OpenWrt Wiki

User Tools

Site Tools

You are here: OpenWrt Wiki » Welcome to OpenWrt » HOWTOs » OpenVPN Server HowTo (Streamlined)
  • čeština or Česky (Czech)
  • Deutsch (German)
  • English
  • Español (Spanish, Mexico)
  • Français (French)
  • Hungarian (magyar)
  • 日本語 (Japanese)
  • Poliski (Polish)
  • Português brasileiro (Portuguese, Brasil)
  • Русский (Russsian)
  • Tϋrkçe (Turkish)
  • 中文 (Chinese)
  • 國語 (Taiwanese)
doc:howto:openvpn-streamlined-server-setup
This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

This is an old revision of the document!

Table of Contents

OpenVPN Server HowTo (Streamlined)

To prevent discombobulation, please follow the format already in place within this Wiki when editing
(incl. the Table of Contents)

Introduction

VPN Requirements

Five things are required for a SSL VPN:

  1. Encryption (Certificates)
  2. Network (VPN Interface Creation)
  3. Firewall Rules [VPN Traffic]
  4. VPN Server [Config]
  5. VPN Clients [Config]

Encryption

Easy-RSA does not create secure enough certs & has too many limitations, therefore OpenSSL should be utilized directly via an openssl.cnf

Prerequisites

openssl.cnf

Prerequisites

Commands are executed from within /etc/ssl/ OpenVPN Prerequisites

  1. Install Packages:
    1. opkg update ; opkg install openvpn-openssl luci-app-openvpn

  2. Download openssl.cnf:
    1. Save as /etc/ssl/openssl.cnf

  3. Navaigate to SSL directory & create required directories
    1. cd /etc/ssl ; mkdir -p ca/csr crl openvpn/clients

  4. Create Serial file
    1. echo 00 > serial
      • Maintains the serial for the most recent cert in order to know what serial to next assign
        • Serial is in hex, not dec[imal] format

  5. Create CRLnumber file
    1. echo 00 > crlnumber
      • CRL should be generated, but will only be utilized once a cert is revoked

  6. Create Index file
    1. touch index
      • Maintains an index of all certs issued [lines 744 - 759]
        • Keeps track of certs issued; extremely important if one has revoked a cert

  7. Create Rand file
    1. touch rand
      • Utilized for random characters & is queried by OpenSSL during key creation

Files & Folders

File & Folder Locations

  1. Config Locations:
    • Firewall: /etc/config/firewall
    • Network: /etc/config/network
    • OpenVPN: /etc/config/openvpn

  2. Folder Locations:
    • SSL: etc/ssl/
      • OpenVPN
        • CA & ICA Certs: /etc/ssl/ca/
          • CSR: /etc/ssl/ca/csr/
          • CRL: /etc/ssl/crl/
        • Client Certs: /etc/ssl/openvpn/clients/
        • Server Certs: /etc/ssl/openvpn/

Extensions

Certificate Extensions

  1. .csr:
    • certificate request

  2. .key:
    • private key
      • 4All key files, except for a server's, should be encrypted with a passphrase

  3. .crt:
    • signed certificate

  4. .p12:
    • PKCS12 certificate
      • Contains the CA.crt or concatenated ICA-CA.crt, Certificate.crt, and CertificateKey.key

OpenSSL

Synopsis

Section Synopsis

  • These tabs contain critical information one will likely find helpful while going through the steps in this wiki
    • Tabs 1 - 2 contain informational & reference links to the main man pages
    • Tabs 3 - 6 cover the definitions of KUs, EKUs, KEAs, & EC KEAs

Info

Cookbook Wiki OpenSSL Information

Changelog Vulnerabilities

Blog Certificates Explained News

Index OIDs Standards

Conf Config x509 Config

SSL Library SSL Manual

Crypto Library Crypto Manual

Man Pages

Command List OpenSSL Utility Command Manuals

req x509 pkcs12

ca crl verify

dhparam ecparam rsa

ciphers dgst engine list

speed

oscp smime

keyUsage

keyUsage

  1. digitalSignature
    1. Certificate may be used to apply a digital signature
      1. Digital signatures are often used for entity authentication & data origin authentication with integrity

  2. nonRepudiation
    1. Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
      1. This prevents the signing entity from falsely denying some action

  3. keyEncipherment
    1. Certificate may be used to encrypt a symmetric key which is then transferred to the target
      1. Target decrypts key, subsequently using it to encrypt & decrypt data between the entities

  4. dataEncipherment
    1. Certificate may be used to encrypt & decrypt actual application data

  5. keyAgreement
    1. Certificate enables use of a key agreement protocol to establish a symmetric key with a target
    2. Symmetric key may then be used to encrypt & decrypt data sent between the entities

  6. keyCertSign
    1. CA ONLY
      1. Subject public key is used to verify signatures on certificates
      2. This extension must only be used for CA certificates

  7. cRLSign
    1. CA ONLY
      1. Subject public key is to verify signatures on revocation information, such as a CRL
      2. This extension must only be used for CA certificates

