This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- doc:howto:openvpn-streamlined-server-setup [2016/10/22 06:28]
JW0914 [Network] Corrected mislabeled interwiki link
+++ doc:howto:openvpn-streamlined-server-setup [2018/02/03 14:28] (current)
ssdnvv alte Version wiederhergestellt (2018/01/18 05:21)
@@ Line 9: / Line 9: @@
 ===== Introduction =====
-<WRAP indent>
+<WRAP box 78em lo>
+<tabbox Purpose>
+<color #508CAA>**VPN Server Purpose**</color>
-==== VPN Requirements ====
+  * Provides an encrypted remote connection over WAN to router and downstream devices
-<WRAP 75em lo>
+  * If Gateway Redirect is utilized, it provides an encrypted connection for local traffic
-Five things are required for a SSL VPN:
-  - [[:doc:howto:openvpn-streamlined-server-setup#encryption|Encryption (Certificates)]]
-  - [[:doc:howto:openvpn-streamlined-server-setup#network|Network (VPN Interface Creation)]]
-  - [[:doc:howto:openvpn-streamlined-server-setup#firewall|Firewall Rules [VPN Traffic]]]
-  - [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server [Config]]]
-  - [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Clients [Config]]]
-</WRAP>
+<tabbox Requirements>
+<color #508CAA>**SSL VPN Requirements**</color>
+  - [[:doc:howto:openvpn-streamlined-server-setup#encryption|Encryption]] [Certificates]
+  - [[:doc:howto:openvpn-streamlined-server-setup#network|Network]] [VPN Interface]
+  - [[:doc:howto:openvpn-streamlined-server-setup#firewall|Firewall]] [Traffic Rules]
+  - [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|Server]] [Config]
+  - [[:doc:howto:openvpn-streamlined-server-setup#clients|Clients]] [Config]\\ \\
+<tabbox Editing>
+<wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/Vim/.vimrc|VimRC]]  [[http://vim.wikia.com/wiki/Tutorial|Vim Tutorial]]</wrap>
+<color #508CAA>**Editing Configs**</color>
+  * Vim is the default command line text editor\\ \\
+  * If you've never utilized Vim before, please see the Vim Tutorial
+    * Save the VimRC to ''<color #C86400>~/.vimrc</color>''
+</tabbox>
 </WRAP>
@@ Line 29: / Line 42: @@
 <WRAP centeralign 78.25em lo>
-<wrap danger>Easy-RSA //does not// create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf</wrap>
+<wrap warning><color #FFFFFF>Easy-RSA //does not// create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf</color></wrap>
 </WRAP>
 <WRAP indent>
 ==== Prerequisites ====
 <WRAP box lo>
-<wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/OpenSSL.cnf|openssl.cnf]]</wrap>
+<wrap right button>[[https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf|openssl.cnf]]</wrap>
 <tabbox Prerequisites>
@@ Line 44: / Line 57: @@
 <color #508CAA>**OpenVPN Prerequisites**</color>
-  - <color #4B4B4B>**Install Packages:**</color>
+  - **Install Packages:**
-    - //''<color #647D00>opkg update ; opkg install openvpn-openssl luci-app-openvpn</color>''//\\ \\
+    - //''<color #647D00>opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util</color>''//\\ \\
-  - <color #4B4B4B>**Download openssl.cnf:**</color>
+  - **Download openssl.cnf:**
-    - <color #646464>Save as ''<color #C86400>/etc/ssl/openssl.cnf</color>''</color>\\ \\
+    - Save as ''<color #C86400>/etc/ssl/openssl.cnf</color>''\\ \\
-  - <color #4B4B4B>**Navaigate to SSL directory & create required directories**</color>
+  - **Navaigate to SSL directory & create required directories**
     - //''<color #647D00>cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients</color>''//\\ \\
-  - <color #4B4B4B>**Create Serial file**</color>
+  - **Create Serial file**
     - //''<color #647D00>echo 00 > serial</color>''//
-      * <color #646464>Maintains the serial for the most recent cert in order to know what serial to next assign</color>
+      * Maintains the serial for the most recent cert in order to know what serial to next assign
-        * <color #646464>Serial is in hex, not dec[//imal//] format</color>\\ \\
+        * Serial is in hex, not dec[//imal//] format\\ \\
-  - <color #4B4B4B>**Create CRLnumber file**</color>
+  - **Create CRLnumber file**
-    - //''<color #647D00>echo 00 > crlnumber</color>''//
+    - //''<color #647D00>echo 00 > crl/crlnumber</color>''//
-            * <color #646464>CRL should be generated, but will only be utilized once a cert is revoked</color>\\ \\
+            * CRL should be generated, but will only be utilized once a cert is revoked\\ \\
-  - <color #4B4B4B>**Create Index file**</color>
+  - **Create Index file**
     - //''<color #647D00>touch index</color>''//
-      * <color #646464>Maintains an index of all certs issued <sup>[lines 744 - 759]</sup></color>
+      * Maintains an index of all certs issued <sup><color #646464>[lines 644 - 689]</color></sup>
-        * <color #646464>Keeps track of certs issued; extremely important if one has revoked a cert</color>\\ \\
+        * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\
-  - <color #4B4B4B>**Create Rand file**</color>
+  - **Create Rand file**
     - //''<color #647D00>touch rand</color>''//
-      * <color #646464>Utilized for random characters & is queried by OpenSSL during key creation</color>
+      * Utilized for random characters & is queried by OpenSSL during key creation
@@ Line 69: / Line 82: @@
 <color #508CAA>**File & Folder Locations**</color>
-  - <color #4B4B4B>**Config Locations:**</color>
+  - **Config Locations:**
-    * <color #646464>Firewall: ''<color #C86400>/etc/config/firewall</color>''</color>
+    * Firewall: ''<color #C86400>/etc/config/firewall</color>''
-    * <color #646464>Network: ''<color #C86400>/etc/config/network</color>''</color>
+    * Network: ''<color #C86400>/etc/config/network</color>''
-    * <color #646464>OpenVPN: ''<color #C86400>/etc/config/openvpn</color>''</color>\\ \\
+    * OpenSSL: ''<color #C86400>/etc/ssl/openssl.cnf</color>''
-  - <color #4B4B4B>**Folder Locations:**</color>
+    * OpenVPN: ''<color #C86400>/etc/config/openvpn</color>''\\ \\
-    * <color #646464>SSL: ''<color #C86400>etc/ssl/</color>''</color>
+  - **Folder Locations:**
-      * <color #646464>OpenVPN</color>
+    * OpenVPN
-        * <color #646464>CA & ICA Certs: ''<color #C86400>/etc/ssl/ca/</color>''</color>
+      * CA & ICA Certs: ''<color #C86400>/etc/ssl/ca/</color>''
-          * <color #646464>CSR: ''<color #C86400>/etc/ssl/ca/csr/</color>''</color>
+        * CSR: ''<color #C86400>/etc/ssl/ca/csr/</color>''
-          * <color #646464>CRL: ''<color #C86400>/etc/ssl/crl/</color>''</color>
+        * CRL: ''<color #C86400>/etc/ssl/crl/</color>''
-        * <color #646464>Client Certs: ''<color #C86400>/etc/ssl/openvpn/clients/</color>''</color>
+      * Client Certs: ''<color #C86400>/etc/ssl/openvpn/clients/</color>''
-        * <color #646464>Server Certs: ''<color #C86400>/etc/ssl/openvpn/</color>''</color>
+      * Server Certs: ''<color #C86400>/etc/ssl/openvpn/</color>''
 <tabbox Extensions>
 <color #508CAA>**Certificate Extensions**</color>
-  - <color #4B4B4B>**.csr:**</color>
+  - **.csr:**
-    * <color #646464>//certificate request//</color>\\ \\
+    * //certificate request//\\ \\
-  - <color #4B4B4B>**.key:**</color>
+  - **.key:**
-    * <color #646464>//private key//</color>
+    * //private key//
-      * <color #64646>4All key files, except for a server's, should be encrypted with a passphrase</color>\\ \\
+      * 4All key files, except for a server's, should be encrypted with a passphrase\\ \\
-  - <color #4B4B4B>**.crt:**</color>
+  - **.crt:**
-    * <color #646464>//signed certificate//</color>\\ \\
+    * //signed certificate//\\ \\
-  - <color #4B4B4B>**.p12:**</color>
+  - **.p12:**
-    * <color #646464>//PKCS12 certificate//</color>
+    * //PKCS12 certificate//
-      * <color #646464>Contains the //CA.crt// or concatenated //ICA-CA.crt//, //Certificate.crt//, and //CertificateKey.key//</color>
+      * Contains the //CA.crt// or concatenated //ICA-CA.crt//, //Certificate.crt//, and //CertificateKey.key//
 </tabbox>
 </WRAP>
@@ Line 105: / Line 117: @@
 <tabbox Synopsis>
+<wrap right button>[[https://www.feistyduck.com/books/openssl-cookbook/|Cookbook]]  [[https://wiki.openssl.org/index.php/Main_Page|Wiki]]</wrap>
 <color #508CAA>**Section Synopsis**</color>
-  * <color #4B4B4B>**These tabs contain critical information one will likely find helpful while going through the steps in this wiki**</color>
+  * **These tabs contain critical information one will likely find helpful while going through the steps in this wiki**
-    * <color #646464>Tabs 1 - 2 contain informational & reference links to the main man pages</color>
+    * Tabs 2 - 3 contain informational & reference links to the main man pages
-    * <color #646464>Tabs 3 - 6 cover the definitions of KUs, EKUs, KEAs, & EC KEAs</color>
+    * Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs
 <tabbox Info>
-<wrap right button>[[https://www.feistyduck.com/books/openssl-cookbook/|Cookbook]]  [[https://wiki.openssl.org/index.php/Main_Page|Wiki]]</wrap>
+<wrap right button>[[https://www.openssl.org/news/changelog.html|Changelog]]</wrap>
 <color #508CAA>**OpenSSL Information**</color>
 <WRAP centeralign box>
 <WRAP third column>
-<wrap button>[[https://www.openssl.org/news/changelog.html|Changelog]]</wrap>
-<wrap button>[[https://www.openssl.org/news/vulnerabilities.html|Vulnerabilities]]</wrap>\\ \\
+<wrap button>[[https://wiki.openssl.org/index.php/Certificate_Lifecycle|Certificates Explained]]</wrap>\\ \\
 <wrap button>[[https://www.openssl.org/blog/|Blog]]</wrap>
-<wrap button>[[https://wiki.openssl.org/index.php/Certificate_Lifecycle|Certificates Explained]]</wrap>
+<wrap button>[[https://www.openssl.org/news/vulnerabilities.html|Vulnerabilities]]</wrap>
 <wrap button>[[https://www.openssl.org/news/newslog.html|News]]</wrap>
 </WRAP>
@@ Line 177: / Line 190: @@
 <color #508CAA>**keyUsage**</color>
-  - <color #4B4B4B>**digitalSignature**</color>
+  - **digitalSignature**
-    - <color #646464>Certificate may be used to apply a digital signature</color>
+    - Certificate may be used to apply a digital signature
-      - <color #646464>Digital signatures are often used for entity authentication & data origin authentication with integrity</color>\\ \\
+      - Digital signatures are often used for entity authentication & data origin authentication with integrity\\ \\
-  - <color #4B4B4B>**nonRepudiation**</color>
+  - **nonRepudiation**
-    - <color #646464>Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services</color>
+    - Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
-      - <color #646464>This prevents the signing entity from falsely denying some action</color>\\ \\
+      - This prevents the signing entity from falsely denying some action\\ \\
