This shows you the differences between two versions of the page.
doc:howto:openvpn-streamlined-server-setup [2016/10/22 06:28] JW0914 [Network] Corrected mislabeled interwiki link |
doc:howto:openvpn-streamlined-server-setup [2018/02/03 14:28] (current) ssdnvv old version restored (2018/01/18 05:21) |
Line 9: | Line 9: | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | <WRAP indent> | + | <WRAP box 78em lo> |
+ | <tabbox Purpose> | ||
+ | <color #508CAA>**VPN Server Purpose**</color> | ||
- | ==== VPN Requirements ==== | + | * Provides an encrypted remote connection over WAN to router and downstream devices |
- | <WRAP 75em lo> | + | * If Gateway Redirect is utilized, it provides an encrypted connection for local traffic |
- | Five things are required for a SSL VPN: | + | |
- | - [[:doc:howto:openvpn-streamlined-server-setup#encryption|Encryption (Certificates)]] | + | |
- | - [[:doc:howto:openvpn-streamlined-server-setup#network|Network (VPN Interface Creation)]] | + | |
- | - [[:doc:howto:openvpn-streamlined-server-setup#firewall|Firewall Rules [VPN Traffic]]] | + | |
- | - [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server [Config]]] | + | |
- | - [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Clients [Config]]] | + | |
- | </WRAP> | + | |
+ | <tabbox Requirements> | ||
+ | <color #508CAA>**SSL VPN Requirements**</color> | ||
+ | |||
+ | - [[:doc:howto:openvpn-streamlined-server-setup#encryption|Encryption]] [Certificates] | ||
+ | - [[:doc:howto:openvpn-streamlined-server-setup#network|Network]] [VPN Interface] | ||
+ | - [[:doc:howto:openvpn-streamlined-server-setup#firewall|Firewall]] [Traffic Rules] | ||
+ | - [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|Server]] [Config] | ||
+ | - [[:doc:howto:openvpn-streamlined-server-setup#clients|Clients]] [Config]\\ \\ | ||
+ | |||
+ | <tabbox Editing> | ||
+ | <wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/Vim/.vimrc|VimRC]] [[http://vim.wikia.com/wiki/Tutorial|Vim Tutorial]]</wrap> | ||
+ | <color #508CAA>**Editing Configs**</color> | ||
+ | |||
+ | * Vim is the default command line text editor\\ \\ | ||
+ | * If you've never utilized Vim before, please see the Vim Tutorial | ||
+ | * Save the VimRC to ''<color #C86400>~/.vimrc</color>'' | ||
+ | </tabbox> | ||
</WRAP> | </WRAP> | ||
+ | |||
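Review bot: in the new Editing tab, "Save the VimRC to ~/.vimrc" asks the reader to install a file from an external GitHub link without saying what it configures; one line describing what the .vimrc sets (or a pointer to read it first) would let them judge whether to put a third-party config on the router. The Purpose tab's "encrypted connection for local traffic" under Gateway Redirect is also ambiguous (local to the client, or to the router's LAN?) and would benefit from naming which traffic is redirected into the tunnel.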
Line 29: | Line 42: | ||
<WRAP centeralign 78.25em lo> | <WRAP centeralign 78.25em lo> | ||
- | <wrap danger>Easy-RSA //does not// create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf</wrap> | + | <wrap warning><color #FFFFFF>Easy-RSA //does not// create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf</color></wrap> |
</WRAP> | </WRAP> | ||
+ | |||
<WRAP indent> | <WRAP indent> | ||
- | |||
==== Prerequisites ==== | ==== Prerequisites ==== | ||
<WRAP box lo> | <WRAP box lo> | ||
- | <wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/OpenSSL.cnf|openssl.cnf]]</wrap> | + | <wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf|openssl.cnf]]</wrap> |
<tabbox Prerequisites> | <tabbox Prerequisites> | ||
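Review bot: the openssl.cnf button link changes the filename case from OpenSSL.cnf to openssl.cnf; GitHub paths are case-sensitive, so the new URL should be checked against the repository before this goes live, since every later step depends on that file. The banner's "does not create secure enough certs" claim would also carry more weight with one concrete reason, i.e. which Easy-RSA limitation the custom openssl.cnf removes.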
Line 44: | Line 57: | ||
<color #508CAA>**OpenVPN Prerequisites**</color> | <color #508CAA>**OpenVPN Prerequisites**</color> | ||
- | - <color #4B4B4B>**Install Packages:**</color> | + | - **Install Packages:** |
- | - //''<color #647D00>opkg update ; opkg install openvpn-openssl luci-app-openvpn</color>''//\\ \\ | + | - //''<color #647D00>opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util</color>''//\\ \\ |
- | - <color #4B4B4B>**Download openssl.cnf:**</color> | + | - **Download openssl.cnf:** |
- | - <color #646464>Save as ''<color #C86400>/etc/ssl/openssl.cnf</color>''</color>\\ \\ | + | - Save as ''<color #C86400>/etc/ssl/openssl.cnf</color>''\\ \\ |
- | - <color #4B4B4B>**Navaigate to SSL directory & create required directories**</color> | + | - **Navaigate to SSL directory & create required directories** |
- //''<color #647D00>cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients</color>''//\\ \\ | - //''<color #647D00>cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients</color>''//\\ \\ | ||
- | - <color #4B4B4B>**Create Serial file**</color> | + | - **Create Serial file** |
- //''<color #647D00>echo 00 > serial</color>''// | - //''<color #647D00>echo 00 > serial</color>''// | ||
- | * <color #646464>Maintains the serial for the most recent cert in order to know what serial to next assign</color> | + | * Maintains the serial for the most recent cert in order to know what serial to next assign |
- | * <color #646464>Serial is in hex, not dec[//imal//] format</color>\\ \\ | + | * Serial is in hex, not dec[//imal//] format\\ \\ |
- | - <color #4B4B4B>**Create CRLnumber file**</color> | + | - **Create CRLnumber file** |
- | - //''<color #647D00>echo 00 > crlnumber</color>''// | + | - //''<color #647D00>echo 00 > crl/crlnumber</color>''// |
- | * <color #646464>CRL should be generated, but will only be utilized once a cert is revoked</color>\\ \\ | + | * CRL should be generated, but will only be utilized once a cert is revoked\\ \\ |
- | - <color #4B4B4B>**Create Index file**</color> | + | - **Create Index file** |
- //''<color #647D00>touch index</color>''// | - //''<color #647D00>touch index</color>''// | ||
- | * <color #646464>Maintains an index of all certs issued <sup>[lines 744 - 759]</sup></color> | + | * Maintains an index of all certs issued <sup><color #646464>[lines 644 - 689]</color></sup> |
- | * <color #646464>Keeps track of certs issued; extremely important if one has revoked a cert</color>\\ \\ | + | * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\ |
- | - <color #4B4B4B>**Create Rand file**</color> | + | - **Create Rand file** |
- //''<color #647D00>touch rand</color>''// | - //''<color #647D00>touch rand</color>''// | ||
- | * <color #646464>Utilized for random characters & is queried by OpenSSL during key creation</color> | + | * Utilized for random characters & is queried by OpenSSL during key creation |
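Review bot: the CRLnumber step now writes the counter to crl/crlnumber instead of ./crlnumber; that only works if the crlnumber directive in the downloaded openssl.cnf points at the same path, so the change should say so or be verified against the config (the `mkdir -p ca/csr crl openvpn/clients` step does create the directory first). Still in this hunk though untouched by the edit: "Navaigate" should be "Navigate", and the index-file reference moved from [lines 744 - 759] to [lines 644 - 689], which needs checking against the current openssl.cnf revision.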
Line 69: | Line 82: | ||
<color #508CAA>**File & Folder Locations**</color> | <color #508CAA>**File & Folder Locations**</color> | ||
- | - <color #4B4B4B>**Config Locations:**</color> | + | - **Config Locations:** |
- | * <color #646464>Firewall: ''<color #C86400>/etc/config/firewall</color>''</color> | + | * Firewall: ''<color #C86400>/etc/config/firewall</color>'' |
- | * <color #646464>Network: ''<color #C86400>/etc/config/network</color>''</color> | + | * Network: ''<color #C86400>/etc/config/network</color>'' |
- | * <color #646464>OpenVPN: ''<color #C86400>/etc/config/openvpn</color>''</color>\\ \\ | + | * OpenSSL: ''<color #C86400>/etc/ssl/openssl.cnf</color>'' |
- | - <color #4B4B4B>**Folder Locations:**</color> | + | * OpenVPN: ''<color #C86400>/etc/config/openvpn</color>''\\ \\ |
- | * <color #646464>SSL: ''<color #C86400>etc/ssl/</color>''</color> | + | - **Folder Locations:** |
- | * <color #646464>OpenVPN</color> | + | * OpenVPN |
- | * <color #646464>CA & ICA Certs: ''<color #C86400>/etc/ssl/ca/</color>''</color> | + | * CA & ICA Certs: ''<color #C86400>/etc/ssl/ca/</color>'' |
- | * <color #646464>CSR: ''<color #C86400>/etc/ssl/ca/csr/</color>''</color> | + | * CSR: ''<color #C86400>/etc/ssl/ca/csr/</color>'' |
- | * <color #646464>CRL: ''<color #C86400>/etc/ssl/crl/</color>''</color> | + | * CRL: ''<color #C86400>/etc/ssl/crl/</color>'' |
- | * <color #646464>Client Certs: ''<color #C86400>/etc/ssl/openvpn/clients/</color>''</color> | + | * Client Certs: ''<color #C86400>/etc/ssl/openvpn/clients/</color>'' |
- | * <color #646464>Server Certs: ''<color #C86400>/etc/ssl/openvpn/</color>''</color> | + | * Server Certs: ''<color #C86400>/etc/ssl/openvpn/</color>'' |
<tabbox Extensions> | <tabbox Extensions> | ||
<color #508CAA>**Certificate Extensions**</color> | <color #508CAA>**Certificate Extensions**</color> | ||
- | - <color #4B4B4B>**.csr:**</color> | + | - **.csr:** |
- | * <color #646464>//certificate request//</color>\\ \\ | + | * //certificate request//\\ \\ |
- | - <color #4B4B4B>**.key:**</color> | + | - **.key:** |
- | * <color #646464>//private key//</color> | + | * //private key// |
- | * <color #64646>4All key files, except for a server's, should be encrypted with a passphrase</color>\\ \\ | + | * 4All key files, except for a server's, should be encrypted with a passphrase\\ \\ |
- | - <color #4B4B4B>**.crt:**</color> | + | - **.crt:** |
- | * <color #646464>//signed certificate//</color>\\ \\ | + | * //signed certificate//\\ \\ |
- | - <color #4B4B4B>**.p12:**</color> | + | - **.p12:** |
- | * <color #646464>//PKCS12 certificate//</color> | + | * //PKCS12 certificate// |
- | * <color #646464>Contains the //CA.crt// or concatenated //ICA-CA.crt//, //Certificate.crt//, and //CertificateKey.key//</color> | + | * Contains the //CA.crt// or concatenated //ICA-CA.crt//, //Certificate.crt//, and //CertificateKey.key// |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
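Review bot: in the Extensions tab the .key entry now reads "4All key files, except for a server's, should be encrypted with a passphrase"; the leading "4" is the missing digit of the malformed `<color #64646>` tag in the previous revision, which spilled into the text, and should be dropped so the line reads "All key files ...". The File & Folder tab also removes the old "SSL: etc/ssl/" entry rather than fixing its missing leading slash; if the intent was to keep it, it should read "/etc/ssl/".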
Line 105: | Line 117: | ||
<tabbox Synopsis> | <tabbox Synopsis> | ||
+ | <wrap right button>[[https://www.feistyduck.com/books/openssl-cookbook/|Cookbook]] [[https://wiki.openssl.org/index.php/Main_Page|Wiki]]</wrap> | ||
<color #508CAA>**Section Synopsis**</color> | <color #508CAA>**Section Synopsis**</color> | ||
- | * <color #4B4B4B>**These tabs contain critical information one will likely find helpful while going through the steps in this wiki**</color> | + | * **These tabs contain critical information one will likely find helpful while going through the steps in this wiki** |
- | * <color #646464>Tabs 1 - 2 contain informational & reference links to the main man pages</color> | + | * Tabs 2 - 3 contain informational & reference links to the main man pages |
- | * <color #646464>Tabs 3 - 6 cover the definitions of KUs, EKUs, KEAs, & EC KEAs</color> | + | * Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs |
<tabbox Info> | <tabbox Info> | ||
- | <wrap right button>[[https://www.feistyduck.com/books/openssl-cookbook/|Cookbook]] [[https://wiki.openssl.org/index.php/Main_Page|Wiki]]</wrap> | + | <wrap right button>[[https://www.openssl.org/news/changelog.html|Changelog]]</wrap> |
<color #508CAA>**OpenSSL Information**</color> | <color #508CAA>**OpenSSL Information**</color> | ||
<WRAP centeralign box> | <WRAP centeralign box> | ||
<WRAP third column> | <WRAP third column> | ||
- | <wrap button>[[https://www.openssl.org/news/changelog.html|Changelog]]</wrap> | + | |
- | <wrap button>[[https://www.openssl.org/news/vulnerabilities.html|Vulnerabilities]]</wrap>\\ \\ | + | <wrap button>[[https://wiki.openssl.org/index.php/Certificate_Lifecycle|Certificates Explained]]</wrap>\\ \\ |
<wrap button>[[https://www.openssl.org/blog/|Blog]]</wrap> | <wrap button>[[https://www.openssl.org/blog/|Blog]]</wrap> | ||
- | <wrap button>[[https://wiki.openssl.org/index.php/Certificate_Lifecycle|Certificates Explained]]</wrap> | + | <wrap button>[[https://www.openssl.org/news/vulnerabilities.html|Vulnerabilities]]</wrap> |
<wrap button>[[https://www.openssl.org/news/newslog.html|News]]</wrap> | <wrap button>[[https://www.openssl.org/news/newslog.html|News]]</wrap> | ||
</WRAP> | </WRAP> | ||
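Review bot: moving the Changelog button out of the third column leaves an empty first line inside `<WRAP third column>` (the bare `+ |` line), which renders as a stray blank line; remove it or move the Certificates Explained button up. The Synopsis renumbering (Tabs 2 - 3, Tabs 4 - 7) is consistent with Synopsis itself now counting as tab 1.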
Line 177: | Line 190: | ||
<color #508CAA>**keyUsage**</color> | <color #508CAA>**keyUsage**</color> | ||
- | - <color #4B4B4B>**digitalSignature**</color> | + | - **digitalSignature** |
- | - <color #646464>Certificate may be used to apply a digital signature</color> | + | - Certificate may be used to apply a digital signature |
- | - <color #646464>Digital signatures are often used for entity authentication & data origin authentication with integrity</color>\\ \\ | + | - Digital signatures are often used for entity authentication & data origin authentication with integrity\\ \\ |
- | - <color #4B4B4B>**nonRepudiation**</color> | + | - **nonRepudiation** |
- | - <color #646464>Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services</color> | + | - Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services |
- | - <color #646464>This prevents the signing entity from falsely denying some action</color>\\ \\ | + | - This prevents the signing entity from falsely denying some action\\ \\ |
- | - <color #4B4B4B>**keyEncipherment**</color> | + | - **keyEncipherment** |
- | - <color #646464>Certificate may be used to encrypt a symmetric key which is then transferred to the target</color> | + | - Certificate may be used to encrypt a symmetric key which is then transferred to the target |
- | - <color #646464>Target decrypts key, subsequently using it to encrypt & decrypt data between the entities</color>\\ \\ | + | - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities\\ \\ |
- | - <color #4B4B4B>**dataEncipherment**</color> | + | - **dataEncipherment** |
- | - <color #646464>Certificate may be used to encrypt & decrypt actual application data</color>\\ \\ | + | - Certificate may be used to encrypt & decrypt actual application data\\ \\ |
- | - <color #4B4B4B>**keyAgreement**</color> | + | - **keyAgreement** |
- | - <color #646464>Certificate enables use of a key agreement protocol to establish a symmetric key with a target</color> | + | - Certificate enables use of a key agreement protocol to establish a symmetric key with a target |
- | - <color #646464>Symmetric key may then be used to encrypt & decrypt data sent between the entities</color>\\ \\ | + | - Symmetric key may then be used to encrypt & decrypt data sent between the entities\\ \\ |
- | - <color #4B4B4B>**keyCertSign**</color> | + | - **keyCertSign** |
- <wrap danger>CA ONLY</wrap> | - <wrap danger>CA ONLY</wrap> | ||
- | - <color #646464>Subject public key is used to verify signatures on certificates</color> | + | - Subject public key is used to verify signatures on certificates |
- <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\ | - <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\ | ||
- | - <color #4B4B4B>**cRLSign**</color> | + | - **cRLSign** |
- <wrap danger>CA ONLY</wrap> | - <wrap danger>CA ONLY</wrap> | ||
- | - <color #646464>Subject public key is to verify signatures on revocation information, such as a CRL</color> | + | - Subject public key is to verify signatures on revocation information, such as a CRL |
- <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\ | - <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\ | ||
- | - <color #4B4B4B>**encipherOnly**</color> | + | - **encipherOnly** |
- | - <color #646464>KU ''<color #009B9B>keyAgreement</color>'' is required</color> | + | - KU ''<color #009B9B>keyAgreement</color>'' is required |
- | - <color #646464>Public key used only for enciphering data while performing key agreement</color>\\ \\ | + | - Public key used only for enciphering data while performing key agreement\\ \\ |
- | - <color #4B4B4B>**decipherOnly**</color> | + | - **decipherOnly** |
- | - <color #646464>KU ''<color #009B9B>keyAgreement</color>'' is required</color> | + | - KU ''<color #009B9B>keyAgreement</color>'' is required |
- | - <color #646464>Public key used only for deciphering data while performing key agreement</color> | + | - Public key used only for deciphering data while performing key agreement |
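Review bot: the cRLSign entry reads "Subject public key is to verify signatures on revocation information"; "is used to verify", as the neighbouring keyCertSign entry puts it, is what is meant. Otherwise this hunk only strips the colour tags and leaves the content unchanged.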
Line 211: | Line 224: | ||
<color #508CAA>**extendedKeyUsage**</color> | <color #508CAA>**extendedKeyUsage**</color> | ||
- | - <color #4B4B4B>**serverAuth**</color> | + | - **serverAuth** |
- | - <color #646464>All VPN servers should be signed with this EKU present</color> | + | - All VPN servers should be signed with this EKU present |
- | - <color #646464>SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against</color> | + | - SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against |
- | - <color #646464>This supersedes ''<color #009B9B>nscertype</color>'' options (''<color #009B9B>ns</color>'' in ''<color #009B9B>nscertype</color>'' stands for NetScape [browser])</color>\\ \\ | + | - This supersedes ''<color #009B9B>nscertype</color>'' options (''<color #009B9B>ns</color>'' in ''<color #009B9B>nscertype</color>'' stands for NetScape [browser])\\ \\ |
- | - <color #4B4B4B>**clientAuth**</color> | + | - **clientAuth** |
- | - <color #646464>All VPN clients //must// be signed with this EKU present</color> | + | - All VPN clients //must// be signed with this EKU present |
- | - <color #646464>SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only</color>\\ \\ | + | - SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only\\ \\ |
- | - <color #4B4B4B>**codeSigning**</color> | + | - **codeSigning** |
- | - <color #646464>Code Signing</color>\\ \\ | + | - Code Signing\\ \\ |
- | - <color #4B4B4B>**emailProtection**</color> | + | - **emailProtection** |
- | - <color #646464>Email Protection via S/MIME, allows you to send and receive encrypted emails</color>\\ \\ | + | - Email Protection via S/MIME, allows you to send and receive encrypted emails\\ \\ |
- | - <color #4B4B4B>**timeStamping**</color> | + | - **timeStamping** |
- | - <color #646464>Trusted Timestamping</color>\\ \\ | + | - Trusted Timestamping\\ \\ |
- | - <color #4B4B4B>**OCSPSigning**</color> | + | - **OCSPSigning** |
- | - <color #646464>OCSP Signing</color>\\ \\ | + | - OCSP Signing\\ \\ |
- | - <color #4B4B4B>**ipsecIKE**</color> | + | - **ipsecIKE** |
- | - <color #646464>IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]</color> | + | - IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8] |
- | - <color #646464>Research needs to be performed to determine if this EKU should also no longer be utilized</color> | + | - Research needs to be performed to determine if this EKU should also no longer be utilized |
- | - <color #646464>''<color #009B9B>clientAuth</color>'' can be utilized in a IPSec VPN client cert</color>\\ \\ | + | - ''<color #009B9B>clientAuth</color>'' can be utilized in a IPSec VPN client cert\\ \\ |
- | - <color #4B4B4B>**ipsecEndSystem, ipsecTunnel, & ipsecUser**</color> | + | - **ipsecEndSystem, ipsecTunnel, & ipsecUser** |
- <wrap danger>SHOULD NOT BE UTILIZED</wrap> | - <wrap danger>SHOULD NOT BE UTILIZED</wrap> | ||
- | - <color #646464>Assigned in 1999, the semantics of these values were never clearly defined</color> | + | - Assigned in 1999, the semantics of these values were never clearly defined |
- | - <color #646464>The use of these three EKU values in IKE/IPsec is obsolete and explicitly deprecated by this specification</color>\\ \\ | + | - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <sup><color #646464>[5.1.3.12]</color></sup>\\ \\ |
- | - <color #4B4B4B>**msCodeInd**</color> | + | - **msCodeInd** |
- | - <color #646464>Microsoft Individual Code Signing (authenticode)</color>\\ \\ | + | - Microsoft Individual Code Signing (authenticode)\\ \\ |
- | - <color #4B4B4B>**msCodeCom**</color> | + | - **msCodeCom** |
- | - <color #646464>Microsoft Commerical Code Signing (authenticode)</color>\\ \\ | + | - Microsoft Commerical Code Signing (authenticode)\\ \\ |
- | - <color #4B4B4B>**mcCTLSign**</color> | + | - **mcCTLSign** |
- | - <color #646464>Microsoft Trust List Signing</color>\\ \\ | + | - Microsoft Trust List Signing\\ \\ |
- | - <color #4B4B4B>**msEFS**</color> | + | - **msEFS** |
- | - <color #646464>Microsoft Encrypted File System Signing</color>\\ \\ | + | - Microsoft Encrypted File System Signing\\ \\ |
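Review bot: "mcCTLSign" should be "msCTLSign", OpenSSL's short name for Microsoft Trust List Signing (the other Microsoft entries all use the "ms" prefix), and "Commerical" under msCodeCom should be "Commercial". The newly cited RFC 4945 is also the document that defines id-kp-ipsecIKE, so the "Research needs to be performed" line under ipsecIKE could be resolved from the same citation instead of being left open.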
Line 247: | Line 260: | ||
<color #508CAA>**Key Exchange**</color> | <color #508CAA>**Key Exchange**</color> | ||
- | - <color #4B4B4B>**RSA**</color> | + | - **RSA** |
- | - <color #646464>Key exchange occurs via encryption of a random value</color> | + | - Key exchange occurs via encryption of a random value |
- | - <color #646464>Client chooses a random value via the server public key</color> | + | - Client chooses a random value via the server public key |
- | - <color #646464>Server public key must be an RSA key</color> | + | - Server public key must be an RSA key |
- | - <color #646464>Server certificate must utilize KU ''<color #009B9B>keyAgreement</color>''</color>\\ \\ | + | - Server certificate must utilize KU ''<color #009B9B>keyAgreement</color>''\\ \\ |
- | - <color #4B4B4B>**DH_RSA**</color> | + | - **DH_RSA** |
- | - <color #646464>Key exchange occurs via a static Diffie-Hellman key</color> | + | - Key exchange occurs via a static Diffie-Hellman key |
- | - <color #646464>Server public key must be a Diffie-Hellman key</color> | + | - Server public key must be a Diffie-Hellman key |
- | - <color #646464>Diffie-Hellman key must have been issued by a CA</color> | + | - Diffie-Hellman key must have been issued by a CA |
- | - <color #646464>CA must be using an RSA key signing key</color>\\ \\ | + | - CA must be using an RSA key signing key\\ \\ |
- | - <color #4B4B4B>**DH_DSA**</color> | + | - **DH_DSA** |
- | - <color #646464>Like ''<color #009B9B>DH_RSA</color>'', except CA used a DSA key in lieu of RSA</color>\\ \\ | + | - Like ''<color #009B9B>DH_RSA</color>'', except CA used a DSA key in lieu of RSA\\ \\ |
- | - <color #4B4B4B>**DHE_RSA**</color> | + | - **DHE_RSA** |
- | - <color #646464>Key exchange occurs via an ephemeral Diffie-Hellman</color> | + | - Key exchange occurs via an ephemeral Diffie-Hellman |
- | - <color #646464>Server dynamically generates & signs a DH public key, sending it to the client</color> | + | - Server dynamically generates & signs a DH public key, sending it to the client |
- | - <color #646464>Server Public Key must be an RSA key</color> | + | - Server Public Key must be an RSA key |
- | - <color #646464>Server certificate must utilize KU ''<color #009B9B>digitalSignature</color>''</color>\\ \\ | + | - Server certificate must utilize KU ''<color #009B9B>digitalSignature</color>''\\ \\ |
- | - <color #4B4B4B>**DHE_DSA**</color> | + | - **DHE_DSA** |
- | - <color #646464>Like ''<color #009B9B>DHE_RSA</color>'', except CA used a DSA key in lieu of RSA</color> | + | - Like ''<color #009B9B>DHE_RSA</color>'', except CA used a DSA key in lieu of RSA |
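Review bot: the RSA entry ends with "Server certificate must utilize KU keyAgreement", but the exchange it describes (the client encrypts a random value under the server's public key, the server decrypts it) is exactly the keyEncipherment definition given in the keyUsage tab, so this line should say keyEncipherment; keyAgreement belongs with the Diffie-Hellman entries. "Client chooses a random value via the server public key" would also be clearer as "Client encrypts a random value with the server public key".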
Line 271: | Line 284: | ||
<color #508CAA>**Elliptic-Curve Key Exchange**</color> | <color #508CAA>**Elliptic-Curve Key Exchange**</color> | ||
- | - <color #4B4B4B>**ECDH_ECDSA**</color> | + | - **ECDH_ECDSA** |
- | - <color #646464>Like DH_DSA, but with elliptic curves</color> | + | - Like ''<color #009B9B>DH_DSA</color>'', but with elliptic curves |
- | - <color #646464>Server public key must be an ECDH key</color> | + | - Server public key must be an ECDH key |
- | - <color #646464>Server certificate must be issued by a CA utilizing an ECDSA public key</color>\\ \\ | + | - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\ |
- | - <color #4B4B4B>**ECDH_RSA**</color> | + | - **ECDH_RSA** |
- | - <color #646464>Like ''<color #009B9B>ECDH_ECDSA</color>'', except CA used an RSA key</color>\\ \\ | + | - Like ''<color #009B9B>ECDH_ECDSA</color>'', except CA used an RSA key\\ \\ |
- | - <color #4B4B4B>**ECDHE_ECDSA**</color> | + | - **ECDHE_ECDSA** |
- | - <color #646464>Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key</color> | + | - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key |
- | - <color #646464>Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature</color>\\ \\ | + | - Equivalent to ''<color #009B9B>DHE_DSS</color>'', but with elliptic curves for both the Diffie-Hellman & signature\\ \\ |
- | - <color #4B4B4B>**ECDHE_RSA**</color> | + | - **ECDHE_RSA** |
- | - <color #646464>Like ''<color #009B9B>ECDHE_ECDSA</color>'', except Server public key is an RSA key</color> | + | - Like ''<color #009B9B>ECDHE_ECDSA</color>'', except Server public key is an RSA key |
- | - <color #646464>Server public key signs the ephemeral EC Diffie-Hellman key</color> | + | - Server public key signs the ephemeral EC Diffie-Hellman key |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
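Review bot: "it's ECDSA key" under ECDHE_ECDSA should be "its". The same entry compares to DHE_DSS while the Key Exchange tab calls that suite DHE_DSA; use one spelling in both tabs (DHE_DSS is the TLS cipher-suite name, DHE_DSA the form used earlier on this page).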
Line 291: | Line 304: | ||
=== CA Creation === | === CA Creation === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
<tabbox Prerequisites> | <tabbox Prerequisites> | ||
<wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | ||
Line 297: | Line 310: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color> | + | **Modify the following SubjectAltNames & V3 Profiles** |
- | - <color #646464>**Certificate Authorities** <sup>[Line 228]</sup></color> | + | - **Certificate Authorities** <sup>[Line 177]</sup> |
- | - <color #4B4B4B4>//Main//</color> | + | - //Main// |
- | - <color #646464>**Line 234:**</color> ''<color #647D00>DNS.1 = Router.1</color>'' | + | - **Line 183:** ''<color #647D00>DNS.1 = //Router.1//</color>'' |
- | * <color #646464>//Change//</color> ''<color #506400>//Router.1//</color>'' <color #646464>//to what you'd like the name of your Certificate Authority to be//</color>\\ \\ | + | * //Change// ''<color #007DC8>Router.1</color>'' //to what you'd like the name of your Certificate Authority to be//\\ \\ |
- | - <color #646464>**Certificate Authority Clients** <sup>[Line 253]</sup></color> | + | - **Certificate Authority Clients** <sup><color #646464>[Line 205]</color></sup> |
- | - <color #4B4B4B4>//Servers//</color> | + | - //Servers// |
- | * <color #646464>**Lines:** 259 - 281</color> | + | * **Lines:** 198 - 220 |
- | - <color #4B4B4B4>//Clients//</color> | + | - //Clients// |
- | * <color #646464>**Lines:** 283 - 287</color>\\ \\ | + | * **Lines:** 222 - 226\\ \\ |
- | - <color #646464>**Change SAN & V3 profile names from** ''<color #647D00>alt_ca_main</color>'' **to** ''<color #647D00>alt_ca_openwrt</color>''</color> <sup><color #646464>[lines 233, 353, & 357]</color></sup> | + | |
- | - <color #646464>**Line 233:** ''<color #647D00>[ alt_ca_openwrt ]</color>''</color> | + | |
- | - <color #646464>**Line 353:** ''<color #647D00>[ v3_ca_openwrt ]</color>''</color> | + | |
- | - <color #646464>**Line 357:** ''<color #647D00>subjectAltName = @alt_ca_openwrt</color>''</color> | + | |
</WRAP> | </WRAP> | ||
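Review bot: the updated line references are internally inconsistent: "Certificate Authority Clients" is placed at Line 205, yet its Servers sub-range is given as lines 198 - 220, which starts before the section it belongs to (the previous revision had header 253 with servers 259 - 281, which was consistent); one of the numbers should be rechecked against the current openssl.cnf. Dropping the "Change SAN & V3 profile names" step also means the CA commands must keep the stock alt_ca_main / v3_ca_* section names, so the CA command block (not in this diff) needs the same treatment the ICA commands received.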
Line 330: | Line 339: | ||
=== ICA Creation === | === ICA Creation === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
<tabbox Prerequisites> | <tabbox Prerequisites> | ||
<wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | ||
Line 337: | Line 345: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color> | + | **Modify the following SubjectAltNames & V3 Profiles** |
- | - <color #646464>**Certificate Authorities** <sup>[Line 228]</sup></color> | + | - **Certificate Authorities** <sup><color #646464>[Line 177]</color></sup> |
- | - <color #4B4B4B>//Router 2//</color> | + | - //Router 2// |
- | - <color #646464>**Line 239:**</color> ''<color #647D00>DNS.1 = Router.2</color>'' | + | - **Line 188:** ''<color #647D00>DNS.1 = //Router.2//</color>'' |
- | * <color #646464>//Change ''<color #647D00>Router.2</color>'' to what you'd like the name of your Intermediate CA to be//</color>\\ \\ | + | * //Change// ''<color #007DC8>Router.2</color>'' //to what you'd like the name of your Intermediate CA to be//\\ \\ |
- | - <color #646464>**Intermediate Certificate Authority Clients** <sup>[Line 290]</sup></color> | + | - **Intermediate Certificate Authority Clients** <sup><color #646464>[Line 229]</color></sup> |
- | - <color #4B4B4B4>//Servers//</color> | + | -//Servers// |
- | * <color #646464>**Lines:** 296 - 312</color> | + | * **Lines:** 235 - 251 |
- | - <color #4B4B4B4>//Clients//</color> | + | - //Clients// |
- | * <color #646464>**Lines:** 314 - 322:</color>\\ \\ | + | * **Lines:** 253 - 261:\\ \\ |
- | - <color #646464>**Change SAN & V3 profile names from** ''<color #647D00>alt_ica_router2</color>'' **to** ''<color #647D00>alt_ica_openvpn</color>''</color> <sup>[lines 238, 360, & 364]</sup> | + | |
- | - <color #646464>**Line 238:** ''<color #647D00>[ alt_ica_openvpn ]</color>''</color> | + | |
- | - <color #646464>**Line 360:** ''<color #647D00>[ v3_ica_openvpn ]</color>''</color> | + | |
- | - <color #646464>**Line 364:** ''<color #647D00>subjectAltName = @alt_ica_openvpn</color>''</color> | + | |
</WRAP> | </WRAP> | ||
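Review bot: the Servers item is now written "-//Servers//" with no space after the dash, which DokuWiki will not render as a list item; restore the space as in the Clients item. Minor: "Lines: 253 - 261:" carries a trailing colon. The new references here (header 229, servers 235 - 251, clients 253 - 261) are at least consistent with each other.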
Line 359: | Line 363: | ||
<color #508CAA>**ICA OpenSSL Commands**</color> | <color #508CAA>**ICA OpenSSL Commands**</color> | ||
- | - <color #4B4B4B4>**Generate Intermediate CA CSR**</color>\\ <code bash>openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn</code> | + | - <color #4B4B4B4>**Generate Intermediate CA CSR**</color>\\ <code bash>openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_router2</code> |
* <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\ | * <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\ | ||
- | - <color #4B4B4B4>**Create & Sign ICA with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn</code> | + | - <color #4B4B4B4>**Create & Sign ICA with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_router2</code> |
- <color #4B4B4B4>**Generate ICA CRL**</color>\\ <code bash>openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf</code> | - <color #4B4B4B4>**Generate ICA CRL**</color>\\ <code bash>openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf</code> | ||
- <color #4B4B4B4>**Convert ICA CRL -> DER CRL**</color>\\ <code bash>openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl</code> | - <color #4B4B4B4>**Convert ICA CRL -> DER CRL**</color>\\ <code bash>openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl</code> | ||
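Review bot: switching both commands to -extensions v3_ica_router2 is consistent with removing the rename step, but -extensions on `openssl req` only takes effect together with -x509; the request-extension option for a plain CSR is -reqexts, so the flag on the first command is silently ignored (harmless here, because the extensions are applied in the `openssl x509 -req -extfile ./openssl.cnf -extensions v3_ica_router2` signing step, but the command should not suggest otherwise). The ICA key is also written as ca/OpenVPN-ICA.key while the CA files follow the .key.pem / .crt.pem convention; one naming scheme would make the later -keyfile and -CAkey arguments less error-prone.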
Line 371: | Line 375: | ||
=== Index File === | === Index File === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
<tabbox Info> | <tabbox Info> | ||
+ | <wrap right>''<color #C86400>/etc/ssl/index</color>''</wrap> | ||
<color #508CAA>**Index Info**</color> | <color #508CAA>**Index Info**</color> | ||
- | * <color #4B4B4B>**If wishing to maintain the index file automatically,** ''openssl ca'' **must be used to sign certs**</color> | + | * **If wishing to maintain the index file automatically,** ''<color #647D00>openssl ca</color>'' **must be used to sign certs** |
- | * <color #646464>''openssl ca'' is not used in this wiki as it requires additional steps & adds unneeded complexity</color>\\ \\ | + | * ''openssl ca'' is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\ |
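Review bot: "openssl ca is not used in this wiki" is contradicted by the ICA CRL step just above, which runs `openssl ca -gencrl ... -config ./openssl.cnf` and therefore reads the same index file this tab describes; narrow the statement to "openssl ca is not used to sign certs in this wiki" so readers know the index still has to be valid for CRL generation.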
Line 385: | Line 390: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format**</color> | + | **Manually maintaining the index file consists of inputting 1 cert entry per line in the following format** |
+ | * Entering certificate information into the index file takes ~30s per cert | ||
+ | * Copy & paste DN from the output of: '' //<color #647D00>openssl x509 -in certificate.crt -text -noout</color>//'' | ||
<code cpp> | <code cpp> | ||
- | V 261231235959Z 0a unknown /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com | + | V 261231235959Z 0a unknown /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com |
- | 1 2-----------> 4-> 5-----> 6---------------------------------------------------------------------------------------------------></code> | + | 1 2-----------> 3-> 4-> 5-----> 6---------------------------------------------------------------------------------------------------></code> |
</WRAP> | </WRAP> | ||
- | - <color #4B4B4B>**Status of Certificate**</color> | + | - **Status of Certificate** |
- | - <color #646464>**''V''** [Valid]</color> | + | - **''V''** [Valid] |
- | - <color #646464>**''R''** [Revoked]</color> | + | - **''R''** [Revoked] |
- | - <color #646464>**''E''** [Expired]</color>\\ \\ | + | - **''E''** [Expired]\\ \\ |
- | - <color #4B4B4B>**Expiration Date**</color> | + | - **Expiration Date** |
- | - <color #646464>Format: **''YYMMDDHHMMSS''** followed by **''Z''**</color> | + | - Format: **''YYMMDDHHMMSS''** followed by **''Z''** |
- | * <color #646464>//2026.12.31 @ 23:59:59//</color>\\ \\ | + | * //2026.12.31 @ 23:59:59//\\ \\ |
- | - <color #4B4B4B>**Revocation Date**</color> | + | - **Revocation Date** |
- | - <color #646464>Format: **''YYMMDDHHMMSSZ,reason''**</color> | + | - Format: **''YYMMDDHHMMSSZ,reason''** |
- | - <color #4B4B4B>Valid reasons are:</color> | + | - Valid reasons are: |
- ''<color #009B9B>keyCompromise</color>'' | - ''<color #009B9B>keyCompromise</color>'' | ||
- ''<color #009B9B>CACompromise</color>'' | - ''<color #009B9B>CACompromise</color>'' | ||
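Review bot: the index sample loses its field separators in a `<code cpp>` block, and the text never says what they are; OpenSSL's index database is TAB-separated (status, expiry, revocation, serial, filename, DN), so the example should state that and use a plain `<code>` block, otherwise copying the line with spaces produces an index that `openssl ca -gencrl` rejects. The "copy & paste DN" tip also needs a caveat: the Subject line printed by `openssl x509 -text -noout` is comma-separated (`C=US, ST=State, ...`), so it has to be rewritten into the slash form `/C=US/ST=State/...` shown in the sample before it goes into the index.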
Line 408: | Line 415: | ||
- ''<color #009B9B>privilegeWithdrawn</color>'' | - ''<color #009B9B>privilegeWithdrawn</color>'' | ||
- ''<color #009B9B>AACompromise</color>'' | - ''<color #009B9B>AACompromise</color>'' | ||
- | - <color #646464>Empty if not revoked</color>\\ \\ | + | - Empty if not revoked |
- | - <color #4B4B4B>**Serial number** <sup>(//hex// format)</sup></color> | + | * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\ |
- | - <color #646464>**''0a''** is hex for 10</color> | + | - **Serial number** <sup><color #646464>(//hex// format)</color></sup> |
- | - <color #646464>**Windows:**</color> | + | - **''0a''** is hex for 10 |
- | * <color #646464>Calculator has programmer feature which can convert dec <-> hex</color> | + | - **Windows:** |
- | - <color #646464>**Linux/BSD**</color> | + | * Calculator has programmer feature which can convert dec <-> hex |
- | * <color #646464>cli hex -> dec: '' //<color #647D00>printf '%d\n' 0x0a</color>// '' returns ''<color #647D00>10</color>''</color> | + | - **Linux/BSD** |
- | * <color #646464>cli dec -> hex: '' //<color #647D00>printf '%x\n' 10</color>// '' returns ''<color #647D00>0a</color>''</color> \\ \\ | + | * cli hex -> dec: '' //<color #647D00>printf '%d\n' 0x0a</color>// '' returns ''<color #647D00>10</color>'' |
- | - <color #4B4B4B>**Certificate Filename or Literal String**</color> | + | * cli dec -> hex: '' //<color #647D00>printf '%x\n' 10</color>// '' returns ''<color #647D00>0a</color>'' \\ \\ |
- | - <color #646464>Certificate Filename or Literal String **''unknown''**</color>\\ \\ | + | - **Certificate Filename or Literal String** |
- | - <color #4B4B4B>**Distinguished Name**</color> | + | - Certificate Filename or Literal String **''unknown''**\\ \\ |
- | + | - **Distinguished Name** | |
- | * <color #646464>**Entering the cert information into the index file takes ~30s per cert**</color> | + | |
- | * <color #646464>Copy & paste DN from the output of: '' //<color #647D00>openssl x509 -in certificate.crt -text -noout</color>//''</color> | + | |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
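Review bot: the dec -> hex example under Linux/BSD is wrong as written: `printf '%x\n' 10` prints `a`, not `0a`; to get the zero-padded two-digit form that the index sample (and the serial file written by `-CAserial`) uses, the command should be `printf '%02x\n' 10`. The hex -> dec line (`printf '%d\n' 0x0a` -> `10`) is correct.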
Line 427: | Line 432: | ||
=== Server Cert === | === Server Cert === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
<tabbox Prerequisites> | <tabbox Prerequisites> | ||
<wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap> | ||
Line 434: | Line 438: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color> | + | **Modify the following SubjectAltNames & V3 Profiles** |
<WRAP indent> | <WRAP indent> | ||
**__SubjectAltNames Profile__** | **__SubjectAltNames Profile__** | ||
- | - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 290)</color></sup> | + | - **Intermediate Certificate Authority Clients** <sup>(Line 229)</sup> |
- | - <color #4B4B4B>//Change the SAN alt name ''<color #647D00>alt_vpn_server2</color>'' to ''<color #647D00>alt_openvpn_server</color>''//</color> | + | - //Change the server's SAN IP from// ''<color #647D00>10.0.1.1</color>'' //to match your VPN Server IP// |
- | - <color #646464>**Line 310:** ''<color #647D00>[ alt_openvpn_server ]</color>''</color>\\ \\ | + | - **Line 250:** ''<color #647D00>IP.1 = //10.0.1.1//</color>''\\ \\ |
- | - <color #4B4B4B>//Change the SAN IP from ''<color #647D00>10.0.1.1</color>'' to match your VPN Server IP//</color> | + | - //Change the SAN DNS from// ''<color #647D00>your.ddns.com</color>'' //to match your own DDNS and/or FQDN// |
- | - <color #646464>**Line 311:** ''<color #647D00>IP.1 = 10.0.1.1</color>''</color>\\ \\ | + | - **Line 251:** ''<color #647D00>DNS.1 = //your.ddns.com//</color>'' |
- | - <color #4B4B4B>//Change the SAN DNS from ''<color #647D00>your.ddns.com</color>'' to match your own DDNS and/or FQDN//</color> | + | * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.) |
- | - <color #646464>**Line 312:** ''<color #647D00>DNS.1 = your.ddns.com</color>''</color> | + | |
- | * <color #646464>//For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)</color> | + | |
- | + | ||
- | **__V3 Profile__** | + | |
- | + | ||
- | - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 473)</color></sup> | + | |
- | - <color #4B4B4B>//Change the V3 profile name from ''<color #647D00>[ v3_vpn_server2 ]</color>'' to match alt name set above//</color> | + | |
- | - <color #646464>**Line 496:** ''<color #647D00>[ v3_openvpn_server ]</color>''</color>\\ \\ | + | |
- | - <color #4B4B4B>//Change the SAN alt name from ''<color #647D00>@alt_vpn_server2</color>'' to match alt name set above//</color> | + | |
- | - <color #646464>**Line 502:** ''<color #647D00>subjectAltName = @alt_openvpn_server</color>''</color> | + | |
</WRAP> | </WRAP> | ||
</WRAP> | </WRAP> | ||
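Review bot: the heading "Modify the following SubjectAltNames & V3 Profiles" is now inaccurate, because this revision removes the whole "V3 Profile" sub-list (the `[ v3_openvpn_server ]` / `subjectAltName = @alt_openvpn_server` renames) and leaves only the SubjectAltNames edits; rename the heading to "Modify the following SubjectAltNames Profile" or say explicitly that the `v3_vpn_server` section is used unchanged, so readers don't go looking for a missing step.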
Line 462: | Line 456: | ||
<color #508CAA>**Server Cert OpenSSL Commands**</color> | <color #508CAA>**Server Cert OpenSSL Commands**</color> | ||
- | - <color #4B4B4B>**Generate VPN Server CSR**</color>\\ <code bash>openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes</code> | + | - **Generate VPN Server CSR**\\ <code bash>openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes</code> |
- | * <color #4B4B4B>**''-nodes''**</color> <color #4B4B4B>creates a signing key without encryption</color> | + | * **''-nodes''** creates a signing key without encryption |
- | * <color #646464>For server certs **//only//**, as a passphrase prevents the server from starting/restarting without manual intervention</color>\\ \\ | + | * For server certs **//only//**, as a passphrase prevents the server from starting/restarting without manual intervention\\ \\ |
- | - <color #4B4B4B>**Create & Sign Cert with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_vpn_server</code> | + | - **Create & Sign Cert with CA**\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_vpn_server</code> |
- | - <color #4B4B4B>**Export to PKCS12**</color>\\ <code bash>openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</code> | + | - **Export to PKCS12**\\ <code bash>openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</code> |
* <color #AF0000>**//Do not encrypt this PKCS12//**</color>\\ \\ | * <color #AF0000>**//Do not encrypt this PKCS12//**</color>\\ \\ | ||
- | * <color #4B4B4B4>ICA is still used to sign the certs it issues</color> | + | * ICA is still used to sign the certs it issues |
- | * <color #646464>ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust</color> | + | * ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust |
- | * <color #646464>//Chain of Trust hierarchy: CA -> Intermediate CA -> Client//</color> | + | * //Chain of Trust hierarchy: CA -> Intermediate CA -> Client// |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
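Review bot: in the CSR step, `-extensions v3_vpn_server` and `-days 3650` have no effect on `openssl req` without `-x509` on the OpenSSL 1.x releases this guide targets (`-reqexts` is the request-side option, and `-days` only applies to self-signed output); this is harmless only because the signing step re-applies the section via `-extfile ./openssl.cnf -extensions v3_vpn_server`, and `openssl x509 -req` ignores extensions carried in the CSR anyway. Either drop the two options from the CSR command or change `-extensions` to `-reqexts`, and say in the `-nodes` note that the resulting unencrypted key must stay mode 600 on the router.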
Line 477: | Line 471: | ||
=== Client Certs === | === Client Certs === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
- | <wrap danger>Do not use the same Common Name (CN) on more than one certificate</wrap> | + | <WRAP centeralign><wrap danger>Do not use the same Common Name (CN) on more than one certificate</wrap></WRAP> |
<tabbox Prerequisites> | <tabbox Prerequisites> | ||
Line 485: | Line 479: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color> | + | **Modify the following SubjectAltNames & V3 Profiles** |
<WRAP indent> | <WRAP indent> | ||
**__SubjectAltNames Profile__** | **__SubjectAltNames Profile__** | ||
- | - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 290)</color></sup> | + | - **Intermediate Certificate Authority Clients** <sup><color #646464>(Line 229)</color></sup> |
- | - <color #4B4B4B>//Change the SAN alt name ''<color #647D00>alt_vpn2_user1'' to ''alt_openvpn_//<username>//</color>''//</color> | + | - //Change the SAN DNS from// ''<color #647D00>VPNserver-Client1-Device-Hostname</color>'' //to match client username// |
- | - <color #646464>**Line 315:** ''<color #647D00>[ alt_openvpn_//<username>// ]</color>''</color>\\ \\ | + | - **Line 255:** ''<color #647D00>DNS.1 = //VPN-<username>-Hostname//</color>'' |
- | - <color #4B4B4B>//Change the SAN DNS from ''<color #647D00>VPNserver-Client1-Device-Hostname</color>'' to match client username//</color> | + | * //This makes configuring CCD more convenient//\\ \\ |
- | - <color #646464>**Line 316:** ''<color #647D00>DNS.1 = VPN-//<username>//-Hostname</color>''</color> | + | - //Change the SAN email from// ''<color #647D00>user1@email.com</color>'' //to user's email// |
- | * <color #646464>//This makes configuring CCD more convenient//</color>\\ \\ | + | - **Line 256** ''<color #647D00>email.1 = //user1@email.com//</color>'' |
- | - <color #4B4B4B>//Change the SAN email from ''<color #647D00>user1@email.com</color>'' to user's email//</color> | + | |
- | - <color #646464>**Line 317:** ''<color #647D00>email.1 = user1@email.com</color>''</color> | + | |
- | + | ||
- | **__V3 Profile__** | + | |
- | + | ||
- | - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 473)</color></sup> | + | |
- | - <color #4B4B4B>//Change the V3 profile name from ''<color #647D00>[ v3_vpn2_user1 ]</color>'' to match alt name set above//</color> | + | |
- | - <color #646464>**Line 505:** ''<color #647D00>[ v3_openvpn_//<username>// ]</color>''</color>\\ \\ | + | |
- | - <color #4B4B4B>//Change the SAN alt name from ''<color #647D00>@alt_vpn2_user1</color>'' to match alt name set above//</color> | + | |
- | - <color #646464>**Line 511:** ''<color #647D00>subjectAltName = @alt_openvpn_//<username>//</color>''</color> | + | |
</WRAP> | </WRAP> | ||
</WRAP> | </WRAP> | ||
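Review bot: same heading problem as the Server Cert tab: "Modify the following SubjectAltNames & V3 Profiles" still promises V3 Profile edits that this revision deletes (the per-user `[ v3_openvpn_<username> ]` / `@alt_openvpn_<username>` renames), so only the SAN DNS/email edits remain; adjust the heading accordingly. Minor: "**Line 256**" is missing the colon used on "**Line 255:**".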
Line 514: | Line 498: | ||
<color #508CAA>**Client Cert OpenSSL Commands**</color> | <color #508CAA>**Client Cert OpenSSL Commands**</color> | ||
- | - <color #4B4B4B>**Generate VPN Client Certs**</color>\\ <code bash>openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username></code> | + | - **Generate VPN Client Certs**\\ <code bash>openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_vpn2_user1</code> |
* <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\ | * <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\ | ||
- | - <color #4B4B4B>**Sign Cert with CA**</color>\\ <code bash>openssl x509 req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username></code> | + | - **Sign Cert with CA**\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_vpn2_user1</code> |
- | - <color #4B4B4B>**Export to PKCS12**</color>\\ <code bash>openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</code> | + | - **Export to PKCS12**\\ <code bash>openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</code> |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
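Review bot: the signing step is inconsistent with the rest of the certificate workflow. "Sign Cert with CA" signs the client against the root (`-CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key`), while the server cert is issued by the ICA and the export step here bundles the ICA chain (`OpenWrt-OpenVPN_ICA-Chain.crt.pem`), which is the wrong chain for a root-issued certificate; use the ICA (`-CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key`) as the server step does. The root key is also named `ca/OpenWrt-CA.key.pem` in the ICA step but `ca/OpenWrt-CA.key` here, and the PKCS12 export reads `vpn-client1.key.pem` / `vpn-client1.crt.pem` although the req and sign steps write `vpn-client1-<username>-<hostname>.key.pem` / `.crt.pem`, so the export fails as written. Finally, since every client now uses the shared `v3_vpn2_user1` section, the DNS.1/email.1 lines (255/256) in the Prerequisites tab must be re-edited before each additional client's CSR and signing, or every client inherits the first user's SAN values.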
Line 524: | Line 508: | ||
=== Diffie-Hellman Key === | === Diffie-Hellman Key === | ||
- | <WRAP 75em lo> | + | <WRAP indent 75em lo> |
- | <wrap right button>[[https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography|EC Cryptography]] [[https://wiki.openssl.org/index.php/Diffie_Hellman|Diifie-Hellman]]</wrap> | + | <wrap right button>[[https://wiki.openssl.org/index.php/Diffie_Hellman|DH Wiki]] [[https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography|EC Wiki]]</wrap> |
</WRAP> | </WRAP> | ||
- | <WRAP 53.5em lo> | ||
- | - <color #4B4B4B>**Generate DH Key**</color> <sup><color #646464>(executed from</color> ''<color #C86400>/etc/ssl/</color>''<color #646464>)</color></sup>\\ <code bash>openssl dhparam -out openvpn/dh2048.pem 2048</code> | + | <WRAP 51.5em lo> |
- | * <color #4B4B4B>**Generating DH keys takes substantial amounts of time**</color>\\ \\ | + | |
- | * <color #4B4B4B>**You may wish to generate 3072bit and 4096bit DH keys as well**</color> | + | - **Generate DH Key** <sup><color #646464>(executed from ''<color #C86400>/etc/ssl/</color>'')</color></sup>\\ <code bash>openssl dhparam -out openvpn/dh2048.pem 2048</code> |
- | * <color #646464>Generating multiple DH keys at once takes substantially less time due to the rand file</color>\\ \\ | + | * **Generating DH keys takes substantial amounts of time**\\ \\ |
- | * <color #4B4B4B>**OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4**</color> | + | * **You may wish to generate 3072bit and 4096bit DH keys as well** |
- | * <color #646464>For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key</color> | + | * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\ |
- | * <color #646464>For example, if you generate 2048bit cert keys, your dh.pem must exceed that value</color> | + | * **OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4** |
+ | * For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key | ||
+ | * For example, if you generate 2048bit cert keys, your dh.pem must exceed that value | ||
</WRAP> | </WRAP> | ||
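Review bot: the two EC bullets are misleading. The size of the DH parameters in dh2048.pem is independent of the RSA size of the certificate keys (2048-bit DH with 2048-bit RSA is the usual pairing), and when OpenVPN 2.4 negotiates an elliptic-curve exchange (ECDH) the dhparam file is not used for key agreement at all, so "dh.pem must exceed that value" has no basis; rewrite the note to say that DH parameter size is chosen on its own, with 2048 bits as the baseline, and that EC key exchange is configured separately from dhparam.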
Line 541: | Line 526: | ||
=== TLS-Auth Key === | === TLS-Auth Key === | ||
- | <WRAP 53.5em lo> | + | <WRAP 51.5em lo> |
- | - <color #4B4B4B>**Generate TLS-Auth key**</color> <sup><color #646464>(executed from</color> ''<color #C86400>/etc/ssl/</color>''<color #646464>)</color></sup>\\ <code bash>openvpn --genkey --secret openvpn/ta.key</code> | + | - **Generate TLS-Auth key** <sup>(<color #646464>executed from</color> ''<color #C86400>/etc/ssl/</color>'')</sup>\\ <code bash>openvpn --genkey --secret openvpn/tls-auth.key</code> |
- | * <color #4B4B4B>**This ensures PFS**</color> <color #646464>[Perfect Forward Secrecy]</color> <color #4B4B4B>**is maintained when utilizing a SSL cipher**</color>\\ \\ | + | * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\ |
- | * <color #4B4B4B>''tls-auth'' **requires a static pre-shared key**</color> <color #646464>[PSK]</color><color #4B4B4B>**, generated in advance, and shared among all clients**</color> | + | * ''tls-auth'' requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients |
- | * <color #646464>This requires incoming packets to have a valid signature generated using the PSK key</color> | + | * This requires incoming packets to have a valid signature generated using the PSK key |
- | * <color #646464>If key is changed, it must be changed on all clients at the same time (no support for rollover)</color>\\ \\ | + | * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\ |
</WRAP> | </WRAP> | ||
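Review bot: "This ensures Perfect Forward Secrecy is maintained" is incorrect: `tls-auth` adds an HMAC signature to every control-channel packet (as the following bullets correctly describe), which lets the server drop unauthenticated packets before the TLS handshake; forward secrecy comes from the (EC)DH exchange of the previous section, not from this key. Also, renaming the output from `openvpn/ta.key` to `openvpn/tls-auth.key` means the `tls-auth` lines in the later server and client configs must reference the new filename.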
Line 556: | Line 541: | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | <wrap safety>GnuPG is a great tool to manage CAs and client certificates</wrap> <wrap right button>[[https://www.gnupg.org/|GnuPG]]</wrap> | + | <WRAP centeralign><wrap safety>GnuPG is a great tool to manage CAs and client certificates</wrap> <wrap right button>[[https://www.gnupg.org/|GnuPG]]</wrap></WRAP> |
<tabbox Backup> | <tabbox Backup> | ||
+ | <wrap right>''<color #C86400>/etc/sysupgrade.conf</color>''</wrap> | ||
<color #508CAA>**Backup**</color> | <color #508CAA>**Backup**</color> | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**Create a backup:**</color> | + | **Create a backup:** |
- | - <color #4B4B4B>Apply correct permissions:</color>\\ <code bash> | + | - **Apply correct permissions:**\\ <code bash> |
chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl</code> | chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl</code> | ||
- | - <color #4B4B4B>It's recommend to utilize GnuPG to encrypt a copy of the CAs & ICAs and their keys</color> | + | - **Utilize GnuPG to encrypt a copy of** ''<color #C86400>/etc/ssl/</color>'' |
- | - <color #646464>After creating an encrypted backup, and copying keys/P12s to their respective clients, securely erase them, overwriting the freespace</color>\\ \\ | + | - **Create separate encryption tars for:** |
- | - <color #4B4B4B>To ensure the //OpenVPN// & //SSL// directories are included in //sysupgrade// backups</color> | + | * ''<color #C86400>/etc/ssl/ca/</color>'' |
+ | * ''<color #C86400>/etc/ssl/openvpn/</color>'' | ||
+ | * ''<color #C86400>/etc/ssl/openvpn/clients/</color>''\\ \\ | ||
+ | - **After creating encrypted backups:** | ||
+ | - Copy p12s to their respective clients | ||
+ | - Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x\\ \\ | ||
+ | - **Add directories & files to** ''<color #C86400>/etc/sysupgrade.conf</color>'' | ||
- //''<color #647D00>vi /etc/sysupgrade.conf</color>''// | - //''<color #647D00>vi /etc/sysupgrade.conf</color>''// | ||
- <color #789600>**//Add://**</color> | - <color #789600>**//Add://**</color> | ||
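Review bot: the permissions one-liner also catches the subdirectories: `/etc/ssl/ca/*` matches the `csr/` directory and `/etc/ssl/openvpn/*` matches `clients/`, and `chmod 600` on a directory strips its execute bit, so the directories become non-traversable for the non-root OpenVPN user; restrict the first chmod to files (for example `find /etc/ssl/ca /etc/ssl/crl /etc/ssl/openvpn -type f -exec chmod 600 {} +`) before re-opening the `.crt*` and `.crl` files with 644. The subsequent tarball steps should also name the p12 and key files explicitly as the material that must never leave the router unencrypted.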
Line 596: | Line 588: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**If utilizing Linux/BSD:**</color> | + | **If utilizing Linux/BSD:** |
- | * <color #4B4B4B>Due to the sheer number of distros, and differing means of handling certificate authorities, please google:</color> | + | * Due to the sheer number of distros, and differing means of handling certificate authorities, please google: |
- | - <color #646464>//<your distro name>// install certificate authority</color> | + | - //<your distro name>// install certificate authority |
- | - <color #646464>//<your distro name>// install intermediate certificate authority</color> | + | - //<your distro name>// install intermediate certificate authority |
</WRAP> | </WRAP> | ||
Line 608: | Line 600: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**If utilizing Windows:**</color> | + | **If utilizing Windows:** |
- | - <color #4B4B4B>**Download**</color> <color #C86400>PEM Association.reg</color><color #4B4B4B>**, then import into registry**</color> <sup><color #646464>(//Right Click// -> //Merge//)</color></sup> | + | - **Download** <color #C86400>PEM Association.reg</color>**, then import into registry** <sup><color #646464>(//Right Click// -> //Merge//)</color></sup> |
- | * <color #646464>//This causes Windows to associate the .pem extension as a valid certificate extension//</color>\\ \\ | + | * //This causes Windows to associate the .pem extension as a valid certificate extension//\\ \\ |
- | - <color #4B4B4B>**Add your CA cert to the //Trusted Root Certification Authorities//**</color> <sup><color #646464>(user must have //Administrator// privileges)</color></sup> | + | - **Add your CA cert to the //Trusted Root Certification Authorities//** <sup><color #646464>(user must have //Administrator// privileges)</color></sup> |
- | - <color #646464>//Right click on//</color> <color #C86400>OpenWrt-CA.crt.pem</color>: | + | - //Right click on// <color #C86400>OpenWrt-CA.crt.pem</color>: |
- <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Trusted Root Certification Authorities//**</color>\\ \\ | - <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Trusted Root Certification Authorities//**</color>\\ \\ | ||
- | - <color #4B4B4B>**Add your ICA cert to the //Intermediate Certification Authorities//**</color> <sup><color #646464>(user must have //Administrator// privileges)</color></sup> | + | - **Add your ICA cert to the //Intermediate Certification Authorities//** <sup><color #646464>(user must have //Administrator// privileges)</color></sup> |
- | - <color #646464>//Right click on//</color> <color #C86400>OpenVPN-ICA.crt.pem</color>: | + | - //Right click on// <color #C86400>OpenVPN-ICA.crt.pem</color>: |
- <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Intermediate Certification Authorities//**</color> | - <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Intermediate Certification Authorities//**</color> | ||
</WRAP> | </WRAP> | ||
Line 628: | Line 620: | ||
<WRAP indent> | <WRAP indent> | ||
+ | |||
+ | <WRAP 76.5em lo> | ||
+ | <wrap right button>[[doc:uci:network|Network Wiki]]</wrap> | ||
+ | </WRAP> | ||
Line 634: | Line 630: | ||
<WRAP 60em lo> | <WRAP 60em lo> | ||
- | - <color #4B4B4B>**Create VPN interface**</color>\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</code> | + | - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</code> |
- | - <color #4B4B4B>You can replace</color> ''<color #647800>//network.//</color><color #007DC8>vpn0</color>'' <color #4B4B4B>with</color> ''<color #647800>//network.//</color><color #007DC8><name></color>'' | + | - You can replace ''<color #647800>//network.//</color><color #007DC8>vpn0</color>'' with ''<color #647800>//network.//</color><color #007DC8><name></color>'' |
- | - <color #646464>If you choose to do so, ''<color #647800>//network=//</color><color #007DC8>vpn0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#zone_creation|Zone Creation]]</color>\\ \\ | + | - If you choose to do so, ''<color #007DC8>vpn</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules|Firewall Rules]]\\ \\ |
- | - <color #646464>You can replace ''<color #647800>//ifname=//</color><color #007DC8>tun0</color>'' with ''<color #647800>//ifname=//</color><color #007DC8><name></color>''</color> | + | - You can replace ''<color #647800>//ifname=//</color><color #007DC8>tun0</color>'' with ''<color #647800>//ifname=//</color><color #007DC8><name></color>'' |
- | - <color #646464>If you choose to do so, ''<color #647800>//option dev//</color> <color #007DC8>tun0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#config|VPN Server Config]]</color>\\ \\ | + | - If you choose to do so, ''<color #647800>//option dev//</color> <color #007DC8>tun0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#config|VPN Server Config]]\\ \\ |
- | - <color #4B4B4B>**Commit changes**</color>\\ <code cpp>uci commit network ; /etc/init.d/network reload</code> | + | - **Commit changes**\\ <code cpp>uci commit network ; /etc/init.d/network reload</code> |
</WRAP> | </WRAP> | ||
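Review bot: the rewritten link in the "If you choose to do so" step is malformed: `[[:doc:howto:openvpn-streamlined-server-setup#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules|Firewall Rules]]` has a full URL pasted after the anchor `#`, so DokuWiki resolves it to a non-existent section; it should be `[[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]`. Style: the "Commit changes" block is tagged `<code cpp>` while the matching uci command above uses `<code bash>`.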
Line 646: | Line 642: | ||
==== Configure DDNS ==== | ==== Configure DDNS ==== | ||
- | <WRAP 75em lo> | + | <WRAP 76.5em lo> |
+ | <wrap right button>[[doc:howto:ddns.client|DDNS Wiki]]</wrap> | ||
- | - <color #4B4B4B>**A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs**</color> | + | <wrap indent>**//Applies to connections from WAN//**</wrap> |
- | - <color #646464>DDNS:</color> | + | - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs** |
- | * <color #646464>**D**ynamic **D**omain **N**ame **S**ystem providers provide the user with a dynamically updated DNS name for their public IP</color> | + | - DDNS: |
- | - <color #646464>FQDN</color> | + | * **D**ynamic **D**omain **N**ame **S**ervice providers provide the user with a dynamically updated DNS name for their public IP |
- | * <color #646464>**F**ully **Q**ualified **D**omain **N**ame is a URL <sup>(google.com is a FQDN)</sup></color> | + | * Purchasing occurs as a service subscription fee from DDNS providers |
- | * <color #646464>Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup>(//Internet Assigned Numbers Authority//)</sup></color>\\ \\ | + | - FQDN |
- | - <color #4B4B4B>**Most users will likely configure DDNS**</color> | + | * **F**ully **Q**ualified **D**omain **N**ame is a URL <sup><color #646464>(google.com is a FQDN)</color></sup> |
- | * <color #646464>See the [[doc:howto:ddns.client|DDNS Clients]] wiki on how to configure</color> | + | * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup><color #646464>(//Internet Assigned Numbers Authority//)</color></sup>\\ \\ |
+ | - **Most users will likely configure DDNS** | ||
+ | * See the [[doc:howto:ddns.client|DDNS Clients]] wiki | ||
</WRAP> | </WRAP> | ||
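Review bot: the expansion changed here is wrong: DNS is the Domain Name System, so DDNS is Dynamic Domain Name System (the removed side had it right), and "Dynamic Domain Name Service providers provide" reads doubly. An FQDN is a hostname, not a URL (google.com is the host part of a URL), and domain registration terms are set by ICANN-accredited registrars rather than IANA, which manages the root zone; trim the FQDN bullets to "a fully qualified hostname registered through a domain registrar".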
Line 665: | Line 664: | ||
<WRAP indent> | <WRAP indent> | ||
- | |||
- | |||
- | ==== Zone Creation ==== | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | + | <wrap right button>[[doc:uci:firewall|Firewall Wiki]]</wrap> | |
- | - <color #4B4B4B>**Configure default firewall rules**</color>\\ <code bash> | + | |
- | uci add firewall zone ; uci set firewall.@zone[-1].name=vpn ; uci set firewall.@zone[-1].input=ACCEPT ; uci set firewall.@zone[-1].forward=ACCEPT ; uci set firewall.@zone[-1].output=ACCEPT ; uci set firewall.@zone[-1].network=vpn0</code> | + | |
- | - <color #646464>You can replace ''<color #647800>//name=//</color><color #007DC8>vpn</color>'' with ''<color #647800>//name=//</color><color #007DC8><name></color>''</color> | + | |
- | - <color #646464>If you choose to do so, ''<color #647800>//src=//</color><color #007DC8>vpn</color>'' will need to be updated accordingly</color>\\ \\ | + | |
- | - <color #4B4B4B>**Configure default firewall forwarding**</color>\\ <code>uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='vpn' ; uci set firewall.@forwarding[-1].dest='lan' ; uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='lan' ; uci set firewall.@forwarding[-1].dest='vpn'</code> | + | |
</WRAP> | </WRAP> | ||
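Review bot: this hunk removes the only commands that create the `vpn` zone (`name=vpn`, `network=vpn0`) and the lan<->vpn forwardings, yet the Network section still tells readers `vpn` must be updated in Firewall Rules and the Firewall Info ordering list still refers to "VPN Network Default" and "VPN InterZone Forwarding"; make sure the zone and both forwarding stanzas appear in the /etc/config/firewall listing that follows, otherwise readers of this revision have no step that creates them. If they are re-added, the removed `input=ACCEPT` on the vpn zone is worth a remark, since it exposes every router service to VPN clients; an explicit rule for the services clients actually need is the tighter default.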
Line 683: | Line 673: | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | <wrap danger>A non-standard port (**//not//** //1194//) should be utilized for the VPN</wrap> | + | <WRAP centeralign><wrap danger>A non-standard port (**//not//** //1194//) should be utilized for the VPN</wrap></WRAP> |
<tabbox Information> | <tabbox Information> | ||
+ | <wrap right>''<color #C86400>/etc/config/firewall</color>''</wrap> | ||
<color #508CAA>**Firewall Info**</color> | <color #508CAA>**Firewall Info**</color> | ||
- | - <color #4B4B4B>**VPN traffic rules should be placed in the following order, below** '' <color #647800>option path /etc/firewall.user</color> '' **and any redirect rules**</color> | + | - **Traffic rules should be placed in the following order** |
- | - <color #646464>InterZone Forwarding Rules</color> | + | - Firewall.User Script |
- | - <color #646464>VPN Traffic Rules </color>\\ \\ | + | - Redirect Rules |
- | - <color #4B4B4B>**Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes**</color> | + | - Router Network Default |
- | - <color #646464>Allowing both prevents having to edit the firewall every time troubleshooting is needed</color>\\ \\ | + | - VPN Network Default |
- | - <color #4B4B4B>**SSL VPNs should always use UDP**</color> | + | - VPN InterZone Forwarding |
- | - <color #646464>//Except under the following two scenarios//</color> | + | - VPN Traffic Rules\\ \\ |
- | - <color #646464>When troubleshooting\\ **OR**</color> | + | - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes** |
- | - <color #646464>When packet loss is high</color>\\ \\ | + | - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\ |
- | - <color #4B4B4B>**A port >1025 but <10000 should be utilized for the VPN**</color> | + | - **SSL VPNs should always use UDP** |
- | - <color #646464>If using a custom port, update [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server]] & [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Client]] configs accordingly</color> | + | - //Except under the following two scenarios// |
+ | - When troubleshooting\\ **OR** | ||
+ | - When packet loss is high\\ \\ | ||
+ | - **A port >1025 but <10000 should be utilized for the VPN** | ||
+ | - If using a custom port, update [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server]] & [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Client]] configs accordingly | ||
+ | - If needing to bypass a strict firewall in front of the router, utilize port 443 <sup>[HTTPS]</sup> | ||
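Review bot: the new "utilize port 443" bullet contradicts the "port >1025 but <10000" rule two lines above it and does not work as written with this server: the server config in this same revision sets option proto 'udp', and a firewall that only lets HTTPS out passes TCP/443, not UDP/443, so bypassing it also needs proto tcp on both ends (and the port must not already be bound by another service on the router). The "Rule protocol for VPNs should always be both TCP & UDP" rule has the same problem in the other direction: it keeps TCP/5000 permanently accepted for a daemon that only listens on UDP. Match the rule's proto to the server's and add TCP only for the duration of a troubleshooting session. Finally, a non-standard port cuts log noise from scanners but is not a security control; the tls_auth key in the server config is what rejects unauthenticated packets, and the danger box should not suggest otherwise.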
Line 706: | Line 702: | ||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**The following rules are required:**</color> | + | **The following rules are required:** |
- //''<color #647D00>vi /etc/config/firewall</color>''//\\ \\ <code cpp> | - //''<color #647D00>vi /etc/config/firewall</color>''//\\ \\ <code cpp> | ||
#::: Traffic Rules :::# | #::: Traffic Rules :::# | ||
Line 721: | Line 717: | ||
option path '/etc/firewall.user' | option path '/etc/firewall.user' | ||
- | # Default OpenWRT Rule # | + | # Default OpenWrt Rule # |
config defaults | config defaults | ||
option input 'ACCEPT' | option input 'ACCEPT' | ||
Line 733: | Line 729: | ||
#------------------------------------------------ | #------------------------------------------------ | ||
# LuCI: From any host in any zone To any router | # LuCI: From any host in any zone To any router | ||
- | # IP at port 1194 on this device (Accept Input) | + | # IP at port 5000 on this device (Accept Input) |
config rule | config rule | ||
option target 'ACCEPT' | option target 'ACCEPT' | ||
Line 739: | Line 735: | ||
option proto 'tcp udp' | option proto 'tcp udp' | ||
option src '*' | option src '*' | ||
- | option dest_port 1194 | + | option dest_port 5000 |
option name 'Allow Forwarded VPN Request -> <device>' | option name 'Allow Forwarded VPN Request -> <device>' | ||
# Once Assigned VPN IP, Allow Inbound -> LAN # | # Once Assigned VPN IP, Allow Inbound -> LAN # | ||
#------------------------------------------------ | #------------------------------------------------ | ||
- | # LuCI: From IP range 10.1.1.0/24 in any zone To IP | + | # LuCI: From IP range 10.1.0.0/28 in any zone To IP |
- | # range 192.168.1.0/24 on this device (Accept Input) | + | # range 192.168.1.0/28 on this device (Accept Input) |
config rule | config rule | ||
option target 'ACCEPT' | option target 'ACCEPT' | ||
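Review bot: option src '*' on the "Allow Forwarded VPN Request" input rule accepts the VPN port from every zone, lan included, and option proto 'tcp udp' opens TCP for a UDP-only server. Restrict it to src 'wan' and proto 'udp' unless LAN hosts are meant to connect to the VPN from inside. Note also that the firewall.user script in this same revision inserts its own ACCEPT for port 5000 at the head of INPUT, so this UCI rule is shadowed in practice; decide which of the two is supposed to admit the port so the other can be removed.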
Line 751: | Line 747: | ||
option proto 'tcp udp' | option proto 'tcp udp' | ||
option src '*' | option src '*' | ||
- | option src_ip '10.1.1.0/24' | + | option src_ip '10.1.0.0/28' |
option dest_ip '192.168.1.0/26' | option dest_ip '192.168.1.0/26' | ||
option name 'Allow VPN0 -> LAN' | option name 'Allow VPN0 -> LAN' | ||
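Review bot: option src '*' combined with option src_ip '10.1.0.0/28' (this input rule and the forward rule that follows) matches on source address alone, so it also accepts packets arriving on the WAN interface with a forged 10.1.0.0/28 source unless reverse-path filtering is enforced. Pin these rules to the tunnel zone (option src 'vpn') so the interface, not a spoofable address, is what grants access; src_ip can stay as a second condition. Separately, the updated LuCI comments now say "To IP range 192.168.1.0/28" (here and on the forward rule) while option dest_ip is still '192.168.1.0/26'; one of the two is wrong.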
Line 757: | Line 753: | ||
# Once Assigned VPN IP, Allow Forwarded -> LAN # | # Once Assigned VPN IP, Allow Forwarded -> LAN # | ||
#------------------------------------------------ | #------------------------------------------------ | ||
- | # LuCI: From IP range 10.1.1.0/24 in any zone To IP | + | # LuCI: From IP range 10.1.0.0/28 in any zone To IP |
- | # range 192.168.1.0/24 on this device (Accept Forward) | + | # range 192.168.1.0/28 on this device (Accept Forward) |
config rule | config rule | ||
option target 'ACCEPT' | option target 'ACCEPT' | ||
Line 764: | Line 760: | ||
option family 'ipv4' | option family 'ipv4' | ||
option src '*' | option src '*' | ||
- | option src_ip '10.1.1.0/24' | + | option src_ip '10.1.0.0/28' |
option dest '*' | option dest '*' | ||
option dest_ip '192.168.1.0/26' | option dest_ip '192.168.1.0/26' | ||
Line 771: | Line 767: | ||
# Allow Outbound ICMP Traffic from VPN # | # Allow Outbound ICMP Traffic from VPN # | ||
#------------------------------------------------ | #------------------------------------------------ | ||
- | # LuCI: ICMP From IP range 10.1.1.0/24 in any | + | # LuCI: ICMP From IP range 10.1.0.0/28 in any |
# zone To any host in lan (Accept Forward) | # zone To any host in lan (Accept Forward) | ||
config rule | config rule | ||
Line 777: | Line 773: | ||
option proto 'icmp' | option proto 'icmp' | ||
option src '*' | option src '*' | ||
- | option src_ip '10.1.1.0/24' | + | option src_ip '10.1.0.0/28' |
option dest 'lan' | option dest 'lan' | ||
option name 'Allow VPN0 (ICMP) -> LAN' | option name 'Allow VPN0 (ICMP) -> LAN' | ||
Line 784: | Line 780: | ||
#------------------------------------------------ | #------------------------------------------------ | ||
# LuCI: ICMP with type echo-request From IP range | # LuCI: ICMP with type echo-request From IP range | ||
- | # 10.1.1.0/24 in any zone To any host in wan (Accept Forward) | + | # 10.1.0.0/28 in any zone To any host in wan (Accept Forward) |
config rule | config rule | ||
option target 'ACCEPT' | option target 'ACCEPT' | ||
Line 790: | Line 786: | ||
list icmp_type 'echo-request' | list icmp_type 'echo-request' | ||
option src '*' | option src '*' | ||
- | option src_ip '10.1.1.0/24' | + | option src_ip '10.1.0.0/28' |
option dest 'wan' | option dest 'wan' | ||
option name 'Allow VPN0 (ICMP 8) -> <device> ' | option name 'Allow VPN0 (ICMP 8) -> <device> ' | ||
Line 847: | Line 843: | ||
</code>\\ | </code>\\ | ||
- | - <color #4B4B4B>**Commit changes**</color>\\ <code cpp>uci commit firewall ; /etc/init.d/firewall restart</code> | + | - **Commit changes**\\ <code cpp>/etc/init.d/firewall restart</code> |
</WRAP> | </WRAP> | ||
<tabbox Logging> | <tabbox Logging> | ||
- | <wrap right>''<color #C86400>/etc/firewall.user</color>''</wrap> | ||
<color #508CAA>**firewall.user Script**</color> | <color #508CAA>**firewall.user Script**</color> | ||
+ | <wrap right button>[[doc:howto:log.messages#netfilter|Netfilter Log]]</wrap>\\ \\ | ||
+ | <wrap right>''<color #C86400>/etc/firewall.user</color>''</wrap> | ||
+ | |||
<WRAP indent> | <WRAP indent> | ||
- | <color #4B4B4B>**The following rules are required:**</color> | + | **The following rules are required:** |
- //''<color #647D00>vi /etc/firewall.user</color>''//\\ \\ <code cpp> | - //''<color #647D00>vi /etc/firewall.user</color>''//\\ \\ <code cpp> | ||
#::: Traffic Rules :::# | #::: Traffic Rules :::# | ||
Line 862: | Line 860: | ||
# These rules make the assumption the default port of 1194 is not used for the VPN | # These rules make the assumption the default port of 1194 is not used for the VPN | ||
- | + | # Port 5000 is being used arbitrarily for the VPN port | |
- | # Port 5000 is being used arbitrarily for the VPN port | + | |
| | ||
# Establish Custom Zones # | # Establish Custom Zones # | ||
#--------------------------------------------------- | #--------------------------------------------------- | ||
- | iptables -N DROP-Brute | + | iptables -N LOG-VPN |
- | iptables -N LOG-VPN | + | iptables -N Rate_Limit |
- | iptables -N Rate_Limit | + | |
- | + | ||
- | # Log All Dropped # | + | |
- | #--------------------------------------------------- | + | |
- | iptables -A DROP-Brute -j LOG --log-prefix "<[[--- BRUTE DROPPED ---]]> : " --log-level 4 | + | |
- | iptables -A DROP-Brute -j DROP | + | |
# Establish Rate Limit # | # Establish Rate Limit # | ||
#--------------------------------------------------- | #--------------------------------------------------- | ||
- | iptables -A Rate_Limit -p tcp --dport 1194 -m limit --limit 1/min --limit-burst 1 -j DROP-Brute | + | iptables -A Rate_Limit -p tcp --dport 5000 -j LOG-VPN |
- | iptables -A Rate_Limit -p udp --dport 1194 -m limit --limit 1/min --limit-burst 1 -j DROP-Brute | + | iptables -A Rate_Limit -p udp --dport 5000 -j LOG-VPN |
- | iptables -A Rate_Limit -p tcp --dport 5000 -j LOG-VPN | + | iptables -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset |
- | iptables -A Rate_Limit -p udp --dport 5000 -j LOG-VPN | + | iptables -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable |
- | iptables -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset | + | iptables -A Rate_Limit ! -p ICMP -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: " |
- | iptables -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable | + | iptables -A Rate_Limit -j DROP |
- | iptables -A Rate_Limit ! -p ICMP -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: " | + | |
- | iptables -A Rate_Limit -j DROP | + | |
# Apply Rate Limit # | # Apply Rate Limit # | ||
#--------------------------------------------------- | #--------------------------------------------------- | ||
- | iptables -w -I INPUT -p tcp --dport 1194 -m state --state NEW -m recent --set | + | iptables -I INPUT -p tcp --dport 5000 -m state --state NEW -j Rate_Limit |
- | iptables -w -I INPUT -p tcp --dport 1194 -m state --state NEW --update --seconds 60 --hitcount 1 -j Rate_Limit | + | iptables -I INPUT -p udp --dport 5000 -m state --state NEW -j Rate_Limit |
- | iptables -w -I INPUT -p udp --dport 1194 -m state --state NEW -m recent --set | + | |
- | iptables -w -I INPUT -p udp --dport 1194 -m state --state NEW --update --seconds 60 --hitcount 1 -j Rate_Limit | + | |
- | iptables -I INPUT -p tcp --dport 5000 -m state --state NEW -j Rate_Limit | + | |
- | iptables -I INPUT -p udp --dport 5000 -m state --state NEW -j Rate_Limit | + | |
- | + | ||
- | # Check for bans in Rate_Limit # | + | |
- | #--------------------------------------------------- | + | |
- | iptables -w -A INPUT -p tcp --dport 1194 -j Rate_Limit | + | |
# Log VPN Traffic # | # Log VPN Traffic # | ||
#--------------------------------------------------- | #--------------------------------------------------- | ||
- | iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4 | + | iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4 |
- | iptables -A LOG-VPN -j ACCEPT | + | iptables -A LOG-VPN -j ACCEPT |
</code>\\ | </code>\\ | ||
- | - <color #4B4B4B>**Commit changes**</color>\\ <code cpp>/etc/init.d/firewall restart</code> | + | - **Commit changes**\\ <code cpp>/etc/init.d/firewall restart</code> |
- | - <color #646464>**Please also see:**</color> | + | - **Please also see:** |
* [[doc:howto:log.essentials|Log Essentials]] | * [[doc:howto:log.essentials|Log Essentials]] | ||
* [[doc:howto:log.overview|Logging Servers]] | * [[doc:howto:log.overview|Logging Servers]] | ||
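Review bot: after the -m recent / -m limit rules and the DROP-Brute chain were removed, the chain still named Rate_Limit no longer limits anything. Every NEW packet to port 5000 jumps into it, matches one of the first two rules and is logged and ACCEPTed by LOG-VPN; the REJECT --reject-with tcp-reset, REJECT --reject-with icmp-port-unreachable, LOG "Connection DROPPED" and DROP rules after them can never be reached, because only --dport 5000 traffic enters the chain. Either drop the dead rules and rename the chain, or restore a real limit; as it stands the comment "Establish Rate Limit" and the brute-force protection it implies are gone. Two further consequences of this hunk: -I INPUT ... -j Rate_Limit inserts ahead of fw3's zone chains, so this script, not the "Allow Forwarded VPN Request" UCI rule, is what admits VPN packets from any interface; and the LOG target in LOG-VPN has no -m limit, so an unauthenticated sender can fill the syslog ring buffer at one line per datagram. Put -m limit --limit 10/min --limit-burst 20 (or similar) in front of the LOG rule.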
Line 924: | Line 905: | ||
<WRAP indent> | <WRAP indent> | ||
+ | <WRAP 76.5em lo> | ||
+ | <wrap right button>[[doc:howto:vpn.overview|VPN Overview]]</wrap> | ||
+ | </WRAP> | ||
Line 929: | Line 913: | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | <wrap warning><color #FFFFFF>It's //strongly encouraged// to read through the OpenVPN HowTo & Man Page</color></wrap> | + | <WRAP centeralign><wrap warning><color #FFFFFF>It's //strongly encouraged// to read through the OpenVPN HowTo & Man Page</color></wrap></WRAP> |
<tabbox Information> | <tabbox Information> | ||
+ | <wrap right>''<color #C86400>/etc/config/openvpn</color>''</wrap> | ||
<color #508CAA>**OpenVPN Information**</color> | <color #508CAA>**OpenVPN Information**</color> | ||
- | * <color #4B4B4B>**This specific configuration has been designed to give the best performance possible, via** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|MTU & Buffer]] **Tuning recommendations**</color> | + | * **This specific configuration has been designed to give the best performance possible, via** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|MTU & Buffer]] **Tuning recommendations** |
- | * <color #646464>DNS primary & secondary are [[https://developers.google.com/speed/public-dns/docs/using|Google's]]</color> | + | * DNS primary & secondary are [[https://www.opendns.com/setupguide/?url=familyshield|OpenDNS']] |
- | * <color #646464>NTP is garnished from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice</color> | + | * NTP is garnished from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice |
- | * <color #646464>NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds</color>\\ \\ | + | * NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\ |
- | * <color #4B4B4B>**//CCD directives// (under //Client Config//) are commented out, as one will need to read the** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN HowTo]] **to understand how it's used**</color> | + | * **//CCD directives// (under //Client Config//) are commented out, as one will need to read the** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN HowTo]] **to understand how it's used** |
- | * <color #646464>CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used</color>\\ \\ | + | * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\ |
- | * <color #4B4B4B>**Two or more servers can be run from this config file**</color> | + | * **Two or more servers can be run from this config file** |
- | * <color #646464>To add additional servers, copy & paste first config directly below itself, with a blank line separating the two</color>\\ \\ | + | * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\ |
- | * <color #4B4B4B>**The OpenVPN** [[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**</color> | + | * **The OpenVPN** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** \\ \\ |
+ | * **OpenVPN 2.4 added TLS Elliptic-Curve** ''[EC]'' **support** | ||
+ | * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load | ||
+ | * OpenVPN on OpenWrt only supports a //maximum of 256 characters// for '' <color #647D00>option tls_cipher</color>'' | ||
+ | * Ciphers are listed in a hierarchical, chronological order of most secure & efficient to least efficient | ||
+ | * Disabled ciphers are specified at the end with an **''<color #960000>!</color>''** in front of the cipher\\ \\ | ||
+ | * **Ciphers must match the capabilities of the server & clients** | ||
+ | * Available TLS ciphers: '' <color #647D00>openssl --show-tls</color> '' or '' <color #647D00>openssl ciphers -V | grep TLS</color>'' | ||
+ | * Available SSL ciphers: '' <color #647D00>openssl ciphers -V | grep SSL</color>'' | ||
+ | * For Windows client: '' <color #647D00>openssl ciphers -V | findstr /R SSL</color>'' | ||
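Review bot: the "Available TLS ciphers" command is wrong: openssl --show-tls is not an openssl subcommand. The names option tls_cipher expects (TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and so on) come from openvpn --show-tls; openssl ciphers -V | grep TLS merely filters OpenSSL-named suites by the protocol column and is not the same list, and the same goes for the grep SSL / findstr variants. The 256-character cap is OpenVPN's own per-config-line limit, not something specific to the OpenWrt build, so it applies to client profiles as well. Two more claims need correcting: "EC ciphers" versus "SSL ciphers" is not a real distinction (what 2.4 adds is ECDH key exchange and EC certificates; every suite in the list is a TLS suite), and a TLS handshake needs the clock to be inside the certificate validity window, not accurate "to within milliseconds"; an NTP source is still sensible, but for the reason of certificate validity and log timestamps.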
Line 949: | Line 943: | ||
<color #508CAA>**OpenVPN Server Config**</color> | <color #508CAA>**OpenVPN Server Config**</color> | ||
- | - <color #4B4B4B>**Create config:**</color>\\ <code cpp>echo > /etc/config/openvpn ; vi /etc/config/openvpn</code> | + | - **Create config:**\\ <code cpp>echo > /etc/config/openvpn ; vi /etc/config/openvpn</code> |
- | - <color #646464>**Paste the following & edit accordingly**</color>\\ \\ <code cpp> | + | - **Paste the following & edit accordingly**\\ \\ <code cpp> |
config openvpn 'VPNserver' | config openvpn 'VPNserver' | ||
- | |||
option enabled 1 | option enabled 1 | ||
Line 962: | Line 954: | ||
option topology 'subnet' | option topology 'subnet' | ||
option proto 'udp' | option proto 'udp' | ||
- | option port 1194 | + | option port 5000 |
# Routes # | # Routes # | ||
Line 980: | Line 972: | ||
list push 'dhcp-option DNS 192.168.1.1' | list push 'dhcp-option DNS 192.168.1.1' | ||
list push 'dhcp-option WINS 192.168.1.1' | list push 'dhcp-option WINS 192.168.1.1' | ||
- | list push 'dhcp-option DNS 8.8.8.8' | + | list push 'dhcp-option DNS 208.67.222.123' |
- | list push 'dhcp-option DNS 8.8.4.4' | + | list push 'dhcp-option DNS 208.67.220.123' |
list push 'dhcp-option NTP 129.6.15.30' | list push 'dhcp-option NTP 129.6.15.30' | ||
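Review bot: the pushed resolvers now mix the router (192.168.1.1) with two OpenDNS FamilyShield addresses (208.67.222.123 and 208.67.220.123). Clients generally use whichever pushed resolver answers, so LAN names served by the router may fail intermittently and client lookups leave the tunnel's trust boundary for a third-party filtering service. Push only the router's resolver and let it forward, unless the filtering is deliberate policy, in which case the Information tab should say FamilyShield filters content rather than just "OpenDNS". Note also that dhcp-option NTP is only acted on by clients whose platform processes DHCP options from the TAP adapter (Windows); other clients expose it as foreign_option_n to scripts and do nothing with it, so this line does not set time on the Android client shown later.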
Line 995: | Line 987: | ||
option cipher AES-256-CBC | option cipher AES-256-CBC | ||
option auth 'SHA512' | option auth 'SHA512' | ||
- | option tls_auth '/etc/ssl/openvpn/ta.key 0' | + | option tls_auth '/etc/ssl/openvpn/tls-auth.key 0' |
| | ||
# TLS: | # TLS: | ||
option tls_server 1 | option tls_server 1 | ||
option tls_version_min 1.2 | option tls_version_min 1.2 | ||
- | option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4' | + | option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA' |
- | option remote-cert-eku 'TLS Web Client Authentication' | + | |
# Logging # | # Logging # | ||
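Review bot: the server-side EKU check was deleted instead of fixed. option remote-cert-eku never took effect because UCI option names cannot contain hyphens, but the right change is option remote_cert_eku 'TLS Web Client Authentication' (or option remote_cert_tls 'client'); without it the server accepts any certificate the CA chain signed, including another server's, as a client, while the client profile still checks the server's EKU. On the new tls_cipher string: only one of ECDHE-RSA and ECDH-RSA can match a given server key (RSA key versus EC key), so with an RSA server certificate TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 is dead, and if it ever matched it would give up forward secrecy; drop it. With 2.4 on both ends the data channel can also move from cipher AES-256-CBC to AES-256-GCM (or ncp-ciphers) to match the GCM TLS suites, which is where the Information tab's efficiency argument actually applies. The addition of !kRSA is correct.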
Line 1007: | Line 998: | ||
option log_append '/tmp/openvpn.log' | option log_append '/tmp/openvpn.log' | ||
option status '/tmp/openvpn-status.log' | option status '/tmp/openvpn-status.log' | ||
- | option verb 7 | + | option verb 4 |
# Connection Options # | # Connection Options # | ||
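Review bot: verb 4 is a sensible always-on level, but log_append '/tmp/openvpn.log' has no rotation and /tmp is RAM-backed on OpenWrt, so a long uptime or a scanner hitting the port grows the log in memory. Either let OpenVPN log through syslog (remove log_append, keep verb 4) so logread's ring buffer bounds it, or add rotation; status '/tmp/openvpn-status.log' is rewritten in place and is fine.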
Line 1045: | Line 1036: | ||
# chroot would be ~11MB in size. | # chroot would be ~11MB in size. | ||
- | # Modify if chroot is configured # | + | # Modify if chroot is configured # |
#-------------------------------------------- | #-------------------------------------------- | ||
# option ccd_exclusive 1 | # option ccd_exclusive 1 | ||
Line 1054: | Line 1045: | ||
# option dh /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem | # option dh /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem | ||
# option pkcs12 /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12 | # option pkcs12 /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12 | ||
- | # option tls_auth '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0' | + | # option tls_auth '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0' |
</code> | </code> | ||
- | - <color #4B4B4B>**Commit changes**</color>\\ | + | - **Commit changes**\\ <code bash>/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log</code> |
- | <code bash>/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log</code> | + | |
+ | |||
+ | <tabbox CCD> | ||
+ | <wrap right>''<color #C86400>/etc/openvpn/clients</color>''</wrap> | ||
+ | <color #508CAA>**OpenVPN Server CCD Config**</color> | ||
+ | |||
+ | - **Enable CCD within Server config:** | ||
+ | - //''<color #647D00>vi /etc/config/openvpn</color>''// \\ <code cpp> | ||
+ | option ccd_exclusive 1 | ||
+ | option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt' | ||
+ | option client_config_dir '/etc/openvpn/clients/' | ||
+ | </code> | ||
+ | * ''<color #647D00>ccd_exclusive</color>'': enables CCD | ||
+ | * ''<color #647D00>client_config_dir</color>'': Directory housing CCD client files | ||
+ | * ''<color #647D00>ifconfig_pool_persist</color>'': File containing common names from client files, followed by static IP for device\\ \\ | ||
+ | - **Configure CCD files** | ||
+ | - For each VPN client, a file must be created which exactly mirrors the common name of each client cert | ||
+ | - File should contain an ''ifconfig'' command pushing a static IP to the client | ||
+ | - Client Certificate CN: ''<color #647D00>John Doe (OpenWrt VPNserver Client)</color>'' | ||
+ | - Client File: ''<color #C86400>/etc/openvpn/clients/John Doe (OpenWrt VPNserver Client)</color>'' | ||
+ | - File Output: ''//<color #647D00>ifconfig-push 10.1.0.6 255.255.255.240</color>//''\\ \\ | ||
+ | - **Configure IPP file** | ||
+ | - One per line, each VPN client's CN needs to be specified, followed by their static IP | ||
+ | - IPP File: ''<color #C86400>/etc/openvpn/clients/ipp.txt</color>'' | ||
+ | - File Output: ''<color #647D00>John Doe (OpenWrt VPNserver Client),10.1.0.6</color>''\\ \\ | ||
+ | - **Start/Restart OpenVPN** | ||
+ | - Connect with each client to test\\ <code bash>/etc/init.d/openvpn stop ; /etc/init.d/openvpn start ; tail -f /tmp/openvpn.log</code> | ||
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
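Review bot: the CCD tab describes the options the wrong way round: client_config_dir is what enables per-client files, and ccd_exclusive is what makes a matching file mandatory (a client with a valid certificate but no CCD file is refused), which is the "extra layer" the Information tab promises; keep both but describe them that way. ifconfig_pool_persist is not a file the administrator maintains: the daemon rewrites it as an address-pool hint, and the address a client gets comes from the ifconfig-push line in its CCD file, so the "Configure IPP file" step is unnecessary, and placing the daemon-written ipp.txt inside the CCD directory means a certificate with CN ipp.txt would collide with it. Finally, OpenVPN sanitises the common name before opening the CCD file (characters outside alphanumerics, underscore, dash, dot and @ become underscores), so a file literally named "John Doe (OpenWrt VPNserver Client)" will not be found, and with ccd_exclusive that client is rejected. Use CNs without spaces or parentheses, or name the file with the remapped CN and test each client against /tmp/openvpn.log as the last step already suggests.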
Line 1075: | Line 1093: | ||
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 | Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 | ||
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key | Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key | ||
- | Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file | + | Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file |
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | ||
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | ||
Line 1109: | Line 1127: | ||
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 | Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 | ||
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key | Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key | ||
- | Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file | + | Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file |
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | ||
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication | ||
Line 1131: | Line 1149: | ||
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6 | Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6 | ||
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set() | Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set() | ||
- | Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='vpn-client2-foobar2-device1,10.1.0.6', TODO: IPv6 | + | Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6 |
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set() | Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set() | ||
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST | Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST | ||
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5 | Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5 | ||
- | Thu Oct 20 13:35:30 2016 us=715331 vpn-client2-foobar2-device1,10.1.0.6 | + | Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6 |
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028 | Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028 | ||
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed | Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed | ||
Line 1149: | Line 1167: | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | <wrap warning><color #FFFFFF>Server's TLS-Auth key goes within the inline XML space</color></wrap> | + | <WRAP centeralign><wrap warning><color #FFFFFF>Server's TLS-Auth key goes within the inline XML space</color></wrap></WRAP> |
</WRAP> | </WRAP> | ||
Line 1157: | Line 1175: | ||
==== Android ==== | ==== Android ==== | ||
- | <WRAP 76.5em lo> | + | <WRAP indent 76.5em lo> |
<tabbox Information> | <tabbox Information> | ||
- | <wrap right button>[[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]] [[https://github.com/JW0914/Wikis/blob/master/OpenVPN/Documentation/Android%20Certificate%20Toast%20Removal.pdf|Toast Removal]]</wrap> | + | <wrap right button>[[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]]</wrap> |
<color #508CAA>**Android Client Information**</color> | <color #508CAA>**Android Client Information**</color> | ||
- | * <color #4B4B4B>**//OpenVPN for Android// is the best app for VPNs on Android**</color>\\ \\ | + | <WRAP centeralign><color #960000>**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //imperative//, for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:howto:openvpn-streamlined-server-setup#client_certs|Client Certs]]</color></WRAP> |
- | * <color #4B4B4B>**PKCS12 certs are installed into the //Android Keychain//**</color> | + | |
- | * <color #646464>As a security feature, a warning toast will always appear in the notification area due to user installed certs</color> | + | * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\ |
- | * <color #646464>This toast can be removed if you have a rooted device by following Toast Removal tutorial</color> | + | * **PKCS12 certs are installed into the //Android Keychain//** |
- | * <color #646464>Another option is to include all certs & keys via inline XML within the client config file</color>\\ \\ | + | * As a security feature, a warning toast will always appear in the notification area due to user installed certs |
- | * <color #4B4B4B>**If you choose to reference the ''//ta.key//'', instead of utilizing inline XML**</color> | + | * This toast can be removed if you have a rooted device by following Toast Removal tutorial \\ \\ |
+ | * Another option is to include all certs & keys via inline XML within the client config file | ||
+ | * //Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ | ||
+ | * **If you choose to reference the ''//tlsauth.key//'', instead of utilizing inline XML** | ||
- <color #960000>**//Remove://**</color>\\ <code cpp> | - <color #960000>**//Remove://**</color>\\ <code cpp> | ||
+ | # Encryption # | ||
+ | #------------------------------------------------ | ||
key-direction 1 | key-direction 1 | ||
+ | |||
<tls-auth> | <tls-auth> | ||
-----BEGIN OpenVPN Static key V1----- | -----BEGIN OpenVPN Static key V1----- | ||
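Review bot: the warning's permission value changed from 664 to 771 with no explanation, and neither number is the point: anything under /sdcard is readable by every app that holds the storage permission, so an unencrypted key file there (or an unencrypted PKCS12 left in place after import) is available to all of them. State that, keep the advice to import the PKCS12 into the Android Keychain or inline the material into the profile, and add that the files should be deleted from /sdcard afterwards. Also, the static key is called tlsauth.key throughout this tab but tls-auth.key in the server config and its log output earlier in this revision; pick one name.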
Line 1177: | Line 1201: | ||
</tls-auth></code> | </tls-auth></code> | ||
- <color #789600>**//Add://**</color>\\ <code cpp> | - <color #789600>**//Add://**</color>\\ <code cpp> | ||
- | tls-auth /path/to/ta.key 1 | + | # Encryption # |
- | </code> | + | #------------------------------------------------ |
- | * <color #4B4B4B>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</color> | + | tls-auth '/path/to/tlsauth.key' 1</code> |
- | * <color #646464>If your device is affected, you will need to reference your individual certs in your Server Config</color> | + | * <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</color> |
- | - <color #960000>**//Remove://**</color>\\ <code cpp> | + | * If your device is affected, you will need to reference your individual certs in your Server Config |
- | # Encryption # | + | |
- | pkcs12 '/sdcard/openvpn/vpn-client1.p12'</code> | + | |
- <color #789600>**//Add://**</color>\\ <code cpp> | - <color #789600>**//Add://**</color>\\ <code cpp> | ||
- | # Encryption # | + | # Encryption # |
- | ca '/sdcard/openvpn/OpenWRT-OpenVPN_CA-Chain.crt.pem' | + | #------------------------------------------------ |
- | cert '/sdcard/openvpn/keys/vpn-client1.crt.pem' | + | ca '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem' |
- | key '/sdcard/openvpn/keys/vpn-client1.key.pem'</code> | + | cert '/sdcard/openvpn/vpn-client1.crt.pem' |
- | * <wrap danger>For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure</wrap> | + | key '/sdcard/openvpn/vpn-client1.key.pem'</code> |
- | * <color #AF0000>It is //crucial// to the security of the VPN to ensure the certificate key is encrypted as specified under [[doc:howto:openvpn-streamlined-server-setup#client_certs|Client Certs]]</color> | + | |
<tabbox Config> | <tabbox Config> | ||
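Review bot: "reference your individual certs in your Server Config" should read Client Config; the ca / cert / key lines shown belong in the Android profile, not on the router. The cert and key paths were also moved out of the keys/ subdirectory straight into /sdcard/openvpn, which matches the Inline XML tab but should be stated, since the earlier revision told readers to keep them under keys/.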
Line 1198: | Line 1218: | ||
<code cpp> | <code cpp> | ||
- | # Config Type # | + | # Config Type # |
#------------------------------------------------ | #------------------------------------------------ | ||
client | client | ||
- | # Connection # | + | # Connection # |
#------------------------------------------------ | #------------------------------------------------ | ||
dev tun | dev tun | ||
proto udp | proto udp | ||
- | remote your.ddns.com 1194 | + | remote your.ddns.com 5000 |
- | # Speed # | + | # Speed # |
#------------------------------------------------ | #------------------------------------------------ | ||
+ | mssfix 0 | ||
fragment 0 | fragment 0 | ||
- | mssfix 0 | ||
tun-mtu 48000 | tun-mtu 48000 | ||
- | # Reliability # | + | # Reliability # |
#------------------------------------------------ | #------------------------------------------------ | ||
- | comp-lzo | ||
float | float | ||
nobind | nobind | ||
+ | comp-lzo | ||
+ | |||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
resolv-retry infinite | resolv-retry infinite | ||
- | # Encryption # | + | # Encryption # |
#------------------------------------------------ | #------------------------------------------------ | ||
+ | auth SHA512 | ||
auth-nocache | auth-nocache | ||
+ | |||
+ | # --- SSL --- # | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
- | remote-cert-eku "TLS Web Server Authentication" | + | |
+ | # --- TLS --- # | ||
+ | key-direction 1 | ||
+ | tls-version-min 1.2 | ||
+ | |||
+ | remote-cert-eku 'TLS Web Server Authentication' | ||
<tls-auth> | <tls-auth> | ||
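Review bot: comp-lzo is kept (and moved under "Reliability"), but compression inside an encrypted tunnel is a plaintext-length side channel of the CRIME class: an attacker who can inject chosen data into the tunnel alongside a secret can recover that secret from the compressed sizes. Remove comp-lzo on both ends unless a measured throughput need outweighs that, and in any case it is not a reliability setting. On the "Speed" block, tun-mtu 48000 with mssfix 0 and fragment 0 turns almost every tunnel packet into a train of IP fragments of one UDP datagram; NAT devices and stateless filters on the path routinely drop fragments, and losing one fragment loses the whole datagram, which undercuts the page's own advice that UDP should be used except under high packet loss. Present those values as optional tuning to be measured against the defaults, not as the stock client profile. The additions of auth SHA512, tls-version-min 1.2 and key-direction 1 ahead of the inline block are correct and match the server.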
Line 1235: | Line 1264: | ||
</tls-auth> | </tls-auth> | ||
- | key-direction 1 | + | # Logging # |
- | + | ||
- | # Logging # | + | |
#------------------------------------------------ | #------------------------------------------------ | ||
verb 5 | verb 5 | ||
</code> | </code> | ||
+ | |||
+ | <tabbox Inline XML> | ||
+ | <color #508CAA>**Referencing certs via Inline XML**</color> | ||
+ | |||
+ | - <color #960000>**//Remove://**</color>\\ <code cpp> | ||
+ | # Encryption # | ||
+ | #------------------------------------------------ | ||
+ | ca '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem' | ||
+ | cert '/sdcard/openvpn/vpn-client1.crt.pem' | ||
+ | key '/sdcard/openvpn/vpn-client1.key.pem' | ||
+ | tls-auth '/path/to/tlsauth.key' 1</code> | ||
+ | - <color #789600>**//Add://**</color>\\ <code cpp> | ||
+ | # Encryption # | ||
+ | #------------------------------------------------ | ||
+ | |||
+ | # --- TLS --- # | ||
+ | key-direction 1 | ||
+ | |||
+ | <ca> | ||
+ | #PASTE-CA-CERT-INLINE-HERE# | ||
+ | </ca> | ||
+ | |||
+ | <cert> | ||
+ | #PASTE-VPN-SERVER-CERT-INLINE-HERE# | ||
+ | </cert> | ||
+ | |||
+ | <key> | ||
+ | #PASTE-VPN-SERVER-KEY-INLINE-HERE# | ||
+ | </key> | ||
+ | |||
+ | <tls-auth> | ||
+ | -----BEGIN OpenVPN Static key V1----- | ||
+ | #PASTE-KEY-INLINE-HERE# | ||
+ | -----END OpenVPN Static key V1----- | ||
+ | </tls-auth></code> | ||
+ | |||
+ | <tabbox Toast Removal> | ||
+ | <wrap right button>[[http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets|CAcert Wiki]] [[https://github.com/JW0914/Wikis/blob/master/OpenVPN/Documentation/Android%20Certificate%20Toast%20Removal.pdf|PDF]]</wrap> | ||
+ | <color #508CAA>**Certificate Warning Toast Removal**</color> | ||
+ | |||
+ | <wrap indent>If ''<color #C86400>/system/etc/security/cacerts.bks</color>'' exists on your device, refer to CAcert wiki, then continue</wrap> | ||
+ | - <color #789600>**Method 1:**</color> | ||
+ | - **Add certificate to Android Keychain** | ||
+ | - **//Settings// –> //Security// –> //Install from Storage//**\\ \\ | ||
+ | - **Move certificate from userland to system trusted** | ||
+ | - **Android < 5.0:** | ||
+ | - Move new file | ||
+ | - <color #960000>**From:**</color> '' <color #C86400>/data/misc/keychain/cacertsadded/</color>'' | ||
+ | - <color #789600>**To:**</color> '' <color #C86400>/system/etc/security/cacerts/</color>''\\ \\ | ||
+ | - **Android > 5.0:** | ||
+ | - Move new file | ||
+ | - <color #960000>**From:**</color> '' <color #C86400>/data/misc/user/0/cacerts-added/</color>'' | ||
+ | - <color #789600>**To:**</color> '' <color #C86400>/system/etc/security/cacerts/</color>''\\ \\ | ||
+ | - <color #789600>**Method 2:**</color> | ||
+ | - **Save certificate with** ''.pem'' **extension**\\ \\ | ||
+ | - **Garnish subject of certificate:** | ||
+ | - ''//<color #647D00>openssl x509 -inform PEM -subject_hash -in 0b112a89.0</color>//'' | ||
+ | - Should be similar to: <color #647D00>0b112a89</color>\\ \\ | ||
+ | - **Save certificate as text:** | ||
+ | - ''//<color #647D00>openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</color>//''\\ \\ | ||
+ | - **Swap PEM section and text:** | ||
+ | - ''<color #647D00>//-----BEGIN CERTIFICATE-----//</color>'' must be at top of file\\ \\ | ||
+ | - **Rename file:** ''<color #647D00>0b112a89.0</color>'' | ||
+ | - Replace with subject from //step b//\\ \\ | ||
+ | - **Copy file to:** ''<color #C86400>/system/etc/security/cacerts/</color>''\\ \\ | ||
+ | - **Set permissions:** | ||
+ | - ''//<color #647D00>chmod 644 0b112a89.0</color>//''\\ \\ | ||
+ | - **Certificate should be listed under:** | ||
+ | - **//Settings// –> //Security// –> //Trusted Credentials// - //System//** | ||
+ | - If it's still under **//User//**: | ||
+ | - Disable/Re-Enable certificate in Android Settings | ||
+ | - This creates a file in ''<color #C86400>/data/misc/keychain/cacertsadded/</color>'' | ||
+ | - Move that file to ''<color #C86400>/system/etc/security/cacerts/</color>'' | ||
+ | - Delete original file from //step f// | ||
+ | |||
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
- | ==== BSD ==== | + | ==== BSD/Linux ==== |
- | <WRAP 76.5em lo> | + | <WRAP indent 76.5em lo> |
- | <wrap right>''<color #C86400>VPNserver-BSD.ovpn</color>''</wrap> | + | |
- | <color #508CAA>**BSD Client Config**</color> | + | |
- | </WRAP> | + | <tabbox Information> |
+ | <wrap button right>[[https://openvpn.net/index.php/open-source/downloads.html|OpenVPN Client]]</wrap> | ||
+ | <color #508CAA>**BSD/Linux Client Information**</color> | ||
+ | * Due to the sheer number of distros & variances from one to the other, only the client config is being provided | ||
- | ==== Linux ==== | + | <tabbox Config> |
+ | <wrap right>''<color #C86400>/etc/openvpn/VPNserver.conf</color>''</wrap> | ||
+ | <color #508CAA>**Linux/BSD Client Config**</color> | ||
- | <WRAP 76.5em lo> | + | <code cpp> |
- | <wrap right>''<color #C86400>VPNserver-Linux.ovpn</color>''</wrap> | + | # Config Type # |
- | <color #508CAA>**Linux Client Config**</color> | + | #------------------------------------------------ |
+ | client | ||
+ | # Connection # | ||
+ | #------------------------------------------------ | ||
+ | dev tun | ||
+ | proto udp | ||
+ | remote your.ddns.com 5000 | ||
+ | |||
+ | # Speed # | ||
+ | #------------------------------------------------ | ||
+ | mssfix 0 | ||
+ | fragment 0 | ||
+ | tun-mtu 48000 | ||
+ | |||
+ | # Reliability # | ||
+ | #------------------------------------------------ | ||
+ | float | ||
+ | nobind | ||
+ | comp-lzo | ||
+ | |||
+ | persist-key | ||
+ | persist-tun | ||
+ | resolv-retry infinite | ||
+ | |||
+ | # Encryption # | ||
+ | #------------------------------------------------ | ||
+ | auth SHA512 | ||
+ | auth-nocache | ||
+ | |||
+ | # --- SSL --- # | ||
+ | cipher AES-256-CBC | ||
+ | |||
+ | # --- TLS --- # | ||
+ | key-direction 1 | ||
+ | tls-version-min 1.2 | ||
+ | |||
+ | pkcs12 '/etc/ssl/openvpn/vpn-client1.p12' | ||
+ | remote-cert-eku 'TLS Web Server Authentication' | ||
+ | |||
+ | <tls-auth> | ||
+ | -----BEGIN OpenVPN Static key V1----- | ||
+ | #PASTE-KEY-INLINE-HERE# | ||
+ | -----END OpenVPN Static key V1----- | ||
+ | </tls-auth> | ||
+ | |||
+ | # Logging # | ||
+ | #------------------------------------------------ | ||
+ | verb 5 | ||
+ | </code> | ||
+ | |||
+ | </tabbox> | ||
</WRAP> | </WRAP> | ||
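Review bot: in the Inline XML tab the `Add:` block belongs to a client config, yet its placeholders read `#PASTE-VPN-SERVER-CERT-INLINE-HERE#` and `#PASTE-VPN-SERVER-KEY-INLINE-HERE#`; the `Remove:` block directly above drops `vpn-client1.crt.pem` and `vpn-client1.key.pem`, so the `<cert>` and `<key>` placeholders should name the client certificate and client key, otherwise a reader following the text literally pastes the server's private key into a phone profile. Related: every path in that tab is under `/sdcard/openvpn/`, which is world-readable external storage on Android; once the profile or key files have been imported into the OpenVPN app they should be removed from the SD card. In the Toast Removal tab, Android names files in `/system/etc/security/cacerts/` by the old-style OpenSSL subject hash, so the command should be `openssl x509 -inform PEM -subject_hash_old -noout -in <ca>.pem`; `-subject_hash` on OpenSSL 1.0+ produces a different value and the file is ignored, and as written the example feeds the already-renamed `0b112a89.0` into the command whose output is supposed to produce that name ("Garnish" should also read "Obtain"). Finally, moving the CA into the system store silences the "network may be monitored" toast by making that CA trusted for every TLS connection on the device, not only the VPN; the client already verifies the server through the inline `<ca>` plus `remote-cert-eku`, so the system-store change is unnecessary for OpenVPN and widens the blast radius if the CA key is ever compromised. That trade-off belongs next to the instructions.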
Line 1265: | Line 1420: | ||
==== Windows ==== | ==== Windows ==== | ||
- | <WRAP 76.5em lo> | + | <WRAP indent 76.5em lo> |
<tabbox Information> | <tabbox Information> | ||
Line 1271: | Line 1426: | ||
<color #508CAA>**Windows Client Information**</color> | <color #508CAA>**Windows Client Information**</color> | ||
- | * <color #4B4B4B>**If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**</color> | + | * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced** |
- | * <color #646464>You must use double backslashes for the path: ''<color #C86400>C:\\Path\\to\\PKCS12</color>''</color> | + | * You must use double backslashes for the path: ''<color #C86400>C:\\Path\\to\\PKCS.p12</color>'' |
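Review bot: the double-backslash requirement matches OpenVPN's config parser on Windows, but a path containing spaces must also be quoted (for example `pkcs12 "C:\\Program Files\\OpenVPN\\config\\vpn-client1.p12"`), and single forward slashes are accepted as an alternative (`C:/Path/to/PKCS.p12`), which avoids the escaping altogether. Worth adding that the .p12 contains the client's private key and should sit in a directory readable only by the account running OpenVPN.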
Line 1288: | Line 1443: | ||
dev tun | dev tun | ||
proto udp | proto udp | ||
- | remote your.ddns.com 1194 | + | remote your.ddns.com 5000 |
# Speed # | # Speed # | ||
#------------------------------------------------ | #------------------------------------------------ | ||
- | fragment 0 | ||
mssfix 0 | mssfix 0 | ||
+ | fragment 0 | ||
tun-mtu 48000 | tun-mtu 48000 | ||
# Reliability # | # Reliability # | ||
#------------------------------------------------ | #------------------------------------------------ | ||
- | comp-lzo | ||
float | float | ||
nobind | nobind | ||
+ | comp-lzo | ||
+ | |||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
resolv-retry infinite | resolv-retry infinite | ||
- | # Encryption # | + | # Encryption # |
#------------------------------------------------ | #------------------------------------------------ | ||
+ | auth SHA512 | ||
auth-nocache | auth-nocache | ||
+ | |||
+ | # --- SSL --- # | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
+ | |||
+ | # --- TLS --- # | ||
+ | key-direction 1 | ||
+ | tls-version-min 1.2 | ||
+ | |||
pkcs12 vpn-client1.p12 | pkcs12 vpn-client1.p12 | ||
remote-cert-eku "TLS Web Server Authentication" | remote-cert-eku "TLS Web Server Authentication" | ||
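Review bot: this Windows block keeps `remote-cert-eku "TLS Web Server Authentication"` in double quotes while the Android and Linux/BSD blocks in the same revision switched to single quotes; OpenVPN accepts both, but the three client configs should share one style. More substantively, `auth SHA512` and `tls-version-min 1.2` are added on the client side only; the server config (not in this diff) must use the same `auth` digest or the tls-auth HMAC check fails before the handshake starts, and the same holds for `cipher AES-256-CBC`. The unchanged `tun-mtu 48000` together with `mssfix 0` and `fragment 0` makes OpenVPN emit UDP datagrams far above any path MTU and rely on IP fragmentation; on paths that drop fragments the tunnel stalls, so the "Speed" block deserves a caveat rather than being presented as a plain optimisation.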
Line 1317: | Line 1481: | ||
-----END OpenVPN Static key V1----- | -----END OpenVPN Static key V1----- | ||
</tls-auth> | </tls-auth> | ||
- | |||
- | key-direction 1 | ||
# Logging # | # Logging # | ||
Line 1371: | Line 1533: | ||
option dest 'wan' | option dest 'wan' | ||
option src 'vpn'</code> | option src 'vpn'</code> | ||
- | - <color #4B4B4B>**Commit changes**</color>\\ <code bash>/etc/init.d/firewall restart</code> | + | - **Commit changes**\\ <code bash>/etc/init.d/firewall restart</code> |
Line 1379: | Line 1541: | ||
- <color #960000>**//Remove://**</color>\\ <code cpp> | - <color #960000>**//Remove://**</color>\\ <code cpp> | ||
- | list push 'dhcp-option DNS 8.8.8.8' | + | list push 'dhcp-option DNS 208.67.222.123' |
- | list push 'dhcp-option DNS 8.8.4.4'</code> | + | list push 'dhcp-option DNS 208.67.220.123'</code> |
- <color #789600>**//Add://**</color>\\ <code cpp> | - <color #789600>**//Add://**</color>\\ <code cpp> | ||
list push 'redirect-gateway def1 local' | list push 'redirect-gateway def1 local' | ||
list push 'dhcp-option DNS 10.1.0.1'</code> | list push 'dhcp-option DNS 10.1.0.1'</code> | ||
- | - <color #4B4B4B>**Commit changes**</color>\\ <code bash>/etc/init.d/openvpn restart</code> | + | - **Commit changes**\\ <code bash>/etc/init.d/openvpn restart</code> |
</tabbox> | </tabbox> | ||
</WRAP> | </WRAP> | ||
Line 1482: | Line 1644: | ||
<WRAP 76.5em lo> | <WRAP 76.5em lo> | ||
- | * <color #4B4B4B>**//Please take the time to read//**</color> | + | * **//Please take the time to read//** |
- | * <color #646464>//If you refuse to help yourself, don't expect someone else to help you//</color>\\ \\ | + | * //If you refuse to help yourself, don't expect someone else to help you//\\ \\ |
- | * <color #4B4B4B>**//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki Section]]//</color> | + | * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki]]// **//or//** //[[:doc:howto:openvpn-streamlined-server-setup#openssl|OpenSSL]]// **//sections//** |
- | * <color #646464>//If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:doc:howto:openvpn-streamlined-server-setup#openwrt|OpenWRT]] or [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN]] forums//</color>\\ \\ | + | * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:doc:howto:openvpn-streamlined-server-setup#openwrt|OpenWrt]] or [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN]] forums//\\ \\ |
- | * <color #4B4B4B>**//Please do not publish questions directly to this Wiki, as://**</color> | + | * <color #960000>**//Please do not publish questions directly to this Wiki, as://**</color> |
- | * <color #646464>//Most importantly, it's __not__ monitored for questions//</color> | + | * //Most importantly, it's __not__ monitored for questions// |
- | * <color #646464>//It clutters the Wiki, possibly making it more difficult for others to navigate//</color> | + | * //It clutters the Wiki, possibly making it more difficult for others to navigate// |
</WRAP> | </WRAP> |