  8. encipherOnly
    1. KU keyAgreement is required
    2. Public key used only for enciphering data while performing key agreement

  9. decipherOnly
    1. KU keyAgreement is required
    2. Public key used only for deciphering data while performing key agreement

extendedKeyUsage

OID repository extendedKeyUsage

  1. serverAuth
    1. All VPN servers should be signed with this EKU present
      1. SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
      2. This supersedes nscertype options (ns in nscertype stands for NetScape [browser])

  2. clientAuth
    1. All VPN clients must be signed with this EKU present
      1. SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only

  3. codeSigning
    1. Code Signing

  4. emailProtection
    1. Email Protection via S/MIME, allows you to send and receive encrypted emails

  5. timeStamping
    1. Trusted Timestamping

  6. OCSPSigning
    1. OCSP Signing

  7. ipsecIKE
    1. IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]
      1. Research needs to be performed to determine if this EKU should also no longer be utilized
      2. clientAuth can be utilized in a IPSec VPN client cert

  8. ipsecEndSystem, ipsecTunnel, & ipsecUser
    1. SHOULD NOT BE UTILIZED
      1. Assigned in 1999, the semantics of these values were never clearly defined
      2. The use of these three EKU values in IKE/IPsec is obsolete and explicitly deprecated by this specification

  9. msCodeInd
    1. Microsoft Individual Code Signing (authenticode)

  10. msCodeCom
    1. Microsoft Commerical Code Signing (authenticode)

  11. mcCTLSign
    1. Microsoft Trust List Signing

  12. msEFS
    1. Microsoft Encrypted File System Signing

Key Exchange

Key Exchange

  1. RSA
    1. Key exchange occurs via encryption of a random value
      1. Client chooses a random value via the server public key
      2. Server public key must be an RSA key
      3. Server certificate must utilize KU keyAgreement

  2. DH_RSA
    1. Key exchange occurs via a static Diffie-Hellman key
      1. Server public key must be a Diffie-Hellman key
      2. Diffie-Hellman key must have been issued by a CA
      3. CA must be using an RSA key signing key

  3. DH_DSA
    1. Like DH_RSA, except CA used a DSA key in lieu of RSA

  4. DHE_RSA
    1. Key exchange occurs via an ephemeral Diffie-Hellman
      1. Server dynamically generates & signs a DH public key, sending it to the client
      2. Server Public Key must be an RSA key
      3. Server certificate must utilize KU digitalSignature

  5. DHE_DSA
    1. Like DHE_RSA, except CA used a DSA key in lieu of RSA

EC Key Exchange

Elliptic-Curve Key Exchange

  1. ECDH_ECDSA
    1. Like DH_DSA, but with elliptic curves
      1. Server public key must be an ECDH key
      2. Server certificate must be issued by a CA utilizing an ECDSA public key

  2. ECDH_RSA
    1. Like ECDH_ECDSA, except CA used an RSA key

  3. ECDHE_ECDSA
    1. Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
      1. Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature

  4. ECDHE_RSA
    1. Like ECDHE_ECDSA, except Server public key is an RSA key
      1. Server public key signs the ephemeral EC Diffie-Hellman key

CA Creation

Prerequisites

/etc/ssl/openssl.cnf CA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 228]
    1. Main
      1. Line 234: DNS.1 = Router.1
        • Change Router.1 to what you'd like the name of your Certificate Authority to be

  2. Certificate Authority Clients [Line 253]
    1. Servers
      • Lines: 259 - 281
    2. Clients
      • Lines: 283 - 287

  3. Change SAN & V3 profile names from alt_ca_main to alt_ca_openwrt [lines 233, 353, & 357]
    1. Line 233: [ alt_ca_openwrt ]
    2. Line 353: [ v3_ca_openwrt ]
    3. Line 357: subjectAltName = @alt_ca_openwrt
Commands

Commands are executed from within /etc/ssl/ CA OpenSSL Commands

  1. Generate CA
    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

  2. Generate CA CRL
    openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf
  3. Convert CA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl

ICA Creation

Prerequisites

/etc/ssl/openssl.cnf ICA OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 228]
    1. Router 2
      1. Line 239: DNS.1 = Router.2
        • Change Router.2 to what you'd like the name of your Intermediate CA to be

  2. Intermediate Certificate Authority Clients [Line 290]
    1. Servers
      • Lines: 296 - 312
    2. Clients
      • Lines: 314 - 322:

  3. Change SAN & V3 profile names from alt_ica_router2 to alt_ica_openvpn [lines 238, 360, & 364]
    1. Line 238: [ alt_ica_openvpn ]
    2. Line 360: [ v3_ica_openvpn ]
    3. Line 364: subjectAltName = @alt_ica_openvpn
Commands

Commands are executed from within /etc/ssl/ ICA OpenSSL Commands

  1. Generate Intermediate CA CSR
    openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/OpenVPN-ICA.key -config ./openssl.cnf -extensions v3_ica_openvpn
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