-  - <color #4B4B4B>**keyEncipherment**</color>
+  - **keyEncipherment**
-    - <color #646464>Certificate may be used to encrypt a symmetric key which is then transferred to the target</color>
+    - Certificate may be used to encrypt a symmetric key which is then transferred to the target
-      - <color #646464>Target decrypts key, subsequently using it to encrypt & decrypt data between the entities</color>\\ \\
+      - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities\\ \\
-  - <color #4B4B4B>**dataEncipherment**</color>
+  - **dataEncipherment**
-    - <color #646464>Certificate may be used to encrypt & decrypt actual application data</color>\\ \\
+    - Certificate may be used to encrypt & decrypt actual application data\\ \\
-  - <color #4B4B4B>**keyAgreement**</color>
+  - **keyAgreement**
-    - <color #646464>Certificate enables use of a key agreement protocol to establish a symmetric key with a target</color>
+    - Certificate enables use of a key agreement protocol to establish a symmetric key with a target
-    - <color #646464>Symmetric key may then be used to encrypt & decrypt data sent between the entities</color>\\ \\
+    - Symmetric key may then be used to encrypt & decrypt data sent between the entities\\ \\
-  - <color #4B4B4B>**keyCertSign**</color>
+  - **keyCertSign**
     - <wrap danger>CA ONLY</wrap>
-      - <color #646464>Subject public key is used to verify signatures on certificates</color>
+      - Subject public key is used to verify signatures on certificates
       - <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\
-  - <color #4B4B4B>**cRLSign**</color>
+  - **cRLSign**
     - <wrap danger>CA ONLY</wrap>
-      - <color #646464>Subject public key is to verify signatures on revocation information, such as a CRL</color>
+      - Subject public key is to verify signatures on revocation information, such as a CRL
       - <color #AF0000>//This extension must only be used for CA certificates//</color>\\ \\
-  - <color #4B4B4B>**encipherOnly**</color>
+  - **encipherOnly**
-    - <color #646464>KU ''<color #009B9B>keyAgreement</color>'' is required</color>
+    - KU ''<color #009B9B>keyAgreement</color>'' is required
-    - <color #646464>Public key used only for enciphering data while performing key agreement</color>\\ \\
+    - Public key used only for enciphering data while performing key agreement\\ \\
-  - <color #4B4B4B>**decipherOnly**</color>
+  - **decipherOnly**
-    - <color #646464>KU ''<color #009B9B>keyAgreement</color>'' is required</color>
+    - KU ''<color #009B9B>keyAgreement</color>'' is required
-    - <color #646464>Public key used only for deciphering data while performing key agreement</color>
+    - Public key used only for deciphering data while performing key agreement
@@ Line 211: / Line 224: @@
 <color #508CAA>**extendedKeyUsage**</color>
-  - <color #4B4B4B>**serverAuth**</color>
+  - **serverAuth**
-    - <color #646464>All VPN servers should be signed with this EKU present</color>
+    - All VPN servers should be signed with this EKU present
-      - <color #646464>SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against</color>
+      - SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
-      - <color #646464>This supersedes ''<color #009B9B>nscertype</color>'' options (''<color #009B9B>ns</color>'' in ''<color #009B9B>nscertype</color>'' stands for NetScape [browser])</color>\\ \\
+      - This supersedes ''<color #009B9B>nscertype</color>'' options (''<color #009B9B>ns</color>'' in ''<color #009B9B>nscertype</color>'' stands for NetScape [browser])\\ \\
-  - <color #4B4B4B>**clientAuth**</color>
+  - **clientAuth**
-    - <color #646464>All VPN clients //must// be signed with this EKU present</color>
+    - All VPN clients //must// be signed with this EKU present
-      - <color #646464>SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only</color>\\ \\
+      - SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only\\ \\
-  - <color #4B4B4B>**codeSigning**</color>
+  - **codeSigning**
-    - <color #646464>Code Signing</color>\\ \\
+    - Code Signing\\ \\
-  - <color #4B4B4B>**emailProtection**</color>
+  - **emailProtection**
-    - <color #646464>Email Protection via S/MIME, allows you to send and receive encrypted emails</color>\\ \\
+    - Email Protection via S/MIME, allows you to send and receive encrypted emails\\ \\
-  - <color #4B4B4B>**timeStamping**</color>
+  - **timeStamping**
-    - <color #646464>Trusted Timestamping</color>\\ \\
+    - Trusted Timestamping\\ \\
-  - <color #4B4B4B>**OCSPSigning**</color>
+  - **OCSPSigning**
-    - <color #646464>OCSP Signing</color>\\ \\
+    - OCSP Signing\\ \\
-  - <color #4B4B4B>**ipsecIKE**</color>
+  - **ipsecIKE**
-    - <color #646464>IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]</color>
+    - IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]
-      - <color #646464>Research needs to be performed to determine if this EKU should also no longer be utilized</color>
+      - Research needs to be performed to determine if this EKU should also no longer be utilized
-      - <color #646464>''<color #009B9B>clientAuth</color>'' can be utilized in a IPSec VPN client cert</color>\\ \\
+      - ''<color #009B9B>clientAuth</color>'' can be utilized in a IPSec VPN client cert\\ \\
-  - <color #4B4B4B>**ipsecEndSystem, ipsecTunnel, & ipsecUser**</color>
+  - **ipsecEndSystem, ipsecTunnel, & ipsecUser**
     - <wrap danger>SHOULD NOT BE UTILIZED</wrap>
-      - <color #646464>Assigned in 1999, the semantics of these values were never clearly defined</color>
+      - Assigned in 1999, the semantics of these values were never clearly defined
-      - <color #646464>The use of these three EKU values in IKE/IPsec is obsolete and explicitly deprecated by this specification</color>\\ \\
+      - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <sup><color #646464>[5.1.3.12]</color></sup>\\ \\
-  - <color #4B4B4B>**msCodeInd**</color>
+  - **msCodeInd**
-    - <color #646464>Microsoft Individual Code Signing (authenticode)</color>\\ \\
+    - Microsoft Individual Code Signing (authenticode)\\ \\
-  - <color #4B4B4B>**msCodeCom**</color>
+  - **msCodeCom**
-    - <color #646464>Microsoft Commerical Code Signing (authenticode)</color>\\ \\
+    - Microsoft Commerical Code Signing (authenticode)\\ \\
-  - <color #4B4B4B>**mcCTLSign**</color>
+  - **mcCTLSign**
-    - <color #646464>Microsoft Trust List Signing</color>\\ \\
+    - Microsoft Trust List Signing\\ \\
-  - <color #4B4B4B>**msEFS**</color>
+  - **msEFS**
-    - <color #646464>Microsoft Encrypted File System Signing</color>\\ \\
+    - Microsoft Encrypted File System Signing\\ \\
@@ Line 247: / Line 260: @@
 <color #508CAA>**Key Exchange**</color>
-  - <color #4B4B4B>**RSA**</color>
+  - **RSA**
-    - <color #646464>Key exchange occurs via encryption of a random value</color>
+    - Key exchange occurs via encryption of a random value
-      - <color #646464>Client chooses a random value via the server public key</color>
+      - Client chooses a random value via the server public key
-      - <color #646464>Server public key must be an RSA key</color>
+      - Server public key must be an RSA key
-      - <color #646464>Server certificate must utilize KU ''<color #009B9B>keyAgreement</color>''</color>\\ \\
+      - Server certificate must utilize KU ''<color #009B9B>keyAgreement</color>''\\ \\
-  - <color #4B4B4B>**DH_RSA**</color>
+  - **DH_RSA**
-    - <color #646464>Key exchange occurs via a static Diffie-Hellman key</color>
+    - Key exchange occurs via a static Diffie-Hellman key
-      - <color #646464>Server public key must be a Diffie-Hellman key</color>
+      - Server public key must be a Diffie-Hellman key
-      - <color #646464>Diffie-Hellman key must have been issued by a CA</color>
+      - Diffie-Hellman key must have been issued by a CA
-      - <color #646464>CA must be using an RSA key signing key</color>\\ \\
+      - CA must be using an RSA key signing key\\ \\
-  - <color #4B4B4B>**DH_DSA**</color>
+  - **DH_DSA**
-    - <color #646464>Like ''<color #009B9B>DH_RSA</color>'', except CA used a DSA key in lieu of RSA</color>\\ \\
+    - Like ''<color #009B9B>DH_RSA</color>'', except CA used a DSA key in lieu of RSA\\ \\
-  - <color #4B4B4B>**DHE_RSA**</color>
+  - **DHE_RSA**
-    - <color #646464>Key exchange occurs via an ephemeral Diffie-Hellman</color>
+    - Key exchange occurs via an ephemeral Diffie-Hellman
-      - <color #646464>Server dynamically generates & signs a DH public key, sending it to the client</color>
+      - Server dynamically generates & signs a DH public key, sending it to the client
-      - <color #646464>Server Public Key must be an RSA key</color>
+      - Server Public Key must be an RSA key
-      - <color #646464>Server certificate must utilize KU ''<color #009B9B>digitalSignature</color>''</color>\\ \\
+      - Server certificate must utilize KU ''<color #009B9B>digitalSignature</color>''\\ \\
-  - <color #4B4B4B>**DHE_DSA**</color>
+  - **DHE_DSA**
-    - <color #646464>Like ''<color #009B9B>DHE_RSA</color>'', except CA used a DSA key in lieu of RSA</color>
+    - Like ''<color #009B9B>DHE_RSA</color>'', except CA used a DSA key in lieu of RSA
@@ Line 271: / Line 284: @@
 <color #508CAA>**Elliptic-Curve Key Exchange**</color>
-  - <color #4B4B4B>**ECDH_ECDSA**</color>
+  - **ECDH_ECDSA**
-    - <color #646464>Like DH_DSA, but with elliptic curves</color>
+    - Like ''<color #009B9B>DH_DSA</color>'', but with elliptic curves
-      - <color #646464>Server public key must be an ECDH key</color>
+      - Server public key must be an ECDH key
-      - <color #646464>Server certificate must be issued by a CA utilizing an ECDSA public key</color>\\ \\
+      - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\
-  - <color #4B4B4B>**ECDH_RSA**</color>
+  - **ECDH_RSA**
-    - <color #646464>Like ''<color #009B9B>ECDH_ECDSA</color>'', except CA used an RSA key</color>\\ \\
+    - Like ''<color #009B9B>ECDH_ECDSA</color>'', except CA used an RSA key\\ \\
-  - <color #4B4B4B>**ECDHE_ECDSA**</color>
+  - **ECDHE_ECDSA**
-    - <color #646464>Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key</color>
+    - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
-      - <color #646464>Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature</color>\\ \\
+      - Equivalent to ''<color #009B9B>DHE_DSS</color>'', but with elliptic curves for both the Diffie-Hellman & signature\\ \\
-  - <color #4B4B4B>**ECDHE_RSA**</color>
+  - **ECDHE_RSA**
-    - <color #646464>Like ''<color #009B9B>ECDHE_ECDSA</color>'', except Server public key is an RSA key</color>
+    - Like ''<color #009B9B>ECDHE_ECDSA</color>'', except Server public key is an RSA key
