>//​openssl//</​color>​ command is used to create the p12 certificate 
  
-    * It is **highly recommended** to keep your //​Certificate Authority (CA)// in a secure location +<tabbox Key Exchange>​ 
-      ​* ​<​color ​red>**Failure to do so allows anyone who gains access to your Certificate Authority the ability to create client certificates**</​color>​+<​color ​#508CAA>**Key Exchange**</​color>​
  
-    ​It is recommended to add password to //each// client certificate +  - **RSA** 
-      ​*<​color ​red>**Failure to do so enables anyone gaining access to your client certificate(s) unfettered access to your VPN**</​color>​ +    - Key exchange occurs via encryption of random value 
-   +      ​- Client chooses a random value via the server public key 
-    * You will need to run <color #647800>//build-key-pkcs12//</​color> ​for however many clients you're creating certificates for. +      - Server public key must be an RSA key 
-   +      - Server certificate must utilize KU ''​<​color ​#009B9B>keyAgreement</​color>​''​\\ \\ 
-    ​* If using Windows, add your certificate authority (via import) to the //Trusted Root Certificate Authorities/​/ in //​Credential Manager// (//WinKey+R certmgr.msc//​)+  ​- **DH_RSA** 
 +    ​- Key exchange occurs via a static Diffie-Hellman key 
 +      - Server public key must be a Diffie-Hellman key 
 +      - Diffie-Hellman key must have been issued by a CA 
 +      - CA must be using an RSA key signing key\\ \\ 
 +  - **DH_DSA** 
 +    - Like ''​<color #009B9B>DH_RSA</color>'',​ except CA used a DSA key in lieu of RSA\\ \\ 
 +  ​**DHE_RSA** 
 +    - Key exchange occurs via an ephemeral Diffie-Hellman 
 +      - Server dynamically generates & signs a DH public ​key, sending it to the client 
 +      ​Server Public Key must be an RSA key 
 +      - Server certificate must utilize KU ''<​color #​009B9B>​digitalSignature</​color>'​'\\ \\ 
 +  ​- **DHE_DSA** 
 +    ​- Like ''<​color #​009B9B>​DHE_RSA<​/color>'',​ except CA used a DSA key in lieu of RSA
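Review bot: under RSA, "Server certificate must utilize KU keyAgreement" contradicts this page's own definitions: the exchange described ("encryption of a random value" with the server public key) is exactly keyEncipherment as defined in the keyUsage tab, while keyAgreement covers the Diffie-Hellman entries; change it to `keyEncipherment`, and "Client chooses a random value via the server public key" should read "Client encrypts a random value with the server public key". "CA must be using an RSA key signing key" reads as "RSA signing key". Separately, this region deletes the old advice to keep the Certificate Authority in a secure location and to passphrase every client certificate; the passphrase rule survives in the Extensions tab, but the CA safekeeping warning has no replacement, and since the new commands leave `ca/OpenWrt-CA.key.pem` on the router it should be carried over.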
  
-    * [[https://​www.gnupg.org/​|GnuPG]] is a great tool to manage CAs and client certificates,​ as well as non-VPN personal and signing certificates 
  
-=== Create Backup of Certificates === +<tabbox EC Key Exchange>​ 
-  Once **all** certificates have been created and the Diffie-Hellman certificate (//​dh2048.pem//​) is generated:​ +<color #508CAA>**Elliptic-Curve Key Exchange**</color>
-  * <code bash>cp -R keys /​etc/​openvpn</code+
  
-  * To ensure ​the //OpenVPN// and //Easy-RSA// directories ​are included in //sysupgrade// backups +  ​**ECDH_ECDSA** 
-  * <code bash>vi /etc/sysupgrade.conf</​code>​ +    - Like ''<​color #​009B9B>​DH_DSA</​color>'',​ but with elliptic curves 
-    * <color #789600>**//Add: //​**</​color>​ +      - Server public key must be an ECDH key 
-      * <color #6E6E6E>///etc/easy-rsa//</​color>​ +      - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\ 
-      * <color #6E6E6E>///​etc/​openvpn//</​color>​ +  - **ECDH_RSA** 
-    * <​code ​cpp+    - Like ''<​color #​009B9B>​ECDH_ECDSA</​color>'',​ except CA used an RSA key\\ \\ 
-#::: It Should Resemble ​the Following:::#+  - **ECDHE_ECDSA** 
 +    - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key 
 +      - Equivalent to ''<​color #​009B9B>​DHE_DSS</​color>'',​ but with elliptic curves for both the Diffie-Hellman & signature\\ \\ 
 +  - **ECDHE_RSA** 
 +    - Like ''<​color #​009B9B>​ECDHE_ECDSA<​/color>'',​ except Server public key is an RSA key 
 +      - Server public key signs the ephemeral EC Diffie-Hellman key 
 +</tabbox>​ 
 +</WRAP> 
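Review bot: ECDHE_ECDSA is described as "Equivalent to DHE_DSS" while the previous tab names that suite DHE_DSA; use one spelling. "signing it via it's ECDSA key" should be "its". This region also removes the old sysupgrade.conf tip (adding /etc/easy-rsa and /etc/openvpn); with the new layout the CA, ICA and client keys live under /etc/ssl, which the remaining text never adds to sysupgrade.conf, so either restore that tip with /etc/ssl or state that the directory must be backed up before a sysupgrade.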
 + 
 +<WRAP indent>​ 
 + 
 + 
 +=== CA Creation === 
 + 
 +<WRAP indent 75em lo> 
 +<tabbox Prerequisites>​ 
 +<wrap right>''<​color #C86400>/etc/ssl/openssl.cnf</​color>''</​wrap>​ 
 +<color #​508CAA>​**CA OpenSSL Prerequisites**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**Modify the following SubjectAltNames & V3 Profiles** 
 + 
 +  ​**Certificate Authorities** <​sup>​[Line 177]</sup> 
 +    - //Main// 
 +      - **Line 183:** ''<​color #​647D00>​DNS.1 = //​Router.1//</​color>''​ 
 +        * //Change// ''<​color #​007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\ 
 +  - **Certificate Authority Clients** <​sup><​color #​646464>​[Line 205]</​color></​sup>​ 
 +    - //​Servers//​ 
 +      * **Lines:** 198 - 220 
 +    - //​Clients//​ 
 +      * **Lines:** 222 - 226\\ \\ 
 +</​WRAP>​ 
 + 
 + 
 +<tabbox Commands>​ 
 +<wrap right>​Commands ​are executed from within ''<​color #C86400>/etc/ssl/</color>''</​wrap>​ 
 +<color #​508CAA>​**CA OpenSSL Commands**</​color>​ 
 + 
 +  ​- <color #​4B4B4B4>​**Generate CA**</​color>​\\ ​<code bash>openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions v3_ca</​code>​ 
 +    * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\ 
 +  - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​ 
 +  - <color #​4B4B4B4>​**Convert CA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenWrt-CA.crl.pem -outform DER -out crl/​OpenWrt-CA.crl</​code>​ 
 + 
 +</​tabbox>​ 
 +</​WRAP>​ 
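Review bot: the "Generate CA" step leaves the root CA private key at `ca/OpenWrt-CA.key.pem` on the router and the later ICA step signs from there; the deleted revision's advice to keep the CA in a secure location belongs in this tab (generate the root offline, or move its key off the device once the ICA is signed, keeping only the ICA key on the router), since anyone who can read that file can issue client certificates the VPN server will trust. Also the colour value `#4B4B4B4` on the step headings (here and in the ICA and Server Cert tabs) has seven hex digits and will not render, and the `[Line 177]` superscript omits the `#646464` colour wrap the sibling tabs use.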
 + 
 + 
 +=== ICA Creation === 
 + 
 +<WRAP indent 75em lo> 
 +<tabbox Prerequisites>​ 
 +<wrap right>''<​color #C86400>/etc/ssl/openssl.cnf</​color>''</​wrap>​ 
 +<color #​508CAA>​**ICA OpenSSL Prerequisites**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**Modify the following SubjectAltNames & V3 Profiles** 
 + 
 +  - **Certificate Authorities** <​sup><​color #​646464>​[Line 177]</​color></​sup>​ 
 +    - //Router 2// 
 +      - **Line 188:** ''<​color #​647D00>​DNS.1 = //​Router.2//</​color>''​ 
 +        * //Change// ''<​color #​007DC8>​Router.2</​color>''​ //to what you'd like the name of your Intermediate CA to be//\\ \\ 
 +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​[Line 229]</​color></​sup>​ 
 +    -//​Servers//​ 
 +      * **Lines:** 235 - 251 
 +    - //​Clients//​ 
 +      * **Lines:** 253 - 261:\\ \\ 
 +</​WRAP>​ 
 + 
 + 
 +<tabbox Commands>​ 
 +<wrap right>​Commands are executed from within ''<​color #​C86400>/​etc/​ssl/</​color>''</​wrap>​ 
 +<color #​508CAA>​**ICA OpenSSL Commands**</​color>​ 
 + 
 +  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions v3_ica_router2</​code>​ 
 +    * <color #AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\ 
 +  - <color #4B4B4B4>**Create & Sign ICA with CA**</color>\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions v3_ica_router2</​code>​ 
 +  - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​ 
 +  - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​ 
 +  - <color #​4B4B4B4>​**Concatenate ICA -> CA Chain**</​color>​\\ <code bash>cat ca/​OpenVPN-ICA.crt.pem ca/​OpenWrt-CA.crt.pem > ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​ 
 +</​tabbox>​ 
 +</​WRAP>​ 
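Review bot: `-days 3650` in the "Generate Intermediate CA CSR" step has no effect, since `openssl req` only honours `-days` together with `-x509`; the lifetime is set by the `-days 3650` on the `openssl x509 -req` signing step, so drop it from the req command to avoid implying the CSR carries a validity. With `-CAserial ./serial`, the value in the file is used as-is and then incremented, so the `echo 00 > serial` prerequisite gives this ICA, the first certificate signed, serial number 0; RFC 5280 4.1.2.2 requires a positive serial and some validators reject 0, so initialise the file with `01`. Formatting: `-//Servers//` is missing the space after the list marker, and "Lines: 253 - 261:" has a stray trailing colon.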
 + 
 + 
 +=== Index File === 
 + 
 +<WRAP indent 75em lo> 
 + 
 +<tabbox Info> 
 +<wrap right>''<​color #​C86400>/​etc/​ssl/​index</​color>''</​wrap>​ 
 +<color #​508CAA>​**Index Info**</​color>​ 
 + 
 +  * **If wishing to maintain the index file automatically,​** ''<​color #​647D00>​openssl ca</​color>''​ **must be used to sign certs** 
 +    * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\ 
 + 
 + 
 +<tabbox Index> 
 +<wrap right>''<​color #​C86400>/​etc/​ssl/​index</​color>''</​wrap>​ 
 +<color #​508CAA>​**Index File**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format** 
 +  * Entering certificate information into the index file takes ~30s per cert 
 +  * Copy & paste DN from the output of'' ​//<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​ 
 +<code cpp> 
 +V    261231235959Z ​           0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com 
 +1    2-----------> ​   3-> ​    ​4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​ 
 +</​WRAP>​ 
 +  - **Status of Certificate** 
 +    - **''​V''​** [Valid] 
 +    - **''​R''​** [Revoked] 
 +    - **''​E''​** [Expired]\\ \\ 
 +  - **Expiration Date** 
 +    - Format: **''​YYMMDDHHMMSS''​** followed by **''​Z''​** 
 +      * //​2026.12.31 @ 23:​59:​59//​\\ \\ 
 +  - **Revocation Date** 
 +    - Format: **''​YYMMDDHHMMSSZ,​reason''​** 
 +      - Valid reasons are: 
 +        - ''<​color #​009B9B>​keyCompromise</​color>​''​ 
 +        - ''<​color #​009B9B>​CACompromise</​color>''​ 
 +        - ''<​color #​009B9B>​affiliationChanged</​color>''​ 
 +        - ''<​color #​009B9B>​superseded</​color>''​ 
 +        - ''<​color #​009B9B>​cessationOfOperation</​color>''​ 
 +        - ''<​color #​009B9B>​certificateHold</​color>''​ 
 +        - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​ 
 +        - ''<​color #​009B9B>​AACompromise</​color>''​ 
 +    - Empty if not revoked 
 +      * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\ 
 +  - **Serial number** <sup><color #646464>(//hex// format)</​color></​sup>​ 
 +    - **''​0a''​** is hex for 10 
 +      - **Windows:​** 
 +        * Calculator has programmer feature which can convert dec <-> hex 
 +      - **Linux/​BSD** 
 +        * cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​ 
 +        * cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​ \\ \\ 
 +  - **Certificate Filename or Literal String** 
 +    - Certificate Filename or Literal String **''​unknown''​**\\ \\ 
 +  - **Distinguished Name** 
 +</​tabbox>​ 
 +</​WRAP>​ 
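Review bot: the Info tab says `openssl ca` is not used in this wiki, but both CRL steps above run `openssl ca -gencrl`, which reads the `database` (index) and `crlnumber` paths from openssl.cnf; say so here, because it is the reason the index must be kept accurate by hand: only a line marked `R` in the index ends up in the CRL. On the format: OpenSSL's index file is tab-separated, so the "whitespace for 3" is an empty tab-delimited field for unrevoked certs, not optional spacing; `emailaddress=` in the sample DN should be `emailAddress=` to match what `openssl x509 -text` prints; and `printf '%x\n' 10` returns `a`, not `0a` (use `%02x` for the two-digit form the file needs).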
 + 
 +=== Server Cert === 
 + 
 +<WRAP indent 75em lo> 
 +<tabbox Prerequisites>​ 
 +<wrap right>''<​color #C86400>/etc/ssl/​openssl.cnf</​color>''</​wrap>​ 
 +<color #​508CAA>​**Server Cert OpenSSL Prerequisites**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**Modify the following SubjectAltNames & V3 Profiles** 
 +<WRAP indent>​ 
 +**__SubjectAltNames Profile__** 
 + 
 +  ​**Intermediate Certificate Authority Clients** <​sup>​(Line 229)</sup> 
 +    - //Change the server'​s SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>​''​ //to match your VPN Server IP// 
 +      ​- **Line 250:*''​<color #647D00>IP.1 = //10.0.1.1//</​color>''​\\ \\ 
 +    - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>''​ //to match your own DDNS and/or FQDN// 
 +      - **Line 251:** ''<​color #​647D00>​DNS.1 = //​your.ddns.com//</​color>''​ 
 +        * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, ​etc.) 
 +</WRAP> 
 +</​WRAP>​ 
 + 
 + 
 +<tabbox Commands>​ 
 +<wrap right>​Commands are executed from within ''<​color #​C86400>/​etc/​ssl/</​color>''</​wrap>​ 
 +<color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ 
 + 
 +  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout ​openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes</​code>​ 
 +    * **''​-nodes''​** creates a signing key without encryption 
 +      * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\ 
 +  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions v3_vpn_server</​code>​ 
 +  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​ 
 +    * <color #​AF0000>​**//​Do not encrypt this PKCS12//**</​color>​\\ \\ 
 +    * ICA is still used to sign the certs it issues 
 +      * ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust 
 +        * //Chain of Trust hierarchy: CA -> Intermediate CA -> Client// 
 +</​tabbox>​ 
 +</​WRAP>​ 
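Review bot: the "Create & Sign Cert with CA" step writes to `certs/vpn-server.crt.pem`, but no `certs/` directory is created in the prerequisites (`mkdir -p ca/csr crl openvpn/clients`) and the Files & Folders tab places server certs under `/etc/ssl/openvpn/`, so the command fails as written; write to `openvpn/vpn-server.crt.pem` and use that path in the PKCS12 step. The PKCS12 step also references `ca/OpenWrt-OpenVPN_CA-Chain.crt.pem`, while the ICA tab created `ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem`. Minor: `**Line 250:*` has an unbalanced bold marker, and `-days 3650` on the `req` step is ignored without `-x509`.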
 + 
 + 
 +=== Client Certs === 
 + 
 +<WRAP indent 75em lo> 
 +<WRAP centeralign><​wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap></​WRAP>​ 
 + 
 +<tabbox Prerequisites>​ 
 +<wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ 
 +<color #​508CAA>​**Client Cert OpenSSL Prerequisites**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**Modify the following SubjectAltNames & V3 Profiles** 
 + 
 +<WRAP indent>​ 
 +**__SubjectAltNames Profile__** 
 + 
 +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line 229)</​color></​sup>​ 
 +    - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ //to match client username//​ 
 +      - **Line 255:** ''<​color #​647D00>​DNS.1 = //​VPN-<​username>​-Hostname//</​color>''​ 
 +        * //This makes configuring CCD more convenient//​\\ \\ 
 +    - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>''​ //to user's email// 
 +      - **Line 256** ''<​color #​647D00>​email.1 = //​user1@email.com//</​color>''​ 
 +</​WRAP>​ 
 +</​WRAP>​ 
 + 
 + 
 +<tabbox Commands>​ 
 +<wrap right>​Commands are executed from within ''<​color #​C86400>/​etc/​ssl/</​color>''</​wrap>​ 
 +<color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ 
 + 
 +  - **Generate VPN Client Certs**\\ ​<​code ​bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions v3_vpn2_user1</​code
 +    * <​color ​#AF0000>​Key passphrase should be a 20 character minimum, containing at least//2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\ 
 +  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions v3_vpn2_user1</​code>​ 
 +  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​ 
 +</​tabbox>​ 
 +</​WRAP>​ 
 + 
 + 
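Review bot: Step 2 signs the client CSR with the root CA (''-CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key''), which contradicts the stated hierarchy "CA -> Intermediate CA -> Client" and the ICA chain file bundled in step 3 (''-certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem''); if clients are meant to be issued by the ICA, sign with ''ca/OpenVPN-ICA.crt.pem'' and ''ca/OpenVPN-ICA.key'' as the server-cert step does. The file names also do not line up across the three steps: step 1 writes ''openvpn/clients/vpn-client1-<username>-<hostname>.key.pem'' and step 2 the matching ''.crt.pem'', but step 3 reads ''openvpn/clients/vpn-client1.key.pem'' and ''vpn-client1.crt.pem'', so the export fails unless the files are renamed in between.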
 +=== Diffie-Hellman Key === 
 + 
 +<WRAP indent 75em lo> 
 +<wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​ 
 +</​WRAP>​ 
 + 
 +<WRAP 51.5em lo> 
 + 
 +  - **Generate DH Key** <​sup><​color #​646464>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​color></​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​ 
 +    * **Generating DH keys takes substantial amounts of time**\\ \\     
 +    * **You may wish to generate 3072bit and 4096bit DH keys as well** 
 +      * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\ 
 +    * **OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4** 
 +      * For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key 
 +        * For example, if you generate 2048bit cert keys, your dh.pem must exceed that value 
 +</​WRAP>​ 
 + 
 + 
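Review bot: The last three bullets mix up two unrelated parameters when they say that for EC the Diffie-Hellman value must exceed the certificate key size: the ''dh2048.pem'' file is consumed only by DHE ciphersuites, its size is independent of the RSA key size, and ECDHE ciphersuites do not read it at all (OpenVPN 2.4 accepts ''dh none'' when only ECDHE suites are offered). Suggest rewording to say that DH parameters should be at least 2048 bits for DHE suites and that with ECDH the file is not needed.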
 +=== TLS-Auth Key === 
 + 
 +<WRAP 51.5em lo> 
 + 
 +  - **Generate TLS-Auth key** <​sup>​(<​color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/​tls-auth.key</​code>​ 
 +    * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\ 
 +    * ''​tls-auth''​ requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients 
 +      * This requires incoming packets to have a valid signature generated using the PSK key 
 +        * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\ 
 +</​WRAP>​ 
 + 
 +</​WRAP>​ 
 + 
 + 
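Review bot: The first bullet misattributes Perfect Forward Secrecy to ''tls-auth''; as the next two bullets correctly describe, the directive adds a pre-shared-key HMAC to every control-channel packet so that packets without a valid HMAC are discarded before any TLS processing (protection against DoS, port scanning and exposure of the TLS stack). Forward secrecy is a property of the (EC)DHE key exchange selected through ''tls_cipher'', not of this static key, so "This ensures Perfect Forward Secrecy is maintained" should be replaced with a sentence about control-channel authentication.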
 +==== Import & Backup ==== 
 + 
 +<WRAP 76.5em lo> 
 +<WRAP centeralign><​wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap></​WRAP>​ 
 + 
 +<tabbox Backup>​ 
 +<wrap right>''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''</​wrap>​ 
 +<color #​508CAA>​**Backup**</​color>​ 
 +<WRAP indent>​ 
 + 
 +**Create a backup:** 
 +  - **Apply correct permissions:**\\ <code bash> 
 +chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​ 
 +  - **Utilize GnuPG to encrypt a copy of** ''<​color ​#C86400>/​etc/​ssl/</​color>''​ 
 +    - **Create separate encryption tars for:** 
 +      * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​ 
 +      * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​ 
 +      * ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​\\ \\ 
 +    - **After creating encrypted backups:​** 
 +      - Copy p12s to their respective clients 
 +      - Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x\\ \\ 
 +  - **Add directories & files to** ''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​ 
 +    - //''<​color #​647D00>​vi /​etc/​sysupgrade.conf</​color>''//​ 
 +      - <color #​789600>​**//​Add://​**</​color>​ 
 +        * ''<​color #​C86400>/​etc/​config/</​color>''​ 
 +        * ''<​color #​C86400>/​etc/​openvpn/</​color>''​ 
 +        * ''<​color #​C86400>/​etc/​ssl/</​color>''​ 
 +        * ''<​color #​C86400>/​etc/​firewall.user</​color>''​ 
 +        * ''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​ 
 +    - <code cpp>
 # LuCI: System - Backup/​Flash Firmware - Configuration # LuCI: System - Backup/​Flash Firmware - Configuration
  
-## This file contains files and directories that should +    ​Directories ​
-## be preserved during an upgrade.+#--------------------------------------------------- 
 +/​etc/​config/​ 
 +/​etc/​openvpn/​ 
 +/etc/ssl/
  
-/​etc/​example.conf +    # Files 
-/​etc/​openvpn +#​--------------------------------------------------
-/etc/easy-rsa +/etc/firewall.user 
-/etc/config +/etc/sysupgrade.conf
-/etc/samba+
 </​code>​ </​code>​
 +</​WRAP>​
 +
 +
 +<tabbox Linux/​BSD>​
 +<color #​508CAA>​**Linux & BSD**</​color>​
 +<WRAP indent>
 +
 +**If utilizing Linux/​BSD:​**
 +  * Due to the sheer number of distros, and differing means of handling certificate authorities,​ please google:
 +    - //<your distro name>// install certificate authority
 +    - //<your distro name>// install intermediate certificate authority
 +</​WRAP>​
 +
 +
 +<tabbox Windows>
 +<color #​508CAA>​**Windows**</​color>​
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​PEM%20Association.reg|PEM Association.reg]]</​wrap>​
 +<WRAP indent>
 +
 +**If utilizing Windows:**
 +    - **Download** <color #​C86400>​PEM Association.reg</​color>​**,​ then import into registry** <​sup><​color #​646464>​(//​Right Click// -> //​Merge//​)</​color></​sup>​
 +      * //This causes Windows to associate the .pem extension as a valid certificate extension//​\\ \\
 +    - **Add your CA cert to the //Trusted Root Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​
 +      - //Right click on// <color #​C86400>​OpenWrt-CA.crt.pem</​color>:​
 +        - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\
 +    - **Add your ICA cert to the //​Intermediate Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​
 +      - //Right click on// <color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​
 +        - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​
 +</​WRAP>​
 +
 +</​tabbox>​
 +</​WRAP>​
 +
 +</​WRAP>​
 +
 +
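Review bot: The "overwriting freespace at least 5x" advice in the backup steps gives little assurance on router flash, where wear-levelling means the overwrites need not land on the blocks that held the key material; the effective controls are the GnuPG-encrypted archives, the ''chmod 600'' step and keeping the CA and ICA private keys off the device once the certificates are issued, which is what the step should say. Adding ''/etc/ssl/'' to ''/etc/sysupgrade.conf'' also means any server key still present there travels in every sysupgrade backup tarball, so those backups need the same handling as the encrypted copies.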
 ===== Network ===== ===== Network =====
  
-=== Create VPN interface ===+<WRAP indent>
  
-  * <code bash> +<WRAP 76.5em lo
-uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code+<wrap right button>[[doc:uci:network|Network Wiki]]</wrap
-    * You can replace ​<color #647800>//​network.//</​color><​color #​FF8000>​**vpn0**</​color>​ with <color #​647800>//​network.//</​color><​color #​FF8000>​**[whatever you'd like]**</​color>​ +</WRAP>
-      * If you choose to do so, <color #​647800>//​network=//</​color><​color #​FF8000>​**vpn0**</​color>​ will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#​allow_openvpn_tunnel_utilization|Allow OpenVPN Tunnel Utilization]] +
-    * You can replace ​<color #647800>//​ifname=//</​color><​color #​FF8000>​**tun0**</​color>​ with <color #​647800>//​ifname=//</​color><​color #​FF8000>​**[whatever you'd like]**</​color+
-      * If you choose to do so, <color #647800>//option dev//</​color'<​color #​FF8000>​**tun0**</​color>'​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​create_vpn_server_config|Create VPN Server Config]]+
  
-=== Allow VPN Tunnel Utilization === 
  
-  * <code bash> +==== Interface Creation ====
-uci add firewall zone ; uci set firewall.@zone[-1].name=vpn ; uci set firewall.@zone[-1].input=ACCEPT ; uci set firewall.@zone[-1].forward=ACCEPT ; uci set firewall.@zone[-1].output=ACCEPT ; uci set firewall.@zone[-1].network=vpn0+
  
-uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='​vpn'​ ; uci set firewall.@forwarding[-1].dest='​lan'​ ; uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='​lan'​ ; uci set firewall.@forwarding[-1].dest='​vpn'​ +<WRAP 60em lo>
-</code> +
-    * You can replace <color #​647800>//​name=//</​color><​color #​FF8000>​**vpn**</​color>​ with <color #​647800>//​name=//</​color><​color #​FF8000>​**[whatever you'd like]**</​color>​ +
-      * If you choose to do so, <color #​647800>//​src=//</​color><​color #​FF8000>​**'​vpn'​**</​color>​ will need to be updated accordingly +
-=== Create Firewall Rules ===+
  
-  * VPN traffic rules should go as close to the top of the //firewall// config as possiblewhile interzone forwarding rules are input at the bottom ​//(iptables is a hierarchical firewall)// +  ​**Create ​VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none<​/code> 
-    ​* After the rules have been committedverify in <color #00A3FF>**LuCI**</colorthe rules are in the order shown below.+    - You can replace ''<​color #647800>//network.//</​color><​color #​007DC8>​vpn0</​color>''​ with ''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​ 
 +      - If you choose to do so''<​color #​007DC8>​vpn<​/color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https:​//wiki.openwrt.org/doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]\\ \\ 
 +    ​- You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​ 
 +      - If you choose to do so''​<color #647800>//option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]\\ \\ 
 +  - **Commit changes**\\  ​<code cpp>uci commit network ; /etc/init.d/network reload</​code>​
  
-  * <code bash> +</WRAP>
-vi /​etc/​config/​firewall +
-</code> +
-  * Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes+
  
-  * VPNs should always use the UDP protocol, only utilizing TCP for troubleshooting ​ <​sup>//​(except in rare instances when packet loss is high)//</​sup>​ 
-    * Allowing both prevents from having to edit the firewall every time troubleshooting is needed 
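Review bot: The Firewall Rules cross-reference in the first sub-step embeds a full URL inside the anchor (''#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules''), so the link will not resolve; it should read ''[[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]'' like the VPN Server Config link on the following line. The commit command is also fenced as ''<code cpp>'' while the ''uci set'' line above it uses ''<code bash>''; both are shell.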
  
-  ​* <color red>**It is recommended to use non-standard port for the VPN //(i.e. not 1194; VPN port should be >1025 but <10000)//​**</​color>​ +==== Configure DDNS ==== 
-    * If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server ​Config]] and [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_clients|VPN Client ​Config]] accordingly + 
-     +<WRAP 76.5em lo> 
-    * <code cpp>+<wrap right button>​[[doc:​howto:​ddns.client|DDNS Wiki]]</​wrap>​ 
 + 
 +<wrap indent>​**//​Applies to connections from WAN//**</wrap> 
 +  - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs** 
 +    - DDNS: 
 +      * **D**ynamic **D**omain **N**ame **S**ervice providers provide the user with dynamically updated DNS name for their public IP 
 +      * Purchasing occurs as a service subscription fee from DDNS providers 
 +    ​FQDN 
 +      * **F**ully **Q**ualified **D**omain **N**ame is a URL <​sup><​color #​646464>​(google.com is a FQDN)</​color></​sup>​ 
 +      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <​sup><​color #​646464>​(//Internet Assigned Numbers Authority//​)</​color></​sup>​\\ \\ 
 +  - **Most users will likely configure DDNS** 
 +    * See the [[doc:​howto:​ddns.client|DDNS Clients]] wiki 
 + 
 +</​WRAP>​ 
 + 
 +</​WRAP>​ 
 + 
 + 
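Review bot: The FQDN bullets are imprecise: a Fully Qualified Domain Name is a complete host name such as ''google.com'', not a URL (a URL wraps a scheme and path around the name), and domain registration runs through registrars under ICANN policy rather than being regulated by IANA, which manages the root zone and number allocations. Suggest "is a complete host name" and "registered for a set period through a registrar".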
 +===== Firewall ===== 
 + 
 +<WRAP indent>​ 
 + 
 +<WRAP 76.5em lo> 
 +<wrap right button>​[[doc:​uci:​firewall|Firewall Wiki]]</​wrap>​ 
 +</​WRAP>​ 
 + 
 + 
 +==== Create Rules ==== 
 + 
 +<WRAP 76.5em lo> 
 +<WRAP centeralign><​wrap danger>A non-standard port (**//not//** //1194//) should be utilized for the VPN</​wrap></WRAP> 
 + 
 +<tabbox Information>​ 
 +<wrap right>''<​color #C86400>/etc/​config/​firewall</​color>''</​wrap>​ 
 +<color #​508CAA>​**Firewall Info**</​color>​ 
 + 
 +  - **Traffic rules should be placed in the following order** 
 +    ​- Firewall.User Script 
 +    - Redirect Rules 
 +    - Router Network Default 
 +    - VPN Network Default 
 +    - VPN InterZone Forwarding 
 +    - VPN Traffic Rules\\ \\ 
 +  - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes** 
 +    - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\ 
 +  - **SSL VPNs should always use UDP** 
 +    - //Except under the following two scenarios//​ 
 +      - When troubleshooting\\ **OR** 
 +      - When packet loss is high\\ \\ 
 +  - **A port >1025 but <10000 should be utilized for the VPN** 
 +    - If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] ​[[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] ​configs ​accordingly 
 +      - If needing to bypass a strict firewall in front of the router, utilize port 443 <​sup>​[HTTPS]</​sup>​ 
 + 
 + 
 +<tabbox Rules> 
 +<wrap right>''<​color #​C86400>/​etc/​config/​firewall</​color>''</​wrap>​ 
 +<color #508CAA>**Firewall Rules**</​color>​ 
 + 
 +<WRAP indent>​ 
 +**The following rules are required:​** 
 +  - //''<​color #​647D00>​vi /​etc/​config/​firewall</​color>''//​\\ \\ <code cpp>
 #::: Traffic Rules :::# #::: Traffic Rules :::#
 # LuCI: Network - Firewall - Traffic Rules # LuCI: Network - Firewall - Traffic Rules
  
-#--- Allow initial VPN connection ---# 
-# LuCI: From any host in any zone To any router IP at port 1194 on this  
-# device (Accept Input) ​ 
-config rule 
- option target '​ACCEPT'​ 
- option proto 'tcp udp' 
- option family '​ipv4'​ 
- option src '​*'​ 
- option dest_port '​1194'​ 
- option name 'Allow Inbound VPN0' 
  
-#--- Once Assigned a VPN IP, Allow Inbound Traffic to LAN ---# +#::: Defaults :::# 
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP range 192.168.1.0/​24 ​ +# LuCI: Network ​Firewall 
-# on this device (Accept Input)+#------------------------------------------------ 
 + 
 +#::: Firewall.User Rules :::
 +# LuCI: Network - Firewall - Custom Rules 
 +config include 
 +    option ​ path            '/​etc/​firewall.user'​ 
 + 
 +# Default OpenWrt Rule # 
 +config defaults 
 +    option ​ input           '​ACCEPT'​ 
 +    option ​ output ​         '​ACCEPT'​ 
 +    option ​ forward ​        '​DROP'​ 
 +    option ​ syn_flood ​      1 
 +    option ​ drop_invalid ​   ​1 
 + 
 + 
 +# Allow initial VPN connection # 
 +#​------------------------------------------------ 
 +# LuCI: From any host in any zone To any router 
 +IP at port 5000 on this device (Accept Input) ​
 config rule config rule
- option target '​ACCEPT'​ +    ​option ​ target ​         '​ACCEPT'​ 
- option ​proto 'tcp udp+    option ​ ​family ​         ​'ipv4
- option ​family ​'ipv4+    option ​ ​proto ​          'tcp udp
- option src '​*'​ +    option ​ src             ​'​*'​ 
- option ​src_ip '​10.1.1.0/​24'​ +    option ​ ​dest_port ​      5000 
- option dest_ip '​192.168.1.0/​26'​ +    option ​ name            '​Allow ​Forwarded VPN Request -> <​device>​'
- option name '​Allow ​Inbound VPN0 Traffic to LAN'+
  
-#--- Once Assigned ​VPN IP, Allow Forwarded Traffic to LAN ---# +# Once Assigned VPN IP, Allow Inbound -> LAN 
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP range 192.168.1.0/​24  +#​------------------------------------------------ 
-on this device (Accept ​Forward)+# LuCI: From IP range 10.1.0.0/28 in any zone To IP 
 +range 192.168.1.0/​28 on this device (Accept ​Input)
 config rule config rule
- option target '​ACCEPT'​ +    ​option ​ target ​         '​ACCEPT'​ 
- option ​proto 'tcp udp+    option ​ ​family ​         ​'ipv4
- option ​family ​'ipv4+    option ​ ​proto ​          'tcp udp
- option src '​*'​ +    option ​ src             ​'​*'​ 
- option src_ip '10.1.1.0/24' +    option ​ src_ip ​         '10.1.0.0/28
- option dest '*+    option ​ dest_ip ​        ​'​192.168.1.0/​26'​ 
- option dest_ip '​192.168.1.0/​26'​ +    option ​ name            'Allow VPN0 -> LAN'
- option name '​Allow ​Forwarded ​VPN0 Traffic to LAN'+
  
-#--- Allow Outbound ICMP Traffic from VPN ---# +Once Assigned VPN IP, Allow Forwarded -> LAN # 
-# LuCI: ICMP From IP range 10.1.1.0/24 in any zone To any host in lan  +#​------------------------------------------------ 
-# (Accept Forward)+# LuCI: From IP range 10.1.0.0/28 in any zone To IP 
 +range 192.168.1.0/​28 ​ on this device ​(Accept Forward)
 config rule config rule
- option target '​ACCEPT'​ +    ​option ​ target ​         '​ACCEPT'​ 
- option proto 'icmp+    option ​ proto           ​'tcp udp
- option src_ip '10.1.1.0/24+    option ​ ​family ​         '​ipv4'​ 
- option ​src '​*'​ +    option ​ src             '​*'​ 
- option ​dest 'lan+    option  ​src_ip ​         '10.1.0.0/28
- option name '​Allow ​Inbound ICMP Traffic from VPN0 to LAN'+    option ​ ​dest ​           ​'​*'​ 
 +    option ​ ​dest_ip ​        '192.168.1.0/​26
 +    option ​ name            '​Allow ​Forwarded ​VPN0 -> LAN'
  
-#--- Allow Outbound ​Ping Requests ​from VPN ---# +# Allow Outbound ​ICMP Traffic ​from VPN 
-# LuCI: ICMP with type echo-request ​From IP range 10.1.1.0/24 in any +#​------------------------------------------------ 
-# zone To any host in wan (Accept Forward)+# LuCI: ICMP From IP range 10.1.0.0/28 in any  
 +# zone To any host in lan (Accept Forward)
 config rule config rule
- option target '​ACCEPT'​ +    ​option ​ target ​         '​ACCEPT'​ 
- option proto '​icmp'​ +    option ​ proto           ​'​icmp'​ 
- option src '​*'​ +    option ​ src             ​'​*'​ 
- option src_ip '10.1.1.0/24+    option ​ src_ip ​         '10.1.0.0/28
- option dest 'wan+    option ​ dest            'lan
- option name '​Allow ​Outbound ​ICMP Echo Request (8from VPN0'​ +    option ​ name            '​Allow ​VPN0 (ICMP) -> LAN'
- list icmp_type 'echo-request'+
  
- +Allow Outbound Ping Requests from VPN 
-#::: Defaults :::+#------------------------------------------------ 
-LuCI: Network ​Firewall +LuCI: ICMP with type echo-request From IP range 
- +# 10.1.0.0/28 in any zone To any host in wan (Accept Forward) 
-#--- Default OpenWRT Rule ---# +config ​rule 
-config ​defaults +    option ​ ​target ​         ​'ACCEPT
- option ​syn_flood ​'1+    option ​ ​proto ​          'icmp
- option ​input 'ACCEPT+    ​list ​   icmp_type ​      '​echo-request'​ 
- option ​output ​'ACCEPT+    ​option ​ ​src ​            '*
- option ​drop_invalid ​'​1'​ +    option ​ ​src_ip ​         ​'10.1.0.0/28
- option ​forward ​'DROP'+    option ​ ​dest ​           ​'wan' 
 +    option ​ name            'Allow VPN0 (ICMP 8) -> <​device> ​'
  
  
 #::: Zones :::# #::: Zones :::#
 # LuCI: Network - Firewall - Zones # LuCI: Network - Firewall - Zones
 +#​------------------------------------------------
  
-#--- LAN ---#+# LAN #
 config zone config zone
- option name '​lan'​ +    ​option ​ name            '​lan'​ 
- option ​input 'ACCEPT+    option ​ ​network ​        'lan
- option ​output ​'​ACCEPT'​ +    option ​ ​input ​          '​ACCEPT'​ 
- option ​network ​'lan+    option ​ ​output ​         ​'ACCEPT
- option forward '​DROP'​+    option ​ forward ​        ​'​DROP'​
  
-#--- VPN ---#+# VPN #
 config zone config zone
- option name '​vpn'​ +    ​option ​ name            '​vpn'​ 
- option ​input 'ACCEPT+    option ​ ​network ​        'vpn0
- option ​forward ​'​ACCEPT'​ +    option ​ ​input ​          '​ACCEPT'​ 
- option output '​ACCEPT'​ +    option ​ output ​         '​ACCEPT'​ 
- option ​network ​'vpn0'​ +    option ​ ​forward ​        'ACCEPT'
- option family 'ipv4'+
  
-#--- WAN ---#+# WAN #
 config zone config zone
- option name '​wan'​ +    ​option ​ name            '​wan'​ 
- option ​output '​ACCEPT'​ +    option ​ network ​        ​'wan wan6'​ 
- option masq '​1'​ +    option ​ input           ​'​DROP'​ 
- option mtu_fix '​1'​ +    option ​ ​output ​         '​ACCEPT'​ 
- option ​network 'wan wan6'​ +    option  ​forward ​        ​'​DROP'​ 
- option input '​DROP'​ +    ​option ​ masq            1 
- option forward '​DROP'​ +    option ​ ​mtu_fix ​        1
- +
- +
-#::: Firewall.User Rules :::# +
-# LuCI: Network - Firewall - Custom Rules +
- +
-config include +
- option ​path '/​etc/​firewall.user'​+
  
  
 #::: InterZone Forwarding :::# #::: InterZone Forwarding :::#
-# LuCI: Network - Firewall - Zones - VPN - Edit - Inter-Zone Forwarding+# LuCI: Network -Firewall -Zones - 
 +VPN - Edit - Inter-Zone Forwarding 
 +#​------------------------------------------------
  
-#--- LAN to WAN ---#+# LAN to VPN    
 config forwarding config forwarding
- option dest 'wan+    ​option ​ dest            'vpn
- option src '​lan'​+    option ​ src             ​'​lan'​
  
-#--- VPN to LAN ---# +# LAN to WAN #
 config forwarding config forwarding
- option dest 'lan+    ​option ​ dest            'wan
- option src 'vpn'+    option ​ src             ​'lan'
  
-#--- LAN to VPN ---# +# VPN to LAN    
 config forwarding config forwarding
- option dest 'vpn+    ​option ​ dest            'lan
- option src 'lan'+    option ​ src             ​'vpn'
  
-</​code>​+</code>\\  
 +  - **Commit changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ 
 +</WRAP>
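Review bot: Several LuCI description comments in the new config were wrapped onto a second line that has no leading ''#'', for example ''IP at port 5000 on this device (Accept Input)'' and ''VPN - Edit - Inter-Zone Forwarding''; UCI will reject ''/etc/config/firewall'' at those lines, so every continuation line needs its own ''#''. The same comments describe ''192.168.1.0/28'' while the rules use ''option dest_ip '192.168.1.0/26''', and the first rule carries no ''dest'' (making it an INPUT rule toward the router) although it is named 'Allow Forwarded VPN Request -> <device>'; align the comments and names with what the rules actually do so the LuCI view matches the intent.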
  
  
-=== Commit ​Changes ===+<tabbox Logging>​ 
 +<color #​508CAA>​**firewall.user Script**</​color>​ 
 +<wrap right button>​[[doc:​howto:​log.messages#​netfilter|Netfilter Log]]</​wrap>​\\ \\ 
 +<wrap right>''<​color #​C86400>/​etc/​firewall.user</​color>''</​wrap>​ 
 + 
 + 
 +<WRAP indent>​ 
 +**The following rules are required:​** 
 +  - //''<​color #​647D00>​vi /​etc/​firewall.user</​color>''//​\\ \\ <code cpp> 
 +#::: Traffic Rules :::# 
 +# LuCI: Network - Firewall - Custom Rules 
 + 
 +  # These rules make the assumption the default port of 1194 is not used for the VPN 
 +    # Port 5000 is being used arbitrarily for the VPN port 
 +     
 + 
 +    # Establish Custom Zones # 
 +#​--------------------------------------------------- 
 +iptables ​   -N  LOG-VPN 
 +iptables ​   -N  Rate_Limit 
 + 
 +    # Establish Rate Limit # 
 +#​--------------------------------------------------- 
 +iptables ​   -A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
 +iptables ​   -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
 +iptables ​   -A  Rate_Limit ​ -p  tcp                                                     ​-j ​ REJECT ​     --reject-with ​  ​tcp-reset 
 +iptables ​   -A  Rate_Limit ​ -p  udp                                                     ​-j ​ REJECT ​     --reject-with ​  ​icmp-port-unreachable 
 +iptables ​   -A  Rate_Limit ​ !   ​-p ​     ICMP                                            -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " 
 +iptables ​   -A  Rate_Limit ​                                                             -j  DROP 
 + 
 +    # Apply Rate Limit # 
 +#​--------------------------------------------------- 
 +iptables ​   -I  INPUT       ​-p ​ tcp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW     ​-j ​ Rate_Limit 
 +iptables ​   -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW     ​-j ​ Rate_Limit 
 + 
 +    # Log VPN Traffic # 
 +#​--------------------------------------------------- 
 +iptables ​   -A  LOG-VPN ​                                                                ​-j ​ LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 
 +iptables ​   -A  LOG-VPN ​                                                                ​-j ​ ACCEPT 
 + 
 +</​code>​\\ 
 +  - **Commit ​changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ 
 +  - **Please also see:** 
 +    * [[doc:​howto:​log.essentials|Log Essentials]] 
 +    * [[doc:​howto:​log.overview|Logging Servers]] 
 +    * [[doc:​howto:​netfilter#​log|Netfilter Logging]] 
 +    * [[doc:​uci:​system|System Log]] 
 +</​WRAP>​ 
 + 
 +</​tabbox>​ 
 +</​WRAP>​ 
 + 
 +</​WRAP>​ 
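Review bot: The ''Rate_Limit'' chain never rate-limits anything: it contains no ''-m limit'', ''-m hashlimit'' or ''-m recent'' match, so every NEW packet to port 5000 that the two ''-I INPUT'' rules send there matches ''--dport 5000 -j LOG-VPN'' on the first two lines and is logged and accepted, and the REJECT, "Connection DROPPED" LOG and DROP rules beneath are unreachable. Either add a real limit, for example an ''-m hashlimit'' match keyed on the source address in front of the two LOG-VPN jumps so that excess handshake attempts fall through to the REJECT/DROP rules, or rename the chain and remove the dead rules so readers are not misled about what the script does.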
  
-  * <code bash> 
-uci commit network ; /​etc/​init.d/​network reload ; uci commit firewall ; /​etc/​init.d/​firewall restart 
-</​code>​ 
-    * //There have been a few instances where rules input in the above order to <color #​606060>​**/​etc/​config/​firewall**</​color>​ aren't applied in the same order under <color #​606060>​**LuCI - Network - Firewall - Traffic Rules**</​color>​. ​ If this occurs, delete the problem rule(s) from <color #​606060>​**/​etc/​config/​firewall**</​color>​ and add manually via LuCI.// 
 =====  VPN Server ===== =====  VPN Server =====
-=== Add minimum TLS version parameter to openvpn === 
-  * As of now the openvpn-openssl package (2.3.6-5) does not support setting a minimum TLS version (1.2 in this case). 
-  * We need to add **tls_version_min** to the append_params section in the file **/​etc/​init.d/​openvpn** 
-    * <code bash> vi /​etc/​init.d/​openvpn </​code>​ 
  
 +<WRAP indent>
 +<WRAP 76.5em lo>
 +<wrap right button>​[[doc:​howto:​vpn.overview|VPN Overview]]</​wrap>​
 +</​WRAP>​
  
-=== Create Config File === 
  
-  * <code bash> +==== Config ====
-echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn +
-</​code>​ +
-    * Paste the following //**and**// <color #​0080FF>//​**__edit__**//</​color>​ accordingly for custom locations, subnets, port, etc. +
-    * <code cpp>+
  
-config openvpn '​VPNserver'+<WRAP 76.5em lo> 
 +<WRAP centeralign><​wrap warning><​color #​FFFFFF>​It's //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap></​WRAP>​
  
-        option enabled ​    '1'+<tabbox Information>​ 
 +<wrap right>''​<color #​C86400>/​etc/​config/​openvpn</​color>''</​wrap>​ 
 +<color #​508CAA>​**OpenVPN Information**</​color>​
  
-    # --- Protocol ​---# +  * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations** 
-        option ​dev         'tun+    * DNS primary & secondary are [[https://​www.opendns.com/​setupguide/?​url=familyshield|OpenDNS'​]] 
-        option ​dev         'tun0+    * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice 
-        ​option topology ​   '​subnet+      * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\ 
-        ​option proto       'udp+  * **//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[:​doc:​howto:​openvpn-streamlined-server-setup#openvpn|OpenVPN HowTo]] **to understand how it's used** 
-        ​option port        ​'1194'+      * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\ 
 +  * **Two or more servers can be run from this config file** 
 +    * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\ 
 +  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible ​option ​for the Server & Client Configs** \\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ​''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #647D00>option ​ ​tls_cipher</​color>​''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>​''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>​''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>​''​
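Review bot: ''openssl --show-tls'' is not an OpenSSL command; the TLS ciphersuite names that ''option tls_cipher'' expects are listed by ''openvpn --show-tls'', while the ''openssl ciphers -V'' variants print OpenSSL's own names. The NTP bullet also overstates the requirement: the TLS handshake itself does not depend on clock agreement, and the certificate validity check only needs the clocks to be roughly right, well within the validity period, so "accurate to within milliseconds" should be softened to "reasonably accurate".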
  
-    #--- Routes ---# 
-        option server ​   '​10.1.1.0 255.255.255.0'​ 
-        option ifconfig ​ '​10.1.1.1 255.255.255.0'​ 
-        ​ 
-    #--- Client Config ---# 
-#       ​option ccd_exclusive ​          '​1'​ 
-#       ​option ifconfig_pool_persist ​  '/​etc/​openvpn/​clients/​ipp.txt'​ 
-#       ​option client_config_dir ​      '/​etc/​openvpn/​clients/'​ 
  
-    #--- Pushed Routes ---# +<tabbox Config> 
-        list push    ​'route 192.168.1.0 255.255.255.0' +<wrap right>''​<color #​C86400>/​etc/​config/​openvpn</​color>​''​</​wrap>​ 
-        list push    ​'dhcp-option DNS 192.168.1.1+<color #​508CAA>​**OpenVPN Server Config**</​color>​
-        list push    '​dhcp-option WINS 192.168.1.1'​ +
-        list push    '​dhcp-option DNS 8.8.8.8'​ +
-        list push    '​dhcp-option DNS 8.8.4.4'​ +
-        list push    '​dhcp-option NTP 129.6.15.30'​+
  
-    #--- Encryption ---# +  ​**Create config:**\\ <code cpp>echo > /etc/config/​openvpn ​; vi /etc/config/openvpn</code> 
-        option cipher ​         '​AES-256-CBC'​ +    ​**Paste the following & edit accordingly**\\ \\ <code cpp> 
-        option auth            '​SHA384'​ +config ​openvpn ​'​VPNserver
-        option remote_cert_tls '​client'​ +    option ​ ​enabled ​            1
-        option dh              '/​etc/​openvpn/​keys/dh4096.pem'​ +
-        option pkcs12 ​         '/etc/openvpn/keys/my-server.p12'​ +
-        ​option tls_auth ​       '/etc/openvpn/​keys/​ta.key 0+
-#        ​option ​tls_version_min '1.2' +
-#        option tls_cipher ​     '​DHE-RSA-AES256-GCM-SHA384:​DHE-RSA-AES256-SHA256:​DHE-RSA-AES128-GCM-SHA256:​DHE-RSA-AES128-SHA256'​ +
-        option tls_cipher ​     '​TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:​TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:​TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'​+
  
-    #--- Logging ​---# +    ​# Protocol # 
-        option ​log           '/​tmp/​openvpn.log+#------------------------------------------------ 
-        option ​status ​       ​'/​tmp/​openvpn-status.log+    option ​ ​dev ​                'tun
-        option ​verb          ​'7'+    option ​ ​dev ​                'tun0
 +    option ​ ​topology ​           ​'subnet' 
 +    option ​ proto               '​udp'​ 
 +    option ​ port                5000
  
-    #--- Connection Options ​---# +    ​# Routes #  
-        option ​keepalive ​       ​'​10 ​120+#------------------------------------------------ 
-        option ​comp_lzo ​        'yes'+    option ​ ​server ​             ​'10.1.0.0 255.255.255.240
 +    option ​ ​ifconfig ​           ​'10.1.0.1 255.255.255.240' ​       
  
-    #--- Connection Reliability ​---# +    ​# Client Config #  
-        option ​client_to_client '1' +#------------------------------------------------ 
-        option ​persist_key ​     ​'1+    # ​  option ​ ​ccd_exclusive ​          
-        option ​persist_tun ​     ​'1'+    # ​  option ​ ​ifconfig_pool_persist ​  '/​etc/​openvpn/​clients/​ipp.txt
 +    # ​  option ​ ​client_config_dir ​      '/​etc/​openvpn/​clients/​'
  
-    #--- Connection Speed ---#    ​ +    ​# Pushed Routes #  
-        ​option sndbuf ​           ​'393216+#------------------------------------------------ 
-        option ​rcvbuf ​           '​393216+    ​list ​   push                ​'route 192.168.1.0 255.255.255.0
-        option ​fragment ​         '0+    ​list ​   push                'dhcp-option ​   DNS 192.168.1.1
-        ​option mssfix ​           ​'0+    ​list ​   push                'dhcp-option ​   WINS 192.168.1.1
-        option ​tun_mtu ​          '24000'+    ​list ​   push                ​'dhcp-option ​   DNS 208.67.222.123
 +    ​list ​   push                'dhcp-option ​   DNS 208.67.220.123' 
 +    list    push                '​dhcp-option ​   NTP 129.6.15.30'
  
-    #--- Pushed Buffers ​---# +    ​# Encryption #  
-        list push    '​sndbuf 393216'​ +#------------------------------------------------ 
-        list push    '​rcvbuf 393216'+    ​# Diffie-Hellman:​ 
 +    ​option ​ dh                  ​'/​etc/​ssl/​openvpn/​dh2048.pem'
  
-    #--- Permissions ---# +    # PKCS12: 
-        option ​user     'nobody'​ +    option ​ ​pkcs12 ​             ​'/etc/ssl/openvpn/vpn-server.p12' 
-        option group    '​nogroup'​ + 
-</code> +    # SSL: 
-      * This specific configuration has been designed to give the best performance possible, via [[https://community.openvpn.net/​openvpn/​wiki/​Gigabit_Networks_Linux|MTU]] and [[http://​winaero.com/​blog/​speed-up-openvpn-and-get-faster-speed-over-its-channel/​|buffer]] tuning recommendations +    option ​ cipher ​             AES-256-CBC 
-        * DNS primary and secondary is [[https://​developers.google.com/​speed/​public-dns/​docs/​using|Google's]] +    ​option ​ auth                '​SHA512
-        * NTP is garnished from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice +    ​option ​ tls_auth ​           '/etc/ssl/openvpn/tls-auth.key 0'
-          * NTP should be specified, but doesn't need to be NIST. When dealing with encryption handshakes, time on both the server and the client must be accurate to within milliseconds.+
     ​     ​
-    ​* The <​color ​#606060>//​**CCD directives**//</​color>​ (under <color #​6E6E6E>//​Client Config//</​color>​) are commented out, as you will need to read the [[https://openvpn.net/​index.php/​open-source/​documentation/​howto.html#​policy|OpenVPN HowTo]] to understand what it is and how to use it.+    # TLS: 
 +    option ​ tls_server ​         1 
 +    option ​ tls_version_min ​    1.
 +    option ​ tls_cipher ​         'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:​TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:​!kRSA'​
  
-    ​* **Two or more servers can be run from this config file** +    ​# Logging #  
-      * To add additional servers, simply copy and paste the first config directly below itself, with a blank line separating the two.  Customize the second server config, making sure not to forget to change the second <​color ​#647800>//​option ​dev//</​color>​ (under <color #​6E6E6E>//​Protocol//</​color>​) to the correct interface name.+#------------------------------------------------ 
 +    option ​ log_append ​         '/tmp/openvpn.log'​ 
 +    ​option ​ ​status ​             '/tmp/openvpn-status.log' 
 +    option ​ verb                4
  
-    ​* <​color ​#C80000>//​**I __strongly encourage__ taking the 45 min or so to read through the OpenVPN HowTO & OpenVPN Man Page, located in the**//</​color>​ **//​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki Links]]//** <color #​C80000>//​**section at the bottom of this Wiki; both provide __every possible option__ for the Server and Client Configs, allowing for a truly customizable VPN solution.**//</​color>​+    # Connection Options #  
 +#------------------------------------------------ 
 +    option ​ keepalive ​          '​10 120' 
 +    option ​ comp_lzo ​           '​yes'​
  
-=== Enable and Start OpenVPN ===+    # Connection Reliability #  
 +#​------------------------------------------------ 
 +    option ​ client_to_client ​   1 
 +    option ​ persist_key ​        1 
 +    option ​ persist_tun ​        1
  
-  * <code bash> +    # Connection Speed #  
-/etc/init.d/​openvpn ​enable ; /etc/init.d/​openvpn ​start ; sleep 2 ; cat /tmp/openvpn.log+#​------------------------------------------------ 
 +    option ​ sndbuf ​             393216 
 +    option ​ rcvbuf ​             393216 
 +    option ​ fragment ​           0 
 +    option ​ mssfix ​             0 
 +    option ​ tun_mtu ​            ​48000 
 + 
 +    # Pushed Buffers #  
 +#​------------------------------------------------ 
 +    list    push                '​sndbuf 393216'​ 
 +    list    push                '​rcvbuf 393216'​ 
 + 
 +    # Permissions #  
 +#​------------------------------------------------ 
 +    option ​ user                '​nobody'​ 
 +    option ​ group               '​nogroup'​ 
 + 
 + 
 +    # chroot # 
 +#​------------------------------------------------ 
 +    # chroot should be utilized in case the VPN is ever exploited; however, most commercial 
 +    # routers don't have internal flash storage large enough to support it.  An OpenVPN  
 +    # chroot would be ~11MB in size. 
 + 
 +        # Modify if chroot is configured # 
 +    #​-------------------------------------------- 
 +        # option ​ ccd_exclusive ​            1 
 +        # option ​ ifconfig_pool_persist ​    /​var/​chroot-openvpn/etc/openvpn/​clients/​ipp.txt 
 +        # option ​ client_config_dir ​        /var/chroot-openvpn/​etc/​openvpn/​clients 
 + 
 +        # option ​ cipher ​                   AES-256-CBC 
 +        # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem 
 +        # option ​ pkcs12 ​                   ​/var/chroot-openvpn/etc/ssl/openvpn/​vpn-server.p12 
 +        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
-===== Log File Output =====+  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​
  
-=== Correct Log Output w/o CCD === + 
-  ​* ​<code cpp> +<​tabbox ​CCD> 
-root@OpenWRT:/​cat /tmp/openvpn.log +<wrap right>''<​color ​#C86400>/etc/openvpn/​clients</​color>''</​wrap>​ 
-Tue Jul  7 19:57:02 2015 us=55343 ​OpenVPN ​2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun  2 2015 +<color #​508CAA>​**OpenVPN ​Server CCD Config**</​color>​ 
-Tue Jul  7 19:57:02 2015 us=55674 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08 + 
-Tue Jul  7 19:57:02 2015 us=454270 Diffie-Hellman initialized with 4096 bit key +  ​- **Enable CCD within Server config:** 
-Tue Jul  7 19:57:02 2015 us=546774 Control Channel Authentication:​ using '/​etc/​openvpn/​keys/ta.key' ​as a OpenVPN static key file +    //''<color #​647D00>​vi ​/etc/config/openvpn</color>''// ​\\ <code cpp> 
-Tue Jul  7 19:57:02 2015 us=547010 Outgoing Control Channel Authentication:​ Using 384 bit message hash 'SHA384'​ for HMAC authentication +   option ​ ccd_exclusive ​          1 
-Tue Jul  7 19:57:02 2015 us=547197 Incoming Control Channel Authentication:​ Using 384 bit message hash '​SHA384'​ for HMAC authentication +   option ​ ifconfig_pool_persist ​  '/​etc/​openvpn/clients/ipp.txt' 
-Tue Jul  7 19:57:02 2015 us=547412 TLS-Auth MTU parms [ L:48058 D:166 EF:66 EB:0 ET:0 EL:0 ] +   option ​ client_config_dir ​      '​/etc/​openvpn/​clients/'​
-Tue Jul  7 19:57:02 2015 us=547644 Socket Buffers: R=[163840->​327680] S=[163840->​327680] +
-Tue Jul  7 19:57:02 2015 us=567559 TUN/TAP device tun0 opened +
-Tue Jul  7 19:57:02 2015 us=567788 TUN/TAP TX queue length set to 100 +
-Tue Jul  7 19:57:02 2015 us=567990 do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 +
-Tue Jul  7 19:57:02 2015 us=568318 ​/sbin/ifconfig tun0 10.1.1.1 netmask 255.255.255.0 mtu 48000 broadcast 10.1.1.255 +
-Tue Jul  7 19:57:02 2015 us=608940 Data Channel MTU parms [ L:48058 D:48058 EF:58 EB:135 ET:0 EL:0 AF:3/1 ] +
-Tue Jul  7 19:57:02 2015 us=609448 GID set to nogroup +
-Tue Jul  7 19:57:02 2015 us=609690 UID set to nobody +
-Tue Jul  7 19:57:02 2015 us=609897 UDPv4 link local (bound): [undef] +
-Tue Jul  7 19:57:02 2015 us=610077 UDPv4 link remote: [undef] +
-Tue Jul  7 19:57:02 2015 us=610251 MULTI: multi_init called, r=256 v=256 +
-Tue Jul  7 19:57:02 2015 us=610560 IFCONFIG POOL: base=10.1.1.2 size=252, ipv6=0 +
-Tue Jul  7 19:57:02 2015 us=614653 Initialization Sequence Completed+
 </​code>​ </​code>​
 +      * ''<​color #​647D00>​ccd_exclusive</​color>'':​ enables CCD
 +      * ''<​color #​647D00>​client_config_dir</​color>'':​ Directory housing CCD client files
 +      * ''<​color #​647D00>​ifconfig_pool_persist</​color>'':​ File containing common names from client files, followed by static IP for device\\ \\
 +  - **Configure CCD files**
 +    - For each VPN client, a file must be created which exactly mirrors the common name of each client cert
 +      - File should contain an ''​ifconfig''​ command pushing a static IP to the client
 +        - Client Certificate CN: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client)</​color>''​
 +          - Client File: ''<​color #​C86400>/​etc/​openvpn/​clients/​John Doe (OpenWrt VPNserver Client)</​color>''​
 +            - File Output: ''//<​color #​647D00>​ifconfig-push 10.1.0.6 255.255.255.240</​color>//''​\\ \\
 +  - **Configure IPP file**
 +    - One per line, each VPN client'​s CN needs to be specified, followed by their static IP
 +      - IPP File: ''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​
 +        - File Output: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\
 +  - **Start/​Restart OpenVPN**
 +    - Connect with each client to test\\ <code bash>/​etc/​init.d/​openvpn stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​
 +
 +</​tabbox>​
 +</​WRAP>​
 +
 +
 +==== Log Output ====
 +
 +<WRAP 76.5em lo>
 +
 +<tabbox CCD Disabled>​
 +<wrap right>''<​color #​C86400>/​tmp/​openvpn.log</​color>''</​wrap>​
 +<color #​508CAA>​**Log Output w/o CCD Enabled**</​color>​
  
-=== Correct Log Output w/ CCD enabled=== +<code cpp> 
-  * <code cpp> +root@OpenWrt ~ # cat /​tmp/​openvpn.log 
-root@OpenWRT:/# cat /​tmp/​openvpn.log +Thu Oct 20 13:35:00 2016 us=668816 ​OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] 
-Tue Jul  7 19:57:02 2015 us=55343 OpenVPN 2.3.arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] ​built on Jun  2 2015 +Thu Oct 20 13:35:00 2016 us=668891 ​library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09 
-Tue Jul  7 19:57:02 2015 us=55674 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08 +Thu Oct 20 13:35:00 2016 us=669836 ​Diffie-Hellman initialized with 2048 bit key 
-Tue Jul  7 19:57:02 2015 us=454270 ​Diffie-Hellman initialized with 4096 bit key +Thu Oct 20 13:35:00 2016 us=705181 ​Control Channel Authentication:​ using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file 
-Tue Jul  7 19:57:02 2015 us=546774 ​Control Channel Authentication:​ using '/​etc/​openvpn/​keys/ta.key' as a OpenVPN static key file +Thu Oct 20 13:35:00 2016 us=705286 ​Outgoing Control Channel Authentication:​ Using 512 bit message hash 'SHA512' for HMAC authentication 
-Tue Jul  7 19:57:02 2015 us=547010 ​Outgoing Control Channel Authentication:​ Using 384 bit message hash 'SHA384' for HMAC authentication +Thu Oct 20 13:35:00 2016 us=705351 ​Incoming Control Channel Authentication:​ Using 512 bit message hash 'SHA512' for HMAC authentication 
-Tue Jul  7 19:57:02 2015 us=547197 ​Incoming Control Channel Authentication:​ Using 384 bit message hash 'SHA384' for HMAC authentication +Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 100 bytes 
-Tue Jul  7 19:57:02 2015 us=547412 ​TLS-Auth MTU parms [ L:48058 D:166 EF:66 EB:0 ET:0 EL:+Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 72 bytes 
-Tue Jul  7 19:57:02 2015 us=547644 ​Socket Buffers: R=[163840->​327680] S=[163840->​327680] +Thu Oct 20 13:35:00 2016 us=705535 ​TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:
-Tue Jul  7 19:57:02 2015 us=567559 ​TUN/TAP device tun0 opened +Thu Oct 20 13:35:00 2016 us=705589 ​Socket Buffers: R=[87380->​327680] S=[16384->​327680] 
-Tue Jul  7 19:57:02 2015 us=567788 ​TUN/TAP TX queue length set to 100 +Thu Oct 20 13:35:00 2016 us=706121 ​TUN/TAP device tun0 opened 
-Tue Jul  7 19:57:02 2015 us=567990 ​do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 +Thu Oct 20 13:35:00 2016 us=706200 ​TUN/TAP TX queue length set to 100 
-Tue Jul  7 19:57:02 2015 us=568318 ​/sbin/ifconfig ​tun0 10.1.1.1 netmask 255.255.255.0 mtu 48000 broadcast 10.1.1.255 +Thu Oct 20 13:35:00 2016 us=706254 ​do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 
-Tue Jul  7 19:57:02 2015 us=608940 ​Data Channel MTU parms [ L:48058 D:48058 EF:58 EB:135 ET:0 EL:AF:3/1 ] +Thu Oct 20 13:35:00 2016 us=706327 ​/sbin/ip link set dev tun0 up mtu 48000 
-Tue Jul  7 19:57:02 2015 us=609448 ​GID set to nogroup +Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15 
-Tue Jul  7 19:57:02 2015 us=609690 ​UID set to nobody +Thu Oct 20 13:35:00 2016 us=713288 ​Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:AF:3/1 ] 
-Tue Jul  7 19:57:02 2015 us=609897 UDPv4 link local (bound): [undef] +Thu Oct 20 13:35:00 2016 us=713438 ​GID set to nogroup 
-Tue Jul  7 19:57:02 2015 us=610077 UDPv4 link remote: [undef] +Thu Oct 20 13:35:00 2016 us=713500 ​UID set to nobody 
-Tue Jul  7 19:57:02 2015 us=610251 ​MULTI: multi_init called, r=256 v=256 +Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef] 
-Tue Jul  7 19:57:02 2015 us=610560 ​IFCONFIG POOL: base=10.1.1.2 size=252, ipv6=0 +Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER ​link local (bound): [undef] 
-Tue Jul  7 19:57:02 2015 us=610897 ifconfig_pool_read(),​ in='​OpenWRT-VPNclient1,​10.1.1.5',​ TODOIPv6 +Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER ​link remote: [undef] 
-Tue Jul  7 19:57:02 2015 us=612378 succeeded -> ifconfig_pool_set() +Thu Oct 20 13:35:00 2016 us=713922 ​MULTI: multi_init called, r=256 v=256 
-Tue Jul  7 19:57:02 2015 us=612581 ifconfig_pool_read(),​ in='​OpenWRT-VPNclient2,​10.1.1.6',​ TODO: IPv6 +Thu Oct 20 13:35:00 2016 us=714000 ​IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0 
-Tue Jul  7 19:57:02 2015 us=612747 succeeded -> ifconfig_pool_set() +Thu Oct 20 13:35:00 2016 us=714070 MULTITCP INIT maxclients=1024 maxevents=1028 
-Tue Jul  7 19:57:02 2015 us=612912 IFCONFIG POOL LIST +Thu Oct 20 13:35:00 2016 us=714678 ​Initialization Sequence Completed
-Tue Jul  7 19:57:02 2015 us=613077 OpenWRT-VPNclient1,​10.1.1.5 +
-Tue Jul  7 19:57:02 2015 us=613349 OpenWRT-VPNclient2,​10.1.1.6 +
-Tue Jul  7 19:57:02 2015 us=614653 ​Initialization Sequence Completed+
 </​code>​ </​code>​
  
-===== VPN Clients ===== 
  
-  * The server's TLS key (text from //ta.key//) goes in the blank xml space between //Begin// and //End//+<tabbox CCD Enabled>​ 
 +<wrap right>''<​color #C86400>/tmp/openvpn.log</color>''<​/wrap> 
 +<color #​508CAA>​**Log Output wCCD Enabled**<​/color>
  
-=== Windows Config ​===+<code cpp> 
 +root@OpenWrt ~ # cat /​tmp/​openvpn.log 
 +Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] 
 +Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 
 +Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key 
 +Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key'​ as a OpenVPN static key file 
 +Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
 +Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
 +Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 100 bytes 
 +Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 72 bytes 
 +Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ] 
 +Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->​327680] S=[16384->​327680] 
 +Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened 
 +Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100 
 +Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 
 +Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000 
 +Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15 
 +Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ] 
 +Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup 
 +Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody 
 +Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef] 
 +Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef] 
 +Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef] 
 +Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256 
 +Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0 
 +Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(),​ in='​vpn-client1-foobar1-device1,​10.1.0.5',​ TODO: IPv6 
 +Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set() 
 +Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(),​ in='​John Doe (OpenWrt VPNserver Client),​10.1.0.6',​ TODO: IPv6 
 +Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set() 
 +Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST 
 +Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,​10.1.0.5 
 +Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),​10.1.0.6 
 +Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028 
 +Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed 
 +</​code>​
  
-  * <code cpp+</tabbox
-# --- Config Type --- # +</​WRAP>​
- client+
  
-# --- Protocol ---# +</​WRAP>​
- dev tun +
- proto udp+
  
-# --- DDNS --- # 
- remote your.ddns.com 1194 
  
-# --- Encryption --- # +===== Clients =====
- auth-nocache +
- cipher AES-256-CBC +
-        auth            SHA384 +
-        tls_version_min 1.2 +
-        tls_cipher ​     TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:​TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:​TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 +
- pkcs12 OpenWRT-VPNclient1.p12+
  
-# --- Server Security --- # +<WRAP 76.5em lo> 
- key-direction 1 +<WRAP centeralign><​wrap warning><​color ​#FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap></​WRAP>​ 
- remote-cert-tls server+</​WRAP>​ 
 + 
 +<WRAP indent>​ 
 + 
 + 
 +==== Android ==== 
 + 
 +<WRAP indent 76.5em lo> 
 + 
 +<tabbox Information>​ 
 +<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN for Android]]</​wrap>​  
 +<color #​508CAA>​**Android Client Information**</​color> ​  
 + 
 +<WRAP centeralign><​color #​960000>​**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //​imperative//,​ for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#client_certs|Client Certs]]</​color></​WRAP>​ 
 + 
 +  * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\ 
 +  * **PKCS12 certs are installed into the //Android Keychain//​** 
 +    * As a security feature, a warning toast will always appear in the notification area due to user installed certs 
 +      * This toast can be removed if you have a rooted device by following Toast Removal tutorial \\ \\ 
 +    * Another option is to include all certs & keys via inline XML within the client config file 
 +      * //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
 +  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML** 
 +    ​<color #​960000>​**//​Remove://​**</​color>​\\ <code cpp> 
 +    # Encryption # 
 +#------------------------------------------------ 
 +key-direction 1
  
 <​tls-auth>​ <​tls-auth>​
 -----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
-#---PASTE KEY HERE---#+#PASTED-KEY-INLINE-HERE#
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
-</​tls-auth>​+</​tls-auth></​code>​ 
 +    - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp> 
 +    # Encryption # 
 +#​------------------------------------------------ 
 +tls-auth ​   '/​path/​to/​tlsauth.key'​ 1</​code>​ 
 +  * <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ 
 +    * If your device is affected, you will need to reference your individual certs in your Server Config 
 +      - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp> 
 +    # Encryption # 
 +#​------------------------------------------------ 
 +ca      '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
 +cert    '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
 +key     '/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>
  
---- Logging --- # +<tabbox Config>​ 
- verb 5+<wrap right>''<​color ​#C86400>/​sdcard/​OpenVPN/​OpenWrt/​VPNserver.ovpn</​color>''</​wrap>​ 
 +<color #​508CAA>​**Android Client Config**</​color>​
  
-# --- Connection ​--- +<code cpp> 
- comp-lzo +    # Config Type # 
- float +#------------------------------------------------ 
- nobind +client
- resolv-retry infinite+
  
-# --- Connection Reliability ​--- +    # Connection ​ # 
- persist-key +#------------------------------------------------ 
- persist-tun+dev tun 
 +proto udp 
 +remote your.ddns.com 5000
  
-# --- Connection Speed ---# +    # Speed # 
- fragment +#------------------------------------------------ 
- mssfix +mssfix ​
- tun-mtu 24000+fragment ​
 +tun-mtu ​48000
  
-</​code>​ +    # Reliability # 
-    * In Windows, if the p12 certificate isn't stored in the same directory as the ovpn config file, you will need to reference the path to the p12 cert  +#------------------------------------------------ 
-      * In Windows you must use double backslashes,​ i.e. <​color ​#6E6E6E>//"​C:​\\Program Files\\OpenVPN\\Config\\"//</​color>​+float 
 +nobind 
 +comp-lzo
  
-=== Android Config ===+persist-key 
 +persist-tun 
 +resolv-retry infinite
  
-  * <code cpp> +    # Encryption # 
-# --- Config Type --- # +#------------------------------------------------ 
- client+auth SHA512 
 +auth-nocache
  
-# --- Protocol ​---# +# --- SSL --- # 
- dev tun +cipher AES-256-CBC
- proto udp+
  
-# --- DDNS --- # +# --- TLS --- # 
- remote your.ddns.com 1194+key-direction 1 
 +tls-version-min 1.2
  
---- Encryption --- # +remote-cert-eku 'TLS Web Server Authentication'​
- auth-nocache +
- cipher AES-256-CBC +
-        auth            SHA384 +
-        tls_version_min 1.2 +
-        tls_cipher ​     ​TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:​TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:​TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 +
- pkcs12 OpenWRT-VPNclient1.p12+
  
---- Server Security ​--- # +<tls-auth> 
- key-direction 1 +-----BEGIN OpenVPN Static key V1----- 
- remote-cert-tls server+#​PASTE-KEY-INLINE-HERE
 +-----END OpenVPN Static ​key V1----- 
 +</tls-auth>
  
-# --- Logging ​--- # +    # Logging # 
- verb 5+#------------------------------------------------ 
 +verb 5 
 +</​code>​
  
---- Connection --- # +<tabbox Inline XML> 
- comp-lzo +<​color ​#508CAA>​**Referencing certs via Inline XML**</​color>​
- float +
- nobind +
- resolv-retry infinite+
  
-# --- Connection Reliability ​--- # +  - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp> 
- persist-key +    # Encryption # 
- persist-tun+#------------------------------------------------ 
 +ca        '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
 +cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
 +key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​ 
 +tls-auth ​ '/​path/​to/​tlsauth.key'​ 1</​code>​ 
 +  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp> 
 +    # Encryption # 
 +#​------------------------------------------------
  
-# --- Connection Speed ---# +# --- TLS --- #
- fragment 0 +
- mssfix 0 +
- tun-mtu 24000 +
-</​code>​ +
-    * [[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN for Android]] is the best app for VPNs on Android +
-    * There'​s no need to reference a p12 cert as it's installed into the <color #​6E6E6E>//​Android Keychain//</​color>;​ a security feature will cause a warning toast to always appear in the notification area due to user installed certs. +
-      * This warning can be removed if you have a rooted or bootloader unlocked device by following [[http://​forum.xda-developers.com/​google-nexus-5/​help/​howto-install-custom-cert-network-t2533550|this]] tutorial on XDA Developers. ​ It involves a minor edit and permissions change, ​ transferring the p12 cert from userland to system trusted. +
-    * If you choose to reference the //ta.key//, instead of utilizing XML +
-      * <color #​C80000>//​**Remove:​**//</​color>​ +
-      * <code cpp>+
 key-direction 1 key-direction 1
 +
 +<ca>
 +#​PASTE-CA-CERT-INLINE-HERE#​
 +</ca>
 +
 +<​cert>​
 +#​PASTE-VPN-SERVER-CERT-INLINE-HERE#​
 +</​cert>​
 +
 +<key>
 +#​PASTE-VPN-SERVER-KEY-INLINE-HERE#​
 +</​key>​
 +
 <​tls-auth>​ <​tls-auth>​
 -----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 +-----END OpenVPN Static key V1-----
 +</​tls-auth></​code>​
  
 +<tabbox Toast Removal>
 +<wrap right button>​[[http://​wiki.cacert.org/​FAQ/​ImportRootCert#​Android_Phones_.26_Tablets|CAcert Wiki]] ​ [[https://​github.com/​JW0914/​Wikis/​blob/​master/​OpenVPN/​Documentation/​Android%20Certificate%20Toast%20Removal.pdf|PDF]]</​wrap>​
 +<color #​508CAA>​**Certificate Warning Toast Removal**</​color>​
 +
 +<wrap indent>​If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert wiki, then continue</​wrap>​
 +  - <color #​789600>​**Method 1:​**</​color>​
 +    - **Add certificate to Android Keychain**
 +      - **//​Settings//​ –> //​Security//​ –> //Install from Storage//​**\\ \\
 +    - **Move certificate from userland to system trusted**
 +      - **Android < 5.0:**
 +        - Move new file
 +          - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​
 +          - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
 +      - **Android > 5.0:**
 +        - Move new file
 +          - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​
 +          - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
 +  - <color #​789600>​**Method 2:​**</​color>​
 +    - **Save certificate with** ''​.pem''​ **extension**\\ \\
 +    - **Garnish subject of certificate:​**
 +      - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​
 +        - Should be similar to: <color #​647D00>​0b112a89</​color>​\\ \\
 +    - **Save certificate as text:**
 +      - ''//<​color #​647D00>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​color>//''​\\ \\
 +    - **Swap PEM section and text:**
 +      - ''<​color #​647D00>//​-----BEGIN CERTIFICATE-----//</​color>''​ must be at top of file\\ \\
 +    - **Rename file:** ''<​color #​647D00>​0b112a89.0</​color>''​
 +      - Replace with subject from //step b//\\ \\
 +    - **Copy file to:** ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
 +    - **Set permissions:​**
 +      - ''//<​color #​647D00>​chmod 644 0b112a89.0</​color>//''​\\ \\
 +    - **Certificate should be listed under:**
 +      - **//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​**
 +        - If it's still under **//​User//​**:​
 +          - Disable/​Re-Enable certificate in Android Settings
 +            - This creates a file in ''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​
 +          - Move that file to ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​
 +          - Delete original file from //step f//
 +
 +</​tabbox>​
 +</​WRAP>​
 +
 +
 +==== BSD/Linux ====
 +
 +<WRAP indent 76.5em lo>
 +
 +<tabbox Information>​
 +<wrap button right>​[[https://​openvpn.net/​index.php/​open-source/​downloads.html|OpenVPN Client]]</​wrap>​
 +<color #​508CAA>​**BSD/​Linux Client Information**</​color>​
 +
 +  * Due to the sheer number of distros & variances from one to the other, only the client config is being provided
 +
 +<tabbox Config>
 +<wrap right>''<​color #​C86400>/​etc/​openvpn/​VPNserver.conf</​color>''</​wrap>​
 +<color #​508CAA>​**Linux/​BSD Client Config**</​color>​
 +
 +<code cpp>
 +# Config Type #
 +#​------------------------------------------------
 +client
 +
 +# Connection ​ #
 +#​------------------------------------------------
 +dev tun
 +proto udp
 +remote your.ddns.com 5000
 +
 +# Speed #
 +#​------------------------------------------------
 +mssfix 0
 +fragment 0
 +tun-mtu 48000
 +
 +# Reliability #
 +#​------------------------------------------------
 +float
 +nobind
 +comp-lzo
 +
 +persist-key
 +persist-tun
 +resolv-retry infinite
 +
 +    # Encryption #
 +#​------------------------------------------------
 +auth SHA512
 +auth-nocache
 +
 +# --- SSL --- #
 +cipher AES-256-CBC
 +
 +# --- TLS --- #
 +key-direction 1
 +tls-version-min 1.2
 +
 +pkcs12 '/​etc/​ssl/​openvpn/​vpn-client1.p12'​
 +remote-cert-eku 'TLS Web Server Authentication'​
 +
 +<​tls-auth>​
 +-----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
 +
 +# Logging #
 +#​------------------------------------------------
 +verb 5
 </​code>​ </​code>​
-      * <color #​789600>//​**Add:​**//</​color>​ 
-      * <code cpp> 
-tls-auth /​path/​to/​ta.key 1</​code>​ 
-    * <color #​C80000>//​**There is an issue with some Android devices not being able to convert PKCS12 certs to X509 certs**//</​color>  ​ 
-      * <color #​C80000>//​If you've **__verified__** your device is one of the ones affected, **__and__** you're having issues connecting to your VPN on Android, you may need to reference your individual certs in your Server Config://</​color>​ 
-        * <color #​C80000>//​**Remove:​**//</​color>​ 
-        * <code cpp> 
- #--- Encryption ---# 
-        option pkcs12 ​    '/​etc/​openvpn/​keys/​my-server.p12'</​code>​ 
-        * <color #​789600>//​**Add:​**//</​color>​ 
-        * <code cpp> 
- #--- Encryption ---# 
-        option ca         '/​etc/​openvpn/​keys/​ca.crt'​ 
-        option cert       '/​etc/​openvpn/​keys/​my-server.crt'​ 
-        option key        '/​etc/​openvpn/​keys/​my-server.key'</​code>​ 
  
-----+</​tabbox>​ 
 +</​WRAP>​
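Review bot: the "Speed" block of the BSD/Linux client config (`mssfix 0`, `fragment 0`, `tun-mtu 48000`) switches off OpenVPN's own MSS clamping and fragmentation and hands 48 kB UDP datagrams to the kernel, so delivery depends entirely on IP fragmentation; that works on a LAN but on any WAN path that drops fragments TCP inside the tunnel stalls with no error in the log. Suggest a comment stating that these three values must match the server's and that the defaults (`tun-mtu 1500`, `mssfix` left on) are the safe starting point if connections hang. Two smaller points on the same block: `comp-lzo` compresses tunnelled plaintext before encryption and must also match the server; upstream OpenVPN now advises leaving compression off, so it is worth a sentence in the Information tab. And since the `.p12` referenced by `pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'` holds the client's private key, the config should mention restricting its file permissions to the user running OpenVPN.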
  
  
 +==== Windows ====
 +
 +<WRAP indent 76.5em lo>
 +
 +<tabbox Information>​
 +<wrap button right>​[[https://​openvpn.net/​index.php/​open-source/​downloads.html|OpenVPN Client]]</​wrap>​
 +<color #​508CAA>​**Windows Client Information**</​color>​
 +
 +  * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**
 +    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
 +
 +
 +<tabbox Config>
 +<wrap right>''<​color #​C86400>​C:​\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn</​color>''</​wrap>​
 +<color #​508CAA>​**Windows Client Config**</​color>​
 +
 +<code cpp>
 +# Config Type #
 +#​------------------------------------------------
 +client
 +
 +# Connection ​ #
 +#​------------------------------------------------
 +dev tun
 +proto udp
 +remote your.ddns.com 5000
 +
 +# Speed #
 +#​------------------------------------------------
 +mssfix 0
 +fragment 0
 +tun-mtu 48000
 +
 +# Reliability #
 +#​------------------------------------------------
 +float
 +nobind
 +comp-lzo
 +
 +persist-key
 +persist-tun
 +resolv-retry infinite
 +
 +    # Encryption #
 +#​------------------------------------------------
 +auth SHA512
 +auth-nocache
 +
 +# --- SSL --- #
 +cipher AES-256-CBC
 +
 +# --- TLS --- #
 +key-direction 1
 +tls-version-min 1.2
 +
 +pkcs12 vpn-client1.p12
 +remote-cert-eku "TLS Web Server Authentication"​
 +
 +<​tls-auth>​
 +-----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 +-----END OpenVPN Static key V1-----
 +</​tls-auth>​
 +
 +# Logging #
 +#​------------------------------------------------
 +verb 5
 +</​code>​
 +</​tabbox>​
 +</​WRAP>​
 +
 +</​WRAP>​
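Review bot: the Windows client config is identical to the BSD/Linux one apart from the `pkcs12` path and the quoting of `remote-cert-eku` (double quotes here, single quotes in the Linux config; OpenVPN accepts both, but the two blocks should agree). Keeping one shared client config with a note on the per-OS `pkcs12` path would stop the two copies drifting apart, e.g. when the cipher or `tls-version-min` is changed later in only one of them. Minor style: the `# Encryption #` header is indented four spaces in both configs while every other section header starts at column 0, and the Information tab has a stray space before the comma in "ovpn config , the path".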
 ---- ----
-====== Optional: ====== 
  
 ---- ----
  
-=====  Redirect Gateway (Same Subnet) ===== 
-  * <color #​C80000>//​**Please read __prior__ to going forward**//</​color>​ 
-    * [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​redirect|Routing All Client Traffic (Including Web-Traffic) through the VPN]]  
-=== Server VPN Config === 
-  * Pushed Routes 
-    * <color #​C80000>//​**Remove:​**//</​color>​ 
-    * <code cpp> 
-list push    '​dhcp-option DNS 8.8.8.8'​ 
-list push    '​dhcp-option DNS 8.8.4.4 
-</​code>​ 
-    * <color #​789600>//​**Add:​**//</​color>​ 
-    * <code cpp> 
-list push    '​redirect-gateway def1 local' 
-list push    '​dhcp-option DNS 10.1.1.1'​ 
-</​code>​ 
  
 +===== Optional =====
  
 +<WRAP indent>
  
-=== Server Firewall Config === 
-  * <color #​789600>//​**Add:​**//</​color>​ 
-  * <code cpp> 
-#::: InterZone Forwarding :::# 
-# LuCI: Network - Firewall - Zones - VPN - Edit - Inter-Zone Forwarding 
  
-#--- Allow forwarding from VPN to WAN ---# +==== Redirect Gateway (Same Subnet) ==== 
-config forwarding + 
- option dest '​wan'​ +<WRAP 76.5em lo> 
- option src '​vpn'​ + 
-</code+<wrap warning><​color ​#FFFFFF>​It'​s recommended ​to read Gateway Redirect **//prior to//** continuing</​color></​wrap> ​ <wrap right button>​[[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#redirect|Gateway Redirect]]</​wrap>​ 
-  ​<color #789600>//**Add:**//</​color>​ + 
-  * <code cpp>+<tabbox Firewall Config> 
 +<wrap right><​color #​C86400>/​etc/​config/​firewall</​color></​wrap>​ 
 +<color #​508CAA>​**LAN Zone & InterZone Forwarding**</color> 
 + 
 +  ​<color #​789600>​**//Add://**</​color>​\\ <code cpp>
 #::: Zones :::# #::: Zones :::#
 # LuCI: Network - Firewall - Zones # LuCI: Network - Firewall - Zones
  
-#--- Add: option masq '​1' ​---#+# Add: LAN Masquerade # 
 +#------------------------------------------------
 config zone config zone
- option name '​lan'​ +    ​option ​ name            '​lan'​ 
- option ​input 'ACCEPT+    option ​ ​network ​        'lan
- option ​output ​'​ACCEPT'​ +    option ​ ​input ​          '​ACCEPT'​ 
- option ​network ​'lan+    option ​ ​output ​         ​'ACCEPT
- option forward '​DROP'​ +    option ​ forward ​        ​'​DROP'​ 
- option masq '1' +    option ​ masq            1</​code>​ 
-</​code>​+  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp> 
 +#::: InterZone Forwarding :::# 
 +# LuCI: Network -> Firewall -> Zones -> VPN -  
 +# Edit - Inter-Zone Forwarding 
 + 
 +# Allow Forwarding VPN -> WAN # 
 +#​------------------------------------------------ 
 +config forwarding 
 +    option ​ dest            'wan
 +    ​option ​ src             '​vpn'​</code
 +  - **Commit changes**\\ <code bash>/​etc/​init.d/​firewall restart</​code>​ 
 + 
 + 
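Review bot: adding `option masq 1` to the `lan` zone NATs every VPN client connection toward LAN hosts to the router's own LAN address, so LAN-side logs, host firewalls and share ACLs no longer see individual client addresses, which weakens per-client auditing. The hunk does not say why masquerading on the LAN zone is needed for the same-subnet redirect case; suggest a one-line comment with the reason, and a note that when LAN hosts already use this router as their default gateway (so return traffic to the VPN subnet is routed anyway) the option can be left off. The `VPN -> WAN` forwarding itself is the expected change for a gateway redirect, assuming the `wan` zone already masquerades.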
 +<tabbox Server Config>​ 
 +<wrap right>''<​color #​C86400>/​etc/​config/​openvpn</​color>''</​wrap>​ 
 +<color #​508CAA>​**Pushed Routes**</​color>
  
-=== Apply Changes === +  - <color #​960000>​**//​Remove://​**</​color>​\\ ​<​code ​cpp> 
-  ​* <​code ​bash>/etc/init.d/firewall restart ; /​etc/​init.d/​openvpn restart</​code>​+    list    push                '​dhcp-option ​       DNS 208.67.222.123'​ 
 +    list    push                '​dhcp-option ​       DNS 208.67.220.123'<​/code> 
 +  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp> 
 +    list    push                '​redirect-gateway ​  def1 local'​ 
 +    list    push                '​dhcp-option ​       DNS 10.1.0.1'<​/code> 
 +  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn restart</​code
 +</​tabbox>​ 
 +</WRAP>
  
 +</​WRAP>​
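Review bot: pushing `dhcp-option DNS 10.1.0.1` in place of the public resolvers only takes effect on clients that apply DHCP options; the BSD/Linux client config earlier in this diff has no `up`/`down` script, so those clients keep resolving through their original DNS server while all other traffic goes through the tunnel, i.e. a DNS leak after `redirect-gateway def1 local` is in force. Suggest documenting an update-resolv-conf style `up`/`down` script (with the matching `script-security` level) for Linux clients, and consider also pushing `block-outside-dns` so Windows clients cannot fall back to the DNS of their other adapters. Unrelated nit: the `'dhcp-option DNS 208.67.220.123'` line in the Remove block closes its quote here, unlike the earlier revision, so the removed text does not match what was previously in the wiki.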
 ---- ----
  
 ---- ----
 +
 +
 ===== VPN Wikis ===== ===== VPN Wikis =====
  
-=== OpenSSL === +<WRAP indent>
-  * <color #0080FF>//​**Guides**//</​color>​ +
-    * [[https://​www.openssl.org/​docs/​|OpenSSL Documents]] +
-    * [[https://​www.openssl.org/​docs/​HOWTO/​|OpenSSL HowTo]] +
-    * [[https://​www.openssl.org/​docs/​apps/​openssl.html|OpenSSL Man Page]]+
  
-  * <color #​0080FF>//​**Info**//</​color>​ 
-    * [[http://​archive.oreilly.com/​pub/​a/​security/​2004/​10/​21/​vpns_and_pki.html?​page=1|Deploying a VPN with PKI on GNU/Linux]] 
  
-=== OpenVPN ​=== +==== OpenSSL ====
-  * <color #​0080FF>//​**Android**//</​color>​ +
-    * [[https://​docs.openvpn.net/​docs/​openvpn-connect/​openvpn-connect-android-faq.html|OpenVPN on Android]] +
-    * [[http://​forum.xda-developers.com/​google-nexus-5/​help/​howto-install-custom-cert-network-t2533550|Remove "Your Network Could be Monitored"​ Toast]] +
-    * [[http://​wiki.cacert.org/​FAQ/​ImportRootCert#​Android_Phones|Trust CA cert's Root Certificate]]+
  
-  * <color #​0080FF>//​**Forum**//</​color>​ +<WRAP 76.5em lo>
-    * [[https://​forums.openvpn.net/​|OpenVPN Forum]] <color #​789600>//​** <---- For Help**//</​color>+
  
-  * <color #0080FF>//**Guides**//</​color>​ +<tabbox Guides>​ 
-    * [[https://openvpn.net/index.php/open-source/documentation/howto.html|OpenVPN HowTo]] <color #789600>//** <​----  ​Highly Recommended**//</​color>​ +<color #508CAA>**OpenSSL ​Guides**</​color>​ 
-    * [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN Man Page]] <color #789600>//** <----  Highly Recommended**//</​color>​+ 
 +  ​* [[https://www.openssl.org/docs/​|OpenSSL Documents]] 
 +  * [[https://​www.openssl.org/docs/HOWTO/|OpenSSL HowTo]] 
 +  * [[https://​www.openssl.org/​docs/​apps/​openssl.html|OpenSSL Man Page]] 
 + 
 + 
 +<tabbox Info> 
 +<color #508CAA>**OpenSSL Info**</color> 
 + 
 +  * [[http://​archive.oreilly.com/​pub/​a/​security/​2004/​10/​21/​vpns_and_pki.html?​page=1|Deploying a VPN with PKI on GNU/​Linux]] 
 +</​tabbox>​ 
 +</​WRAP>​ 
 + 
 + 
 +==== OpenVPN ==== 
 + 
 +<WRAP 76.5em lo> 
 + 
 +<tabbox Android>​ 
 +<color #​508CAA>​**Android**</​color>​ 
 + 
 +  * [[https://​docs.openvpn.net/​docs/​openvpn-connect/​openvpn-connect-android-faq.html|OpenVPN on Android]] 
 +  ​* ​[[http://​forum.xda-developers.com/​google-nexus-5/​help/​howto-install-custom-cert-network-t2533550|Remove "Your Network Could be Monitored"​ Toast]] 
 +  ​[[http://wiki.cacert.org/​FAQ/​ImportRootCert#​Android_Phones|Trust CA cert's Root Certificate]] 
 + 
 + 
 +<tabbox Guides>​ 
 +<color #​508CAA>​**Guides**</color
 + 
 +<wrap safety indent>​Highly Recommended</​wrap> 
 +    * [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|OpenVPN HowTo]] ​ 
 +    * [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|OpenVPN Man Page]] 
 + 
 + 
 +<tabbox Help> 
 +<color #508CAA>**If needing help**</​color>​ 
 + 
 +  ​* ​[[https://forums.openvpn.net/​|OpenVPN Forum]] 
 + 
 +<tabbox Tuning>​ 
 +<color #​508CAA>​**Tuning**</​color>​
  
-  * <color #​0080FF>//​**Tuning**//</​color>​ 
     * [[http://​winaero.com/​blog/​speed-up-openvpn-and-get-faster-speed-over-its-channel/​|Buffer Tuning]]     * [[http://​winaero.com/​blog/​speed-up-openvpn-and-get-faster-speed-over-its-channel/​|Buffer Tuning]]
     * [[https://​community.openvpn.net/​openvpn/​wiki/​Gigabit_Networks_Linux|MTU Tuning]]     * [[https://​community.openvpn.net/​openvpn/​wiki/​Gigabit_Networks_Linux|MTU Tuning]]
 +</​tabbox>​
 +</​WRAP>​
  
-=== OpenWRT === 
-  * <color #​0080FF>//​**Forum**//</​color>​ 
-    * [[https://​forum.openwrt.org/​|OpenWRT Forum]] 
  
-  * <color #0080FF>//​**Wiki**//</​color>​ +==== OpenWrt ==== 
-    * [[doc:​howto:​vpn.openvpn|VPN Guide for Beginners]] + 
-    * [[inbox:​vpn.howto|VPN Server HowTo]] +<WRAP 76.5em lo> 
-    * [[doc:​howto:​vpn.server.openvpn.tun|VPN TUN Server ]]+ 
 +<tabbox Help> 
 +<color #508CAA>**If needing help**</color> 
 + 
 +    * [[https://​forum.openwrt.org/​|OpenWrt Forum]] 
 + 
 + 
 +<tabbox Wiki> 
 +<color #508CAA>**Wiki**</​color>​ 
 + 
 +  ​* [[doc:​howto:​vpn.openvpn|VPN Guide for Beginners]] 
 +  * [[inbox:​vpn.howto|VPN Server HowTo]] 
 +  * [[doc:​howto:​vpn.server.openvpn.tun|VPN TUN Server ]] 
 +</​tabbox>​ 
 +</​WRAP>​ 
 + 
 +</​WRAP>​
  
  
 ---- ----
-===== Questions (Please Help Yourself) ===== 
-  * <color #​C80000>//​**__Please__ take the time to read**//</​color>​ 
-    * <color #​C80000>//​If you refuse to help yourself, don't expect someone else to help you//</​color>​ 
  
-  * <color #​C80000>//​**The answer to any question one could possibly have about an OpenVPN Client or Server configuration is contained within the [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki Section]], specifically the OpenVPN [[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html|HowTO]] and [[https://​community.openvpn.net/​openvpn/​wiki/​Openvpn23ManPage|Man Pages]]**//</​color>​ 
-    * <color #​C80000>//​If,​ after reading, one still is unable to find a solution to their issue or question, please post a question in the applicable device or topic thread in the [[https://​forum.openwrt.org/​|OpenWRT Forum]] or [[https://​forums.openvpn.net/​|OpenVPN Forum]]//</​color>​ 
  
-  * <color #​C80000>//​**__Please__ do not publish questions directly to this Wiki, as:​**//</​color>​ +===== Questions ===== 
-    * <color #​C80000>//​Most importantly,​ it's __not__ monitored for questions//</​color>​ + 
-    * <color #​C80000>//​It clutters the Wiki, possibly making it more difficult for others to navigate//</color>+<WRAP 76.5em lo>
  
 +  * **//Please take the time to read//**
 +    * //If you refuse to help yourself, don't expect someone else to help you//\\ \\
 +  * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**
 +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\
 +  * <color #​960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​
 +    * //Most importantly,​ it's __not__ monitored for questions//
 +    * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 +</​WRAP>​
doc/howto/openvpn-streamlined-server-setup.1473882300.txt.bz2 · Last modified: 2016/09/14 21:45 by geekazoid