-      - <color #646464>Server public key signs the ephemeral EC Diffie-Hellman key</color>
+      - Server public key signs the ephemeral EC Diffie-Hellman key
 </tabbox>
 </WRAP>
@@ Line 291: / Line 304: @@
 === CA Creation ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
 <tabbox Prerequisites>
 <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap>
@@ Line 297: / Line 310: @@
 <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color>
+**Modify the following SubjectAltNames & V3 Profiles**
-  - <color #646464>**Certificate Authorities** <sup>[Line 228]</sup></color>
+  - **Certificate Authorities** <sup>[Line 177]</sup>
-    - <color #4B4B4B4>//Main//</color>
+    - //Main//
-      - <color #646464>**Line 234:**</color> ''<color #647D00>DNS.1 = Router.1</color>''
+      - **Line 183:** ''<color #647D00>DNS.1 = //Router.1//</color>''
-        * <color #646464>//Change//</color> ''<color #506400>//Router.1//</color>'' <color #646464>//to what you'd like the name of your Certificate Authority to be//</color>\\ \\
+        * //Change// ''<color #007DC8>Router.1</color>'' //to what you'd like the name of your Certificate Authority to be//\\ \\
-  - <color #646464>**Certificate Authority Clients** <sup>[Line 253]</sup></color>
+  - **Certificate Authority Clients** <sup><color #646464>[Line 205]</color></sup>
-    - <color #4B4B4B4>//Servers//</color>
+    - //Servers//
-      * <color #646464>**Lines:** 259 - 281</color>
+      * **Lines:** 198 - 220
-    - <color #4B4B4B4>//Clients//</color>
+    - //Clients//
-      * <color #646464>**Lines:** 283 - 287</color>\\ \\
+      * **Lines:** 222 - 226\\ \\
-  - <color #646464>**Change SAN & V3 profile names from** ''<color #647D00>alt_ca_main</color>'' **to** ''<color #647D00>alt_ca_openwrt</color>''</color> <sup><color #646464>[lines 233, 353, & 357]</color></sup>
-    - <color #646464>**Line 233:** ''<color #647D00>[ alt_ca_openwrt ]</color>''</color>
-    - <color #646464>**Line 353:** ''<color #647D00>[ v3_ca_openwrt ]</color>''</color>
-    - <color #646464>**Line 357:** ''<color #647D00>subjectAltName = @alt_ca_openwrt</color>''</color>
 </WRAP>
@@ Line 330: / Line 339: @@
 === ICA Creation ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
 <tabbox Prerequisites>
 <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap>
@@ Line 337: / Line 345: @@
 <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color>
+**Modify the following SubjectAltNames & V3 Profiles**
-  - <color #646464>**Certificate Authorities** <sup>[Line 228]</sup></color>
+  - **Certificate Authorities** <sup><color #646464>[Line 177]</color></sup>
-    - <color #4B4B4B>//Router 2//</color>
+    - //Router 2//
-      - <color #646464>**Line 239:**</color> ''<color #647D00>DNS.1 = Router.2</color>''
+      - **Line 188:** ''<color #647D00>DNS.1 = //Router.2//</color>''
-        * <color #646464>//Change ''<color #647D00>Router.2</color>'' to what you'd like the name of your Intermediate CA to be//</color>\\ \\
+        * //Change// ''<color #007DC8>Router.2</color>'' //to what you'd like the name of your Intermediate CA to be//\\ \\
-  - <color #646464>**Intermediate Certificate Authority Clients** <sup>[Line 290]</sup></color>
+  - **Intermediate Certificate Authority Clients** <sup><color #646464>[Line 229]</color></sup>
-    - <color #4B4B4B4>//Servers//</color>
+    -//Servers//
-      * <color #646464>**Lines:** 296 - 312</color>
+      * **Lines:** 235 - 251
-    - <color #4B4B4B4>//Clients//</color>
+    - //Clients//
-      * <color #646464>**Lines:** 314 - 322:</color>\\ \\
+      * **Lines:** 253 - 261:\\ \\
-  - <color #646464>**Change SAN & V3 profile names from** ''<color #647D00>alt_ica_router2</color>'' **to** ''<color #647D00>alt_ica_openvpn</color>''</color> <sup>[lines 238, 360, & 364]</sup>
-    - <color #646464>**Line 238:** ''<color #647D00>[ alt_ica_openvpn ]</color>''</color>
-    - <color #646464>**Line 360:** ''<color #647D00>[ v3_ica_openvpn ]</color>''</color>
-    - <color #646464>**Line 364:** ''<color #647D00>subjectAltName = @alt_ica_openvpn</color>''</color>
 </WRAP>
@@ Line 359: / Line 363: @@
 <color #508CAA>**ICA OpenSSL Commands**</color>
-  - <color #4B4B4B4>**Generate Intermediate CA CSR**</color>\\ <code bash>openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn</code>
+  - <color #4B4B4B4>**Generate Intermediate CA CSR**</color>\\ <code bash>openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_router2</code>
     * <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\
-  - <color #4B4B4B4>**Create & Sign ICA with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn</code>
+  - <color #4B4B4B4>**Create & Sign ICA with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_router2</code>
   - <color #4B4B4B4>**Generate ICA CRL**</color>\\ <code bash>openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf</code>
   - <color #4B4B4B4>**Convert ICA CRL -> DER CRL**</color>\\ <code bash>openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl</code>
@@ Line 371: / Line 375: @@
 === Index File ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
 <tabbox Info>
+<wrap right>''<color #C86400>/etc/ssl/index</color>''</wrap>
 <color #508CAA>**Index Info**</color>
-  * <color #4B4B4B>**If wishing to maintain the index file automatically,** ''openssl ca'' **must be used to sign certs**</color>
+  * **If wishing to maintain the index file automatically,** ''<color #647D00>openssl ca</color>'' **must be used to sign certs**
-    * <color #646464>''openssl ca'' is not used in this wiki as it requires additional steps & adds unneeded complexity</color>\\ \\
+    * ''openssl ca'' is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
@@ Line 385: / Line 390: @@
 <WRAP indent>
-<color #4B4B4B>**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format**</color>
+**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format**
+  * Entering certificate information into the index file takes ~30s per cert
+  * Copy & paste DN from the output of: '' //<color #647D00>openssl x509 -in certificate.crt -text -noout</color>//''
 <code cpp>
-V    261231235959Z    0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
+V    261231235959Z            0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
-    2----------->    4->   5----->    6---------------------------------------------------------------------------------------------------></code>
+    2----------->    3->     4->   5----->    6---------------------------------------------------------------------------------------------------></code>
 </WRAP>
-  - <color #4B4B4B>**Status of Certificate**</color>
+  - **Status of Certificate**
-    - <color #646464>**''V''** [Valid]</color>
+    - **''V''** [Valid]
-    - <color #646464>**''R''** [Revoked]</color>
+    - **''R''** [Revoked]
-    - <color #646464>**''E''** [Expired]</color>\\ \\
+    - **''E''** [Expired]\\ \\
-  - <color #4B4B4B>**Expiration Date**</color>
+  - **Expiration Date**
-    - <color #646464>Format: **''YYMMDDHHMMSS''** followed by **''Z''**</color>
+    - Format: **''YYMMDDHHMMSS''** followed by **''Z''**
-      * <color #646464>//2026.12.31 @ 23:59:59//</color>\\ \\
+      * //2026.12.31 @ 23:59:59//\\ \\
-  - <color #4B4B4B>**Revocation Date**</color>
+  - **Revocation Date**
-    - <color #646464>Format: **''YYMMDDHHMMSSZ,reason''**</color>
+    - Format: **''YYMMDDHHMMSSZ,reason''**
-      - <color #4B4B4B>Valid reasons are:</color>
+      - Valid reasons are:
         - ''<color #009B9B>keyCompromise</color>''
         - ''<color #009B9B>CACompromise</color>''
@@ Line 408: / Line 415: @@
         - ''<color #009B9B>privilegeWithdrawn</color>''
         - ''<color #009B9B>AACompromise</color>''
-      - <color #646464>Empty if not revoked</color>\\ \\
+    - Empty if not revoked
-  - <color #4B4B4B>**Serial number** <sup>(//hex// format)</sup></color>
+      * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\
-    - <color #646464>**''0a''** is hex for 10</color>
+  - **Serial number** <sup><color #646464>(//hex// format)</color></sup>
-      - <color #646464>**Windows:**</color>
+    - **''0a''** is hex for 10
-        * <color #646464>Calculator has programmer feature which can convert dec <-> hex</color>
+      - **Windows:**
-      - <color #646464>**Linux/BSD**</color>
+        * Calculator has programmer feature which can convert dec <-> hex
-        * <color #646464>cli hex -> dec: '' //<color #647D00>printf '%d\n' 0x0a</color>// '' returns ''<color #647D00>10</color>''</color>
+      - **Linux/BSD**
-        * <color #646464>cli dec -> hex: '' //<color #647D00>printf '%x\n' 10</color>// '' returns ''<color #647D00>0a</color>''</color> \\ \\
+        * cli hex -> dec: '' //<color #647D00>printf '%d\n' 0x0a</color>// '' returns ''<color #647D00>10</color>''
-  - <color #4B4B4B>**Certificate Filename or Literal String**</color>
+        * cli dec -> hex: '' //<color #647D00>printf '%x\n' 10</color>// '' returns ''<color #647D00>0a</color>'' \\ \\
-    - <color #646464>Certificate Filename or Literal String **''unknown''**</color>\\ \\
+  - **Certificate Filename or Literal String**
-  - <color #4B4B4B>**Distinguished Name**</color>
+    - Certificate Filename or Literal String **''unknown''**\\ \\
+  - **Distinguished Name**
-  * <color #646464>**Entering the cert information into the index file takes ~30s per cert**</color>
-    * <color #646464>Copy & paste DN from the output of: '' //<color #647D00>openssl x509 -in certificate.crt -text -noout</color>//''</color>
 </tabbox>
 </WRAP>
@@ Line 427: / Line 432: @@
 === Server Cert ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
 <tabbox Prerequisites>
 <wrap right>''<color #C86400>/etc/ssl/openssl.cnf</color>''</wrap>
@@ Line 434: / Line 438: @@
 <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color>
+**Modify the following SubjectAltNames & V3 Profiles**
 <WRAP indent>
 **__SubjectAltNames Profile__**
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 290)</color></sup>
+  - **Intermediate Certificate Authority Clients** <sup>(Line 229)</sup>
-    - <color #4B4B4B>//Change the SAN alt name ''<color #647D00>alt_vpn_server2</color>'' to ''<color #647D00>alt_openvpn_server</color>''//</color>
+    - //Change the server's SAN IP from// ''<color #647D00>10.0.1.1</color>'' //to match your VPN Server IP//
-      - <color #646464>**Line 310:** ''<color #647D00>[ alt_openvpn_server ]</color>''</color>\\ \\
+      - **Line 250:** ''<color #647D00>IP.1 = //10.0.1.1//</color>''\\ \\
-    - <color #4B4B4B>//Change the SAN IP from ''<color #647D00>10.0.1.1</color>'' to match your VPN Server IP//</color>
+    - //Change the SAN DNS from// ''<color #647D00>your.ddns.com</color>'' //to match your own DDNS and/or FQDN//
-      - <color #646464>**Line 311:** ''<color #647D00>IP.1 = 10.0.1.1</color>''</color>\\ \\
+      - **Line 251:** ''<color #647D00>DNS.1 = //your.ddns.com//</color>''
-    - <color #4B4B4B>//Change the SAN DNS from ''<color #647D00>your.ddns.com</color>'' to match your own DDNS and/or FQDN//</color>
+        * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
-      - <color #646464>**Line 312:** ''<color #647D00>DNS.1 = your.ddns.com</color>''</color>
-        * <color #646464>//For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)</color>
-**__V3 Profile__**
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 473)</color></sup>
-    - <color #4B4B4B>//Change the V3 profile name from ''<color #647D00>[ v3_vpn_server2 ]</color>'' to match alt name set above//</color>
-      - <color #646464>**Line 496:** ''<color #647D00>[ v3_openvpn_server ]</color>''</color>\\ \\
-    - <color #4B4B4B>//Change the SAN alt name from ''<color #647D00>@alt_vpn_server2</color>'' to match alt name set above//</color>
-      - <color #646464>**Line 502:** ''<color #647D00>subjectAltName = @alt_openvpn_server</color>''</color>
 </WRAP>
 </WRAP>
@@ Line 462: / Line 456: @@
 <color #508CAA>**Server Cert OpenSSL Commands**</color>
-  - <color #4B4B4B>**Generate VPN Server CSR**</color>\\ <code bash>openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes</code>
+  - **Generate VPN Server CSR**\\ <code bash>openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes</code>
-    * <color #4B4B4B>**''-nodes''**</color> <color #4B4B4B>creates a signing key without encryption</color>
+    * **''-nodes''** creates a signing key without encryption
-      * <color #646464>For server certs **//only//**, as a passphrase prevents the server from starting/restarting without manual intervention</color>\\ \\
+      * For server certs **//only//**, as a passphrase prevents the server from starting/restarting without manual intervention\\ \\
-  - <color #4B4B4B>**Create & Sign Cert with CA**</color>\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_vpn_server</code>
+  - **Create & Sign Cert with CA**\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_vpn_server</code>
-  - <color #4B4B4B>**Export to PKCS12**</color>\\ <code bash>openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</code>
+  - **Export to PKCS12**\\ <code bash>openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</code>
     * <color #AF0000>**//Do not encrypt this PKCS12//**</color>\\ \\
-    * <color #4B4B4B4>ICA is still used to sign the certs it issues</color>
+    * ICA is still used to sign the certs it issues
-      * <color #646464>ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust</color>
+      * ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust
-        * <color #646464>//Chain of Trust hierarchy: CA -> Intermediate CA -> Client//</color>
+        * //Chain of Trust hierarchy: CA -> Intermediate CA -> Client//
 </tabbox>
 </WRAP>
@@ Line 477: / Line 471: @@
 === Client Certs ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
-<wrap danger>Do not use the same Common Name (CN) on more than one certificate</wrap>
+<WRAP centeralign><wrap danger>Do not use the same Common Name (CN) on more than one certificate</wrap></WRAP>
 <tabbox Prerequisites>
@@ Line 485: / Line 479: @@
 <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</color>
+**Modify the following SubjectAltNames & V3 Profiles**
 <WRAP indent>
 **__SubjectAltNames Profile__**
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 290)</color></sup>
+  - **Intermediate Certificate Authority Clients** <sup><color #646464>(Line 229)</color></sup>
-    - <color #4B4B4B>//Change the SAN alt name ''<color #647D00>alt_vpn2_user1'' to ''alt_openvpn_//<username>//</color>''//</color>
+    - //Change the SAN DNS from// ''<color #647D00>VPNserver-Client1-Device-Hostname</color>'' //to match client username//
-      - <color #646464>**Line 315:** ''<color #647D00>[ alt_openvpn_//<username>// ]</color>''</color>\\ \\
+      - **Line 255:** ''<color #647D00>DNS.1 = //VPN-<username>-Hostname//</color>''
-    - <color #4B4B4B>//Change the SAN DNS from ''<color #647D00>VPNserver-Client1-Device-Hostname</color>'' to match client username//</color>
+        * //This makes configuring CCD more convenient//\\ \\
-      - <color #646464>**Line 316:** ''<color #647D00>DNS.1 = VPN-//<username>//-Hostname</color>''</color>
+    - //Change the SAN email from// ''<color #647D00>user1@email.com</color>'' //to user's email//
-        * <color #646464>//This makes configuring CCD more convenient//</color>\\ \\
+      - **Line 256** ''<color #647D00>email.1 = //user1@email.com//</color>''
-    - <color #4B4B4B>//Change the SAN email from ''<color #647D00>user1@email.com</color>'' to user's email//</color>
-      - <color #646464>**Line 317:** ''<color #647D00>email.1 = user1@email.com</color>''</color>
-**__V3 Profile__**
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</color> <sup><color #646464>(Line 473)</color></sup>
-    - <color #4B4B4B>//Change the V3 profile name from ''<color #647D00>[ v3_vpn2_user1 ]</color>'' to match alt name set above//</color>
-      - <color #646464>**Line 505:** ''<color #647D00>[ v3_openvpn_//<username>// ]</color>''</color>\\ \\
-    - <color #4B4B4B>//Change the SAN alt name from ''<color #647D00>@alt_vpn2_user1</color>'' to match alt name set above//</color>
-      - <color #646464>**Line 511:** ''<color #647D00>subjectAltName = @alt_openvpn_//<username>//</color>''</color>
 </WRAP>
 </WRAP>
@@ Line 514: / Line 498: @@
 <color #508CAA>**Client Cert OpenSSL Commands**</color>
-  - <color #4B4B4B>**Generate VPN Client Certs**</color>\\ <code bash>openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username></code>
+  - **Generate VPN Client Certs**\\ <code bash>openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_vpn2_user1</code>
     * <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</color>\\ \\
-  - <color #4B4B4B>**Sign Cert with CA**</color>\\ <code bash>openssl x509 req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username></code>
+  - **Sign Cert with CA**\\ <code bash>openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_vpn2_user1</code>
-  - <color #4B4B4B>**Export to PKCS12**</color>\\ <code bash>openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</code>
+  - **Export to PKCS12**\\ <code bash>openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</code>
 </tabbox>
 </WRAP>
@@ Line 524: / Line 508: @@
 === Diffie-Hellman Key ===
-<WRAP 75em lo>
+<WRAP indent 75em lo>
-<wrap right button>[[https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography|EC Cryptography]]  [[https://wiki.openssl.org/index.php/Diffie_Hellman|Diifie-Hellman]]</wrap>
+<wrap right button>[[https://wiki.openssl.org/index.php/Diffie_Hellman|DH Wiki]]  [[https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography|EC Wiki]]</wrap>
 </WRAP>
-<WRAP 53.5em lo>
-  - <color #4B4B4B>**Generate DH Key**</color> <sup><color #646464>(executed from</color> ''<color #C86400>/etc/ssl/</color>''<color #646464>)</color></sup>\\ <code bash>openssl dhparam -out openvpn/dh2048.pem 2048</code>
+<WRAP 51.5em lo>
-    * <color #4B4B4B>**Generating DH keys takes substantial amounts of time**</color>\\ \\
-    * <color #4B4B4B>**You may wish to generate 3072bit and 4096bit DH keys as well**</color>
+  - **Generate DH Key** <sup><color #646464>(executed from ''<color #C86400>/etc/ssl/</color>'')</color></sup>\\ <code bash>openssl dhparam -out openvpn/dh2048.pem 2048</code>
-      * <color #646464>Generating multiple DH keys at once takes substantially less time due to the rand file</color>\\ \\
+    * **Generating DH keys takes substantial amounts of time**\\ \\
-    * <color #4B4B4B>**OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4**</color>
+    * **You may wish to generate 3072bit and 4096bit DH keys as well**
-      * <color #646464>For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key</color>
+      * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\
-        * <color #646464>For example, if you generate 2048bit cert keys, your dh.pem must exceed that value</color>
+    * **OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4**
+      * For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key
+        * For example, if you generate 2048bit cert keys, your dh.pem must exceed that value
 </WRAP>
@@ Line 541: / Line 526: @@
 === TLS-Auth Key ===
-<WRAP 53.5em lo>
+<WRAP 51.5em lo>
-  - <color #4B4B4B>**Generate TLS-Auth key**</color> <sup><color #646464>(executed from</color> ''<color #C86400>/etc/ssl/</color>''<color #646464>)</color></sup>\\ <code bash>openvpn --genkey --secret openvpn/ta.key</code>
+  - **Generate TLS-Auth key** <sup>(<color #646464>executed from</color> ''<color #C86400>/etc/ssl/</color>'')</sup>\\ <code bash>openvpn --genkey --secret openvpn/tls-auth.key</code>
-    * <color #4B4B4B>**This ensures PFS**</color> <color #646464>[Perfect Forward Secrecy]</color> <color #4B4B4B>**is maintained when utilizing a SSL cipher**</color>\\ \\
+    * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\
-    * <color #4B4B4B>''tls-auth'' **requires a static pre-shared key**</color> <color #646464>[PSK]</color><color #4B4B4B>**, generated in advance, and shared among all clients**</color>
+    * ''tls-auth'' requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients
-      * <color #646464>This requires incoming packets to have a valid signature generated using the PSK key</color>
+      * This requires incoming packets to have a valid signature generated using the PSK key
-        * <color #646464>If key is changed, it must be changed on all clients at the same time (no support for rollover)</color>\\ \\
+        * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\
 </WRAP>
@@ Line 556: / Line 541: @@
 <WRAP 76.5em lo>
-<wrap safety>GnuPG is a great tool to manage CAs and client certificates</wrap>  <wrap right button>[[https://www.gnupg.org/|GnuPG]]</wrap>
+<WRAP centeralign><wrap safety>GnuPG is a great tool to manage CAs and client certificates</wrap>  <wrap right button>[[https://www.gnupg.org/|GnuPG]]</wrap></WRAP>
 <tabbox Backup>
+<wrap right>''<color #C86400>/etc/sysupgrade.conf</color>''</wrap>
 <color #508CAA>**Backup**</color>
 <WRAP indent>
-<color #4B4B4B>**Create a backup:**</color>
+**Create a backup:**
-  - <color #4B4B4B>Apply correct permissions:</color>\\ <code bash>
+  - **Apply correct permissions:**\\ <code bash>
 chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl</code>
-  - <color #4B4B4B>It's recommend to utilize GnuPG to encrypt a copy of the CAs & ICAs and their keys</color>
+  - **Utilize GnuPG to encrypt a copy of** ''<color #C86400>/etc/ssl/</color>''
-    - <color #646464>After creating an encrypted backup, and copying keys/P12s to their respective clients, securely erase them, overwriting the freespace</color>\\ \\
+    - **Create separate encryption tars for:**
-  - <color #4B4B4B>To ensure the //OpenVPN// & //SSL// directories are included in //sysupgrade// backups</color>
+      * ''<color #C86400>/etc/ssl/ca/</color>''
+      * ''<color #C86400>/etc/ssl/openvpn/</color>''
+      * ''<color #C86400>/etc/ssl/openvpn/clients/</color>''\\ \\
+    - **After creating encrypted backups:**
+      - Copy p12s to their respective clients
+      - Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x\\ \\
+  - **Add directories & files to** ''<color #C86400>/etc/sysupgrade.conf</color>''
     - //''<color #647D00>vi /etc/sysupgrade.conf</color>''//
       - <color #789600>**//Add://**</color>
@@ Line 596: / Line 588: @@
 <WRAP indent>
-<color #4B4B4B>**If utilizing Linux/BSD:**</color>
+**If utilizing Linux/BSD:**
-  * <color #4B4B4B>Due to the sheer number of distros, and differing means of handling certificate authorities, please google:</color>
+  * Due to the sheer number of distros, and differing means of handling certificate authorities, please google:
-    - <color #646464>//<your distro name>// install certificate authority</color>
+    - //<your distro name>// install certificate authority
-    - <color #646464>//<your distro name>// install intermediate certificate authority</color>
+    - //<your distro name>// install intermediate certificate authority
 </WRAP>
@@ Line 608: / Line 600: @@
 <WRAP indent>
-<color #4B4B4B>**If utilizing Windows:**</color>
+**If utilizing Windows:**
-    - <color #4B4B4B>**Download**</color> <color #C86400>PEM Association.reg</color><color #4B4B4B>**, then import into registry**</color> <sup><color #646464>(//Right Click// -> //Merge//)</color></sup>
+    - **Download** <color #C86400>PEM Association.reg</color>**, then import into registry** <sup><color #646464>(//Right Click// -> //Merge//)</color></sup>
-      * <color #646464>//This causes Windows to associate the .pem extension as a valid certificate extension//</color>\\ \\
+      * //This causes Windows to associate the .pem extension as a valid certificate extension//\\ \\
-    - <color #4B4B4B>**Add your CA cert to the //Trusted Root Certification Authorities//**</color> <sup><color #646464>(user must have //Administrator// privileges)</color></sup>
+    - **Add your CA cert to the //Trusted Root Certification Authorities//** <sup><color #646464>(user must have //Administrator// privileges)</color></sup>
-      - <color #646464>//Right click on//</color> <color #C86400>OpenWrt-CA.crt.pem</color>:
+      - //Right click on// <color #C86400>OpenWrt-CA.crt.pem</color>:
         - <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Trusted Root Certification Authorities//**</color>\\ \\
-    - <color #4B4B4B>**Add your ICA cert to the //Intermediate Certification Authorities//**</color> <sup><color #646464>(user must have //Administrator// privileges)</color></sup>
+    - **Add your ICA cert to the //Intermediate Certification Authorities//** <sup><color #646464>(user must have //Administrator// privileges)</color></sup>
-      - <color #646464>//Right click on//</color> <color #C86400>OpenVPN-ICA.crt.pem</color>:
+      - //Right click on// <color #C86400>OpenVPN-ICA.crt.pem</color>:
         - <color #7D7D7D>**//Install Certificate//** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//Browse//** -> **//Intermediate Certification Authorities//**</color>
 </WRAP>
@@ Line 628: / Line 620: @@
 <WRAP indent>
+<WRAP 76.5em lo>
+<wrap right button>[[doc:uci:network|Network Wiki]]</wrap>
+</WRAP>
@@ Line 634: / Line 630: @@
 <WRAP 60em lo>
-  - <color #4B4B4B>**Create VPN interface**</color>\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</code>
+  - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</code>
-    - <color #4B4B4B>You can replace</color> ''<color #647800>//network.//</color><color #007DC8>vpn0</color>'' <color #4B4B4B>with</color> ''<color #647800>//network.//</color><color #007DC8><name></color>''
+    - You can replace ''<color #647800>//network.//</color><color #007DC8>vpn0</color>'' with ''<color #647800>//network.//</color><color #007DC8><name></color>''
-      - <color #646464>If you choose to do so, ''<color #647800>//network=//</color><color #007DC8>vpn0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#zone_creation|Zone Creation]]</color>\\ \\
+      - If you choose to do so, ''<color #007DC8>vpn</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules|Firewall Rules]]\\ \\
-    - <color #646464>You can replace ''<color #647800>//ifname=//</color><color #007DC8>tun0</color>'' with ''<color #647800>//ifname=//</color><color #007DC8><name></color>''</color>
+    - You can replace ''<color #647800>//ifname=//</color><color #007DC8>tun0</color>'' with ''<color #647800>//ifname=//</color><color #007DC8><name></color>''
-      - <color #646464>If you choose to do so, ''<color #647800>//option dev//</color> <color #007DC8>tun0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#config|VPN Server Config]]</color>\\ \\
+      - If you choose to do so, ''<color #647800>//option dev//</color> <color #007DC8>tun0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#config|VPN Server Config]]\\ \\
-  - <color #4B4B4B>**Commit changes**</color>\\  <code cpp>uci commit network ; /etc/init.d/network reload</code>
+  - **Commit changes**\\  <code cpp>uci commit network ; /etc/init.d/network reload</code>
 </WRAP>
@@ Line 646: / Line 642: @@
 ==== Configure DDNS ====
-<WRAP 75em lo>
+<WRAP 76.5em lo>
+<wrap right button>[[doc:howto:ddns.client|DDNS Wiki]]</wrap>
-  - <color #4B4B4B>**A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs**</color>
+<wrap indent>**//Applies to connections from WAN//**</wrap>
-    - <color #646464>DDNS:</color>
+  - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs**
-      * <color #646464>**D**ynamic **D**omain **N**ame **S**ystem providers provide the user with a dynamically updated DNS name for their public IP</color>
+    - DDNS:
-    - <color #646464>FQDN</color>
+      * **D**ynamic **D**omain **N**ame **S**ervice providers provide the user with a dynamically updated DNS name for their public IP
-      * <color #646464>**F**ully **Q**ualified **D**omain **N**ame is a URL <sup>(google.com is a FQDN)</sup></color>
+      * Purchasing occurs as a service subscription fee from DDNS providers
-        * <color #646464>Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup>(//Internet Assigned Numbers Authority//)</sup></color>\\ \\
+    - FQDN
-  - <color #4B4B4B>**Most users will likely configure DDNS**</color>
+      * **F**ully **Q**ualified **D**omain **N**ame is a URL <sup><color #646464>(google.com is a FQDN)</color></sup>
-    * <color #646464>See the [[doc:howto:ddns.client|DDNS Clients]] wiki on how to configure</color>
+      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup><color #646464>(//Internet Assigned Numbers Authority//)</color></sup>\\ \\
+  - **Most users will likely configure DDNS**
+    * See the [[doc:howto:ddns.client|DDNS Clients]] wiki
 </WRAP>
@@ Line 665: / Line 664: @@
 <WRAP indent>
-==== Zone Creation ====
 <WRAP 76.5em lo>
+<wrap right button>[[doc:uci:firewall|Firewall Wiki]]</wrap>
-  - <color #4B4B4B>**Configure default firewall rules**</color>\\ <code bash>
-uci add firewall zone ; uci set firewall.@zone[-1].name=vpn ; uci set firewall.@zone[-1].input=ACCEPT ; uci set firewall.@zone[-1].forward=ACCEPT ; uci set firewall.@zone[-1].output=ACCEPT ; uci set firewall.@zone[-1].network=vpn0</code>
-    - <color #646464>You can replace ''<color #647800>//name=//</color><color #007DC8>vpn</color>'' with ''<color #647800>//name=//</color><color #007DC8><name></color>''</color>
-      - <color #646464>If you choose to do so, ''<color #647800>//src=//</color><color #007DC8>vpn</color>'' will need to be updated accordingly</color>\\ \\
-  - <color #4B4B4B>**Configure default firewall forwarding**</color>\\ <code>uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='vpn' ; uci set firewall.@forwarding[-1].dest='lan' ; uci add firewall forwarding ; uci set firewall.@forwarding[-1].src='lan' ; uci set firewall.@forwarding[-1].dest='vpn'</code>
 </WRAP>
@@ Line 683: / Line 673: @@
 <WRAP 76.5em lo>
-<wrap danger>A non-standard port (**//not//** //1194//) should be utilized for the VPN</wrap>
+<WRAP centeralign><wrap danger>A non-standard port (**//not//** //1194//) should be utilized for the VPN</wrap></WRAP>
 <tabbox Information>
+<wrap right>''<color #C86400>/etc/config/firewall</color>''</wrap>
 <color #508CAA>**Firewall Info**</color>
-  - <color #4B4B4B>**VPN traffic rules should be placed in the following order, below** '' <color #647800>option path /etc/firewall.user</color> '' **and any redirect rules**</color>
+  - **Traffic rules should be placed in the following order**
-    - <color #646464>InterZone Forwarding Rules</color>
+    - Firewall.User Script
-    - <color #646464>VPN Traffic Rules </color>\\ \\
+    - Redirect Rules
-  - <color #4B4B4B>**Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes**</color>
+    - Router Network Default
-    - <color #646464>Allowing both prevents having to edit the firewall every time troubleshooting is needed</color>\\ \\
+    - VPN Network Default
-  - <color #4B4B4B>**SSL VPNs should always use UDP**</color>
+    - VPN InterZone Forwarding
-    - <color #646464>//Except under the following two scenarios//</color>
+    - VPN Traffic Rules\\ \\
-      - <color #646464>When troubleshooting\\ **OR**</color>
+  - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes**
-      - <color #646464>When packet loss is high</color>\\ \\
+    - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\
-  - <color #4B4B4B>**A port >1025 but <10000 should be utilized for the VPN**</color>
+  - **SSL VPNs should always use UDP**
-    - <color #646464>If using a custom port, update [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server]] & [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Client]] configs accordingly</color>
+    - //Except under the following two scenarios//
+      - When troubleshooting\\ **OR**
+      - When packet loss is high\\ \\
+  - **A port >1025 but <10000 should be utilized for the VPN**
+    - If using a custom port, update [[:doc:howto:openvpn-streamlined-server-setup#vpn_server|VPN Server]] & [[:doc:howto:openvpn-streamlined-server-setup#clients|VPN Client]] configs accordingly
+      - If needing to bypass a strict firewall in front of the router, utilize port 443 <sup>[HTTPS]</sup>
@@ Line 706: / Line 702: @@
 <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</color>
+**The following rules are required:**
   - //''<color #647D00>vi /etc/config/firewall</color>''//\\ \\ <code cpp>
 #::: Traffic Rules :::#
@@ Line 721: / Line 717: @@
     option  path            '/etc/firewall.user'
-# Default OpenWRT Rule #
+# Default OpenWrt Rule #
 config defaults
     option  input           'ACCEPT'
@@ Line 733: / Line 729: @@
 #------------------------------------------------
 # LuCI: From any host in any zone To any router
-# IP at port 1194 on this device (Accept Input)
+# IP at port 5000 on this device (Accept Input)
 config rule
     option  target          'ACCEPT'
@@ Line 739: / Line 735: @@
     option  proto           'tcp udp'
     option  src             '*'
-    option  dest_port       1194
+    option  dest_port       5000
     option  name            'Allow Forwarded VPN Request -> <device>'
 # Once Assigned VPN IP, Allow Inbound -> LAN #
 #------------------------------------------------
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP
+# LuCI: From IP range 10.1.0.0/28 in any zone To IP
-# range 192.168.1.0/24 on this device (Accept Input)
+# range 192.168.1.0/28 on this device (Accept Input)
 config rule
     option  target          'ACCEPT'
@@ Line 751: / Line 747: @@
     option  proto           'tcp udp'
     option  src             '*'
-    option  src_ip          '10.1.1.0/24'
+    option  src_ip          '10.1.0.0/28'
     option  dest_ip         '192.168.1.0/26'
     option  name            'Allow VPN0 -> LAN'
@@ Line 757: / Line 753: @@
 # Once Assigned VPN IP, Allow Forwarded -> LAN #
 #------------------------------------------------
-# LuCI: From IP range 10.1.1.0/24 in any zone To IP
+# LuCI: From IP range 10.1.0.0/28 in any zone To IP
-# range 192.168.1.0/24  on this device (Accept Forward)
+# range 192.168.1.0/28  on this device (Accept Forward)
 config rule
     option  target          'ACCEPT'
@@ Line 764: / Line 760: @@
     option  family          'ipv4'
     option  src             '*'
-    option  src_ip          '10.1.1.0/24'
+    option  src_ip          '10.1.0.0/28'
     option  dest            '*'
     option  dest_ip         '192.168.1.0/26'
@@ Line 771: / Line 767: @@
 # Allow Outbound ICMP Traffic from VPN #
 #------------------------------------------------
-# LuCI: ICMP From IP range 10.1.1.0/24 in any
+# LuCI: ICMP From IP range 10.1.0.0/28 in any
 # zone To any host in lan (Accept Forward)
 config rule
@@ Line 777: / Line 773: @@
     option  proto           'icmp'
     option  src             '*'
-    option  src_ip          '10.1.1.0/24'
+    option  src_ip          '10.1.0.0/28'
     option  dest            'lan'
     option  name            'Allow VPN0 (ICMP) -> LAN'
@@ Line 784: / Line 780: @@
 #------------------------------------------------
 # LuCI: ICMP with type echo-request From IP range
-# 10.1.1.0/24 in any zone To any host in wan (Accept Forward)
+# 10.1.0.0/28 in any zone To any host in wan (Accept Forward)
 config rule
     option  target          'ACCEPT'
@@ Line 790: / Line 786: @@
     list    icmp_type       'echo-request'
     option  src             '*'
-    option  src_ip          '10.1.1.0/24'
+    option  src_ip          '10.1.0.0/28'
     option  dest            'wan'
     option  name            'Allow VPN0 (ICMP 8) -> <device> '
@@ Line 847: / Line 843: @@
 </code>\\
-  - <color #4B4B4B>**Commit changes**</color>\\ <code cpp>uci commit firewall ; /etc/init.d/firewall restart</code>
+  - **Commit changes**\\ <code cpp>/etc/init.d/firewall restart</code>
 </WRAP>
 <tabbox Logging>
-<wrap right>''<color #C86400>/etc/firewall.user</color>''</wrap>
 <color #508CAA>**firewall.user Script**</color>
+<wrap right button>[[doc:howto:log.messages#netfilter|Netfilter Log]]</wrap>\\ \\
+<wrap right>''<color #C86400>/etc/firewall.user</color>''</wrap>
 <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</color>
+**The following rules are required:**
   - //''<color #647D00>vi /etc/firewall.user</color>''//\\ \\ <code cpp>
 #::: Traffic Rules :::#
@@ Line 862: / Line 860: @@
   # These rules make the assumption the default port of 1194 is not used for the VPN
+    # Port 5000 is being used arbitrarily for the VPN port
-  # Port 5000 is being used arbitrarily for the VPN port
     # Establish Custom Zones #
 #---------------------------------------------------
-iptables        -N  DROP-Brute
+iptables    -N  LOG-VPN
-iptables        -N  LOG-VPN
+iptables    -N  Rate_Limit
-iptables        -N  Rate_Limit
-    # Log All Dropped #
-#---------------------------------------------------
-iptables        -A  DROP-Brute              -j  LOG     --log-prefix    "<[[--- BRUTE DROPPED ---]]> : "        --log-level 4
-iptables        -A  DROP-Brute              -j  DROP
     # Establish Rate Limit #
 #---------------------------------------------------
-iptables        -A  Rate_Limit  -p  tcp     --dport     1194    -m  limit   --limit 1/min   --limit-burst   1   -j  DROP-Brute
+iptables    -A  Rate_Limit  -p  tcp     --dport     5000                                -j  LOG-VPN
-iptables        -A  Rate_Limit  -p  udp     --dport     1194    -m  limit   --limit 1/min   --limit-burst   1   -j  DROP-Brute
+iptables    -A  Rate_Limit  -p  udp     --dport     5000                                -j  LOG-VPN
-iptables        -A  Rate_Limit  -p  tcp     --dport     5000                                                    -j  LOG-VPN
+iptables    -A  Rate_Limit  -p  tcp                                                     -j  REJECT      --reject-with   tcp-reset
-iptables        -A  Rate_Limit  -p  udp     --dport     5000                                                    -j  LOG-VPN
+iptables    -A  Rate_Limit  -p  udp                                                     -j  REJECT      --reject-with   icmp-port-unreachable
-iptables        -A  Rate_Limit  -p  tcp                                                                         -j  REJECT      --reject-with   tcp-reset
+iptables    -A  Rate_Limit  !   -p      ICMP                                            -j  LOG         --log-prefix    "<[[--- Connection DROPPED ---]]>: "
-iptables        -A  Rate_Limit  -p  udp                                                                         -j  REJECT      --reject-with   icmp-port-unreachable
+iptables    -A  Rate_Limit                                                              -j  DROP
-iptables        -A  Rate_Limit  !   -p      ICMP                                                                -j  LOG         --log-prefix    "<[[--- Connection DROPPED ---]]>: "
-iptables        -A  Rate_Limit                                                                                  -j  DROP
     # Apply Rate Limit #
 #---------------------------------------------------
-iptables    -w  -I  INPUT       -p  tcp     --dport     1194    -m  state   --state NEW -m  recent  --set
+iptables    -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
-iptables    -w  -I  INPUT       -p  tcp     --dport     1194    -m  state   --state NEW             --update    --seconds   60  --hitcount  1   -j  Rate_Limit
+iptables    -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
-iptables    -w  -I  INPUT       -p  udp     --dport     1194    -m  state   --state NEW -m  recent  --set
-iptables    -w  -I  INPUT       -p  udp     --dport     1194    -m  state   --state NEW             --update    --seconds   60  --hitcount  1   -j  Rate_Limit
-iptables        -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW                                                         -j  Rate_Limit
-iptables        -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW                                                         -j  Rate_Limit
-    # Check for bans in Rate_Limit #
-#---------------------------------------------------
-iptables    -w  -A  INPUT       -p  tcp     --dport     1194    -j  Rate_Limit
     # Log VPN Traffic #
 #---------------------------------------------------
-iptables        -A  LOG-VPN                                     -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
+iptables    -A  LOG-VPN                                                                 -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
-iptables        -A  LOG-VPN                                     -j  ACCEPT
+iptables    -A  LOG-VPN                                                                 -j  ACCEPT
 </code>\\
-  - <color #4B4B4B>**Commit changes**</color>\\ <code cpp>/etc/init.d/firewall restart</code>
+  - **Commit changes**\\ <code cpp>/etc/init.d/firewall restart</code>
-  - <color #646464>**Please also see:**</color>
+  - **Please also see:**
     * [[doc:howto:log.essentials|Log Essentials]]
     * [[doc:howto:log.overview|Logging Servers]]
@@ Line 924: / Line 905: @@
 <WRAP indent>
+<WRAP 76.5em lo>
+<wrap right button>[[doc:howto:vpn.overview|VPN Overview]]</wrap>
+</WRAP>
@@ Line 929: / Line 913: @@
 <WRAP 76.5em lo>
-<wrap warning><color #FFFFFF>It's //strongly encouraged// to read through the OpenVPN HowTo & Man Page</color></wrap>
+<WRAP centeralign><wrap warning><color #FFFFFF>It's //strongly encouraged// to read through the OpenVPN HowTo & Man Page</color></wrap></WRAP>
 <tabbox Information>
+<wrap right>''<color #C86400>/etc/config/openvpn</color>''</wrap>
 <color #508CAA>**OpenVPN Information**</color>
-  * <color #4B4B4B>**This specific configuration has been designed to give the best performance possible, via** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|MTU & Buffer]] **Tuning recommendations**</color>
+  * **This specific configuration has been designed to give the best performance possible, via** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|MTU & Buffer]] **Tuning recommendations**
-    * <color #646464>DNS primary & secondary are [[https://developers.google.com/speed/public-dns/docs/using|Google's]]</color>
+    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?url=familyshield|OpenDNS']]
-    * <color #646464>NTP is garnished from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice</color>
+    * NTP is garnished from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice
-      * <color #646464>NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds</color>\\ \\
+      * NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\
-  * <color #4B4B4B>**//CCD directives// (under //Client Config//) are commented out, as one will need to read the** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN HowTo]] **to understand how it's used**</color>
+  * **//CCD directives// (under //Client Config//) are commented out, as one will need to read the** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN HowTo]] **to understand how it's used**
-      * <color #646464>CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used</color>\\ \\
+      * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\
-  * <color #4B4B4B>**Two or more servers can be run from this config file**</color>
+  * **Two or more servers can be run from this config file**
-    * <color #646464>To add additional servers, copy & paste first config directly below itself, with a blank line separating the two</color>\\ \\
+    * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\
-  * <color #4B4B4B>**The OpenVPN** [[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**</color>
+  * **The OpenVPN** [[:doc:howto:openvpn-streamlined-server-setup#openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** \\ \\
+  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''[EC]'' **support**
+    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load
+    * OpenVPN on OpenWrt only supports a //maximum of 256 characters// for '' <color #647D00>option  tls_cipher</color>''
+      * Ciphers are listed in a hierarchical, chronological order of most secure & efficient to least efficient
+      * Disabled ciphers are specified at the end with an **''<color #960000>!</color>''** in front of the cipher\\ \\
+  * **Ciphers must match the capabilities of the server & clients**
+    * Available TLS ciphers: '' <color #647D00>openssl --show-tls</color> '' or '' <color #647D00>openssl ciphers -V | grep TLS</color>''
+    * Available SSL ciphers: '' <color #647D00>openssl ciphers -V | grep SSL</color>''
+      * For Windows client: '' <color #647D00>openssl ciphers -V | findstr /R SSL</color>''
@@ Line 949: / Line 943: @@
 <color #508CAA>**OpenVPN Server Config**</color>
-  - <color #4B4B4B>**Create config:**</color>\\ <code cpp>echo > /etc/config/openvpn ; vi /etc/config/openvpn</code>
+  - **Create config:**\\ <code cpp>echo > /etc/config/openvpn ; vi /etc/config/openvpn</code>
-    - <color #646464>**Paste the following & edit accordingly**</color>\\ \\ <code cpp>
+    - **Paste the following & edit accordingly**\\ \\ <code cpp>
 config openvpn 'VPNserver'
     option  enabled             1
@@ Line 962: / Line 954: @@
     option  topology            'subnet'
     option  proto               'udp'
-    option  port                1194
+    option  port                5000
     # Routes #
@@ Line 980: / Line 972: @@
     list    push                'dhcp-option    DNS 192.168.1.1'
     list    push                'dhcp-option    WINS 192.168.1.1'
-    list    push                'dhcp-option    DNS 8.8.8.8'
+    list    push                'dhcp-option    DNS 208.67.222.123'
-    list    push                'dhcp-option    DNS 8.8.4.4'
+    list    push                'dhcp-option    DNS 208.67.220.123'
     list    push                'dhcp-option    NTP 129.6.15.30'
@@ Line 995: / Line 987: @@
     option  cipher              AES-256-CBC
     option  auth                'SHA512'
-    option  tls_auth            '/etc/ssl/openvpn/ta.key 0'
+    option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
     # TLS:
     option  tls_server          1
     option  tls_version_min     1.2
-    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'
+    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
-    option  remote-cert-eku     'TLS Web Client Authentication'
     # Logging #
@@ Line 1007: / Line 998: @@
     option  log_append          '/tmp/openvpn.log'
     option  status              '/tmp/openvpn-status.log'
-    option  verb                7
+    option  verb                4
     # Connection Options #
@@ Line 1045: / Line 1036: @@
     # chroot would be ~11MB in size.
-    # Modify if chroot is configured #
+        # Modify if chroot is configured #
     #--------------------------------------------
         # option  ccd_exclusive             1
@@ Line 1054: / Line 1045: @@
         # option  dh                        /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
         # option  pkcs12                    /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
-        # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0'
+        # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0'
 </code>
-  - <color #4B4B4B>**Commit changes**</color>\\
+  - **Commit changes**\\ <code bash>/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log</code>
-<code bash>/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log</code>
+<tabbox CCD>
+<wrap right>''<color #C86400>/etc/openvpn/clients</color>''</wrap>
+<color #508CAA>**OpenVPN Server CCD Config**</color>
+  - **Enable CCD within Server config:**
+    - //''<color #647D00>vi /etc/config/openvpn</color>''// \\ <code cpp>
+   option  ccd_exclusive           1
+   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
+   option  client_config_dir       '/etc/openvpn/clients/'
+</code>
+      * ''<color #647D00>ccd_exclusive</color>'': enables CCD
+      * ''<color #647D00>client_config_dir</color>'': Directory housing CCD client files
+      * ''<color #647D00>ifconfig_pool_persist</color>'': File containing common names from client files, followed by static IP for device\\ \\
+  - **Configure CCD files**
+    - For each VPN client, a file must be created which exactly mirrors the common name of each client cert
+      - File should contain an ''ifconfig'' command pushing a static IP to the client
+        - Client Certificate CN: ''<color #647D00>John Doe (OpenWrt VPNserver Client)</color>''
+          - Client File: ''<color #C86400>/etc/openvpn/clients/John Doe (OpenWrt VPNserver Client)</color>''
+            - File Output: ''//<color #647D00>ifconfig-push 10.1.0.6 255.255.255.240</color>//''\\ \\
+  - **Configure IPP file**
+    - One per line, each VPN client's CN needs to be specified, followed by their static IP
+      - IPP File: ''<color #C86400>/etc/openvpn/clients/ipp.txt</color>''
+        - File Output: ''<color #647D00>John Doe (OpenWrt VPNserver Client),10.1.0.6</color>''\\ \\
+  - **Start/Restart OpenVPN**
+    - Connect with each client to test\\ <code bash>/etc/init.d/openvpn stop ; /etc/init.d/openvpn start ; tail -f /tmp/openvpn.log</code>
 </tabbox>
 </WRAP>
@@ Line 1075: / Line 1093: @@
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
@@ Line 1109: / Line 1127: @@
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
@@ Line 1131: / Line 1149: @@
 Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
 Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
-Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='vpn-client2-foobar2-device1,10.1.0.6', TODO: IPv6
+Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
 Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
 Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
 Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
-Thu Oct 20 13:35:30 2016 us=715331 vpn-client2-foobar2-device1,10.1.0.6
+Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
 Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
 Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed
@@ Line 1149: / Line 1167: @@
 <WRAP 76.5em lo>
-<wrap warning><color #FFFFFF>Server's TLS-Auth key goes within the inline XML space</color></wrap>
+<WRAP centeralign><wrap warning><color #FFFFFF>Server's TLS-Auth key goes within the inline XML space</color></wrap></WRAP>
 </WRAP>
@@ Line 1157: / Line 1175: @@
 ==== Android ====
-<WRAP 76.5em lo>
+<WRAP indent 76.5em lo>
 <tabbox Information>
-<wrap right button>[[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]]  [[https://github.com/JW0914/Wikis/blob/master/OpenVPN/Documentation/Android%20Certificate%20Toast%20Removal.pdf|Toast Removal]]</wrap>
+<wrap right button>[[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]]</wrap>
 <color #508CAA>**Android Client Information**</color>
-  * <color #4B4B4B>**//OpenVPN for Android// is the best app for VPNs on Android**</color>\\ \\
+<WRAP centeralign><color #960000>**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //imperative//, for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:howto:openvpn-streamlined-server-setup#client_certs|Client Certs]]</color></WRAP>
-  * <color #4B4B4B>**PKCS12 certs are installed into the //Android Keychain//**</color>
-    * <color #646464>As a security feature, a warning toast will always appear in the notification area due to user installed certs</color>
+  * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\
-      * <color #646464>This toast can be removed if you have a rooted device by following Toast Removal tutorial</color>
+  * **PKCS12 certs are installed into the //Android Keychain//**
-    * <color #646464>Another option is to include all certs & keys via inline XML within the client config file</color>\\ \\
+    * As a security feature, a warning toast will always appear in the notification area due to user installed certs
-  * <color #4B4B4B>**If you choose to reference the ''//ta.key//'', instead of utilizing inline XML**</color>
+      * This toast can be removed if you have a rooted device by following Toast Removal tutorial \\ \\
+    * Another option is to include all certs & keys via inline XML within the client config file
+      * //Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\
+  * **If you choose to reference the ''//tlsauth.key//'', instead of utilizing inline XML**
     - <color #960000>**//Remove://**</color>\\ <code cpp>
+    # Encryption #
+#------------------------------------------------
 key-direction 1
 <tls-auth>
 -----BEGIN OpenVPN Static key V1-----
@@ Line 1177: / Line 1201: @@
 </tls-auth></code>
     - <color #789600>**//Add://**</color>\\ <code cpp>
-tls-auth   /path/to/ta.key 1
+    # Encryption #
-</code>
+#------------------------------------------------
-  * <color #4B4B4B>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</color>
+tls-auth    '/path/to/tlsauth.key' 1</code>
-    * <color #646464>If your device is affected, you will need to reference your individual certs in your Server Config</color>
+  * <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</color>
-      - <color #960000>**//Remove://**</color>\\ <code cpp>
+    * If your device is affected, you will need to reference your individual certs in your Server Config
- # Encryption #
-pkcs12     '/sdcard/openvpn/vpn-client1.p12'</code>
       - <color #789600>**//Add://**</color>\\ <code cpp>
- # Encryption #
+    # Encryption #
-ca         '/sdcard/openvpn/OpenWRT-OpenVPN_CA-Chain.crt.pem'
+#------------------------------------------------
-cert       '/sdcard/openvpn/keys/vpn-client1.crt.pem'
+ca      '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
-key        '/sdcard/openvpn/keys/vpn-client1.key.pem'</code>
+cert    '/sdcard/openvpn/vpn-client1.crt.pem'
-    * <wrap danger>For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure</wrap>
+key     '/sdcard/openvpn/vpn-client1.key.pem'</code>
-      * <color #AF0000>It is //crucial// to the security of the VPN to ensure the certificate key is encrypted as specified under [[doc:howto:openvpn-streamlined-server-setup#client_certs|Client Certs]]</color>
 <tabbox Config>
@@ Line 1198: / Line 1218: @@
 <code cpp>
-# Config Type #
+    # Config Type #
 #------------------------------------------------
 client
-# Connection  #
+    # Connection  #
 #------------------------------------------------
 dev tun
 proto udp
-remote your.ddns.com 1194
+remote your.ddns.com 5000
-# Speed #
+    # Speed #
 #------------------------------------------------
+mssfix 0
 fragment 0
-mssfix 0
 tun-mtu 48000
-# Reliability #
+    # Reliability #
 #------------------------------------------------
-comp-lzo
 float
 nobind
+comp-lzo
 persist-key
 persist-tun
 resolv-retry infinite
-# Encryption #
+    # Encryption #
 #------------------------------------------------
+auth SHA512
 auth-nocache
+# --- SSL --- #
 cipher AES-256-CBC
-remote-cert-eku "TLS Web Server Authentication"
+# --- TLS --- #
+key-direction 1
+tls-version-min 1.2
+remote-cert-eku 'TLS Web Server Authentication'
 <tls-auth>
@@ Line 1235: / Line 1264: @@
 </tls-auth>
-key-direction 1
+    # Logging #
-# Logging #
 #------------------------------------------------
 verb 5
 </code>
+<tabbox Inline XML>
+<color #508CAA>**Referencing certs via Inline XML**</color>
+  - <color #960000>**//Remove://**</color>\\ <code cpp>
+    # Encryption #
+#------------------------------------------------
+ca        '/sdcard/openvpn/OpenWrt-OpenVPN_ICA-Chain.crt.pem'
+cert      '/sdcard/openvpn/vpn-client1.crt.pem'
+key       '/sdcard/openvpn/vpn-client1.key.pem'
+tls-auth  '/path/to/tlsauth.key' 1</code>
+  - <color #789600>**//Add://**</color>\\ <code cpp>
+    # Encryption #
+#------------------------------------------------
+# --- TLS --- #
+key-direction 1
+<ca>
+#PASTE-CA-CERT-INLINE-HERE#
+</ca>
+<cert>
+#PASTE-VPN-SERVER-CERT-INLINE-HERE#
+</cert>
+<key>
+#PASTE-VPN-SERVER-KEY-INLINE-HERE#
+</key>
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+#PASTE-KEY-INLINE-HERE#
+-----END OpenVPN Static key V1-----
+</tls-auth></code>
+<tabbox Toast Removal>
+<wrap right button>[[http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets|CAcert Wiki]]  [[https://github.com/JW0914/Wikis/blob/master/OpenVPN/Documentation/Android%20Certificate%20Toast%20Removal.pdf|PDF]]</wrap>
+<color #508CAA>**Certificate Warning Toast Removal**</color>
+<wrap indent>If ''<color #C86400>/system/etc/security/cacerts.bks</color>'' exists on your device, refer to CAcert wiki, then continue</wrap>
+  - <color #789600>**Method 1:**</color>
+    - **Add certificate to Android Keychain**
+      - **//Settings// –> //Security// –> //Install from Storage//**\\ \\
+    - **Move certificate from userland to system trusted**
+      - **Android < 5.0:**
+        - Move new file
+          - <color #960000>**From:**</color> '' <color #C86400>/data/misc/keychain/cacertsadded/</color>''
+          - <color #789600>**To:**</color> '' <color #C86400>/system/etc/security/cacerts/</color>''\\ \\
+      - **Android > 5.0:**
+        - Move new file
+          - <color #960000>**From:**</color> '' <color #C86400>/data/misc/user/0/cacerts-added/</color>''
+          - <color #789600>**To:**</color> '' <color #C86400>/system/etc/security/cacerts/</color>''\\ \\
+  - <color #789600>**Method 2:**</color>
+    - **Save certificate with** ''.pem'' **extension**\\ \\
+    - **Garnish subject of certificate:**
+      - ''//<color #647D00>openssl x509 -inform PEM -subject_hash -in 0b112a89.0</color>//''
+        - Should be similar to: <color #647D00>0b112a89</color>\\ \\
+    - **Save certificate as text:**
+      - ''//<color #647D00>openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</color>//''\\ \\
+    - **Swap PEM section and text:**
+      - ''<color #647D00>//-----BEGIN CERTIFICATE-----//</color>'' must be at top of file\\ \\
+    - **Rename file:** ''<color #647D00>0b112a89.0</color>''
+      - Replace with subject from //step b//\\ \\
+    - **Copy file to:** ''<color #C86400>/system/etc/security/cacerts/</color>''\\ \\
+    - **Set permissions:**
+      - ''//<color #647D00>chmod 644 0b112a89.0</color>//''\\ \\
+    - **Certificate should be listed under:**
+      - **//Settings// –> //Security// –> //Trusted Credentials// - //System//**
+        - If it's still under **//User//**:
+          - Disable/Re-Enable certificate in Android Settings
+            - This creates a file in ''<color #C86400>/data/misc/keychain/cacertsadded/</color>''
+          - Move that file to ''<color #C86400>/system/etc/security/cacerts/</color>''
+          - Delete original file from //step f//
 </tabbox>
 </WRAP>
-==== BSD ====
+==== BSD/Linux ====
-<WRAP 76.5em lo>
+<WRAP indent 76.5em lo>
-<wrap right>''<color #C86400>VPNserver-BSD.ovpn</color>''</wrap>
-<color #508CAA>**BSD Client Config**</color>
-</WRAP>
+<tabbox Information>
+<wrap button right>[[https://openvpn.net/index.php/open-source/downloads.html|OpenVPN Client]]</wrap>
+<color #508CAA>**BSD/Linux Client Information**</color>
+  * Due to the sheer number of distros & variances from one to the other, only the client config is being provided
-==== Linux ====
+<tabbox Config>
+<wrap right>''<color #C86400>/etc/openvpn/VPNserver.conf</color>''</wrap>
+<color #508CAA>**Linux/BSD Client Config**</color>
-<WRAP 76.5em lo>
+<code cpp>
-<wrap right>''<color #C86400>VPNserver-Linux.ovpn</color>''</wrap>
+# Config Type #
-<color #508CAA>**Linux Client Config**</color>
+#------------------------------------------------
+client
+# Connection  #
+#------------------------------------------------
+dev tun
+proto udp
+remote your.ddns.com 5000
+# Speed #
+#------------------------------------------------
+mssfix 0
+fragment 0
+tun-mtu 48000
+# Reliability #
+#------------------------------------------------
+float
+nobind
+comp-lzo
+persist-key
+persist-tun
+resolv-retry infinite
+    # Encryption #
+#------------------------------------------------
+auth SHA512
+auth-nocache
+# --- SSL --- #
+cipher AES-256-CBC
+# --- TLS --- #
+key-direction 1
+tls-version-min 1.2
+pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'
+remote-cert-eku 'TLS Web Server Authentication'
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+#PASTE-KEY-INLINE-HERE#
+-----END OpenVPN Static key V1-----
+</tls-auth>
+# Logging #
+#------------------------------------------------
+verb 5
+</code>
+</tabbox>
 </WRAP>
@@ Line 1265: / Line 1420: @@
 ==== Windows ====
-<WRAP 76.5em lo>
+<WRAP indent 76.5em lo>
 <tabbox Information>
@@ Line 1271: / Line 1426: @@
 <color #508CAA>**Windows Client Information**</color>
-  * <color #4B4B4B>**If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**</color>
+  * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**
-    * <color #646464>You must use double backslashes for the path: ''<color #C86400>C:\\Path\\to\\PKCS12</color>''</color>
+    * You must use double backslashes for the path: ''<color #C86400>C:\\Path\\to\\PKCS.p12</color>''
@@ Line 1288: / Line 1443: @@
 dev tun
 proto udp
-remote your.ddns.com 1194
+remote your.ddns.com 5000
 # Speed #
 #------------------------------------------------
-fragment 0
 mssfix 0
+fragment 0
 tun-mtu 48000
 # Reliability #
 #------------------------------------------------
-comp-lzo
 float
 nobind
+comp-lzo
 persist-key
 persist-tun
 resolv-retry infinite
-# Encryption #
+    # Encryption #
 #------------------------------------------------
+auth SHA512
 auth-nocache
+# --- SSL --- #
 cipher AES-256-CBC
+# --- TLS --- #
+key-direction 1
+tls-version-min 1.2
 pkcs12 vpn-client1.p12
 remote-cert-eku "TLS Web Server Authentication"
@@ Line 1317: / Line 1481: @@
 -----END OpenVPN Static key V1-----
 </tls-auth>
-key-direction 1
 # Logging #
@@ Line 1371: / Line 1533: @@
     option  dest            'wan'
     option  src             'vpn'</code>
-  - <color #4B4B4B>**Commit changes**</color>\\ <code bash>/etc/init.d/firewall restart</code>
+  - **Commit changes**\\ <code bash>/etc/init.d/firewall restart</code>
@@ Line 1379: / Line 1541: @@
   - <color #960000>**//Remove://**</color>\\ <code cpp>
-    list    push                'dhcp-option    DNS 8.8.8.8'
+    list    push                'dhcp-option        DNS 208.67.222.123'
-    list    push                'dhcp-option    DNS 8.8.4.4'</code>
+    list    push                'dhcp-option        DNS 208.67.220.123'</code>
   - <color #789600>**//Add://**</color>\\ <code cpp>
     list    push                'redirect-gateway   def1 local'
     list    push                'dhcp-option        DNS 10.1.0.1'</code>
-  - <color #4B4B4B>**Commit changes**</color>\\ <code bash>/etc/init.d/openvpn restart</code>
+  - **Commit changes**\\ <code bash>/etc/init.d/openvpn restart</code>
 </tabbox>
 </WRAP>
@@ Line 1482: / Line 1644: @@
 <WRAP 76.5em lo>
-  * <color #4B4B4B>**//Please take the time to read//**</color>
+  * **//Please take the time to read//**
-    * <color #646464>//If you refuse to help yourself, don't expect someone else to help you//</color>\\ \\
+    * //If you refuse to help yourself, don't expect someone else to help you//\\ \\
-  * <color #4B4B4B>**//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki Section]]//</color>
+  * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki]]// **//or//** //[[:doc:howto:openvpn-streamlined-server-setup#openssl|OpenSSL]]// **//sections//**
-    * <color #646464>//If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:doc:howto:openvpn-streamlined-server-setup#openwrt|OpenWRT]] or [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN]] forums//</color>\\ \\
+    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:doc:howto:openvpn-streamlined-server-setup#openwrt|OpenWrt]] or [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN]] forums//\\ \\
-  * <color #4B4B4B>**//Please do not publish questions directly to this Wiki, as://**</color>
+  * <color #960000>**//Please do not publish questions directly to this Wiki, as://**</color>
-    * <color #646464>//Most importantly, it's __not__ monitored for questions//</color>
+    * //Most importantly, it's __not__ monitored for questions//
-    * <color #646464>//It clutters the Wiki, possibly making it more difficult for others to navigate//</color>
+    * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </WRAP>

OpenWrt Wiki

User Tools

Site Tools

Differences

Page Tools