  2. Create & Sign ICA with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem -extfile ./openssl.cnf -extensions v3_ica_openvpn
  3. Generate ICA CRL
    openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key -cert ca/OpenVPN-ICA.crt.pem -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf
  4. Convert ICA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl
  5. Concatenate ICA → CA Chain
    cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

Index File

Info

Index Info

  • If wishing to maintain the index file automatically, openssl ca must be used to sign certs
    • openssl ca is not used in this wiki as it requires additional steps & adds unneeded complexity

Index

/etc/ssl/index Index File

Manually maintaining the index file consists of inputting 1 cert entry per line in the following format

  • Entering certificate information into the index file takes ~30s per cert
  • Copy & paste DN from the output of: openssl x509 -in certificate.crt -text -noout

V    261231235959Z    0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
1    2----------->    4->   5----->    6--------------------------------------------------------------------------------------------------->

  1. Status of Certificate
    1. V [Valid]
    2. R [Revoked]
    3. E [Expired]

  2. Expiration Date
    1. Format: YYMMDDHHMMSS followed by Z
      • 2026.12.31 @ 23:59:59

  3. Revocation Date
    1. Format: YYMMDDHHMMSSZ,reason
      1. Valid reasons are:
        1. keyCompromise
        2. CACompromise
        3. affiliationChanged
        4. superseded
        5. cessationOfOperation
        6. certificateHold
        7. privilegeWithdrawn
        8. AACompromise
    2. Empty if not revoked

  4. Serial number (hex format)
    1. 0a is hex for 10
      1. Windows:
        • Calculator has programmer feature which can convert dec ↔ hex
      2. Linux/BSD
        • cli hex → dec: printf '%d\n' 0x0a returns 10
        • cli dec → hex: printf '%x\n' 10 returns 0a

  5. Certificate Filename or Literal String
    1. Certificate Filename or Literal String unknown

  6. Distinguished Name

Server Cert

Prerequisites

/etc/ssl/openssl.cnf Server Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

  1. Intermediate Certificate Authority Clients (Line 290)
    1. Change the SAN alt name alt_vpn_server2 to alt_openvpn_server
      1. Line 310: [ alt_openvpn_server ]

    2. Change the SAN IP from 10.0.1.1 to match your VPN Server IP
      1. Line 311: IP.1 = 10.0.1.1

    3. Change the SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
      1. Line 312: DNS.1 = your.ddns.com
        • For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)

V3 Profile

  1. Intermediate Certificate Authority Clients (Line 473)
    1. Change the V3 profile name from [ v3_vpn_server2 ] to match alt name set above
      1. Line 496: [ v3_openvpn_server ]

    2. Change the SAN alt name from @alt_vpn_server2 to match alt name set above
      1. Line 502: subjectAltName = @alt_openvpn_server
Commands

Commands are executed from within /etc/ssl/ Server Cert OpenSSL Commands

  1. Generate VPN Server CSR
    openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server -nodes
    • -nodes creates a signing key without encryption
      • For server certs only, as a passphrase prevents the server from starting/restarting without manual intervention

  2. Create & Sign Cert with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key -CAserial ./serial -out certs/vpn-server.crt.pem -extfile ./openssl.cnf -extensions v3_vpn_server
  3. Export to PKCS12
    openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem
    • Do not encrypt this PKCS12

    • ICA is still used to sign the certs it issues
      • ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust
        • Chain of Trust hierarchy: CA → Intermediate CA → Client

Client Certs

Do not use the same Common Name (CN) on more than one certificate

Prerequisites

/etc/ssl/openssl.cnf Client Cert OpenSSL Prerequisites

Modify the following SubjectAltNames & V3 Profiles

SubjectAltNames Profile

  1. Intermediate Certificate Authority Clients (Line 290)
    1. Change the SAN alt name alt_vpn2_user1 to alt_openvpn_<username>
      1. Line 315: [ alt_openvpn_<username> ]

    2. Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username
      1. Line 316: DNS.1 = VPN-<username>-Hostname
        • This makes configuring CCD more convenient

    3. Change the SAN email from user1@email.com to user's email
      1. Line 317: email.1 = user1@email.com

V3 Profile

  1. Intermediate Certificate Authority Clients (Line 473)
    1. Change the V3 profile name from [ v3_vpn2_user1 ] to match alt name set above
      1. Line 505: [ v3_openvpn_<username> ]

    2. Change the SAN alt name from @alt_vpn2_user1 to match alt name set above
      1. Line 511: subjectAltName = @alt_openvpn_<username>
Commands

Commands are executed from within /etc/ssl/ Client Cert OpenSSL Commands

  1. Generate VPN Client Certs
    openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/clients/vpn-client1-<username>-<hostname>.key.pem -config ./openssl.cnf -extensions v3_openvpn_<username>
    • Key passphrase should be a 20 character minimum, containing at least: 2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols

  2. Sign Cert with CA
    openssl x509 req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key -CAserial ./serial -out openvpn/clients/vpn-client1-<username>-<hostname>.crt.pem -extfile ./openssl.cnf -extensions v3_openvpn_<username>
  3. Export to PKCS12
    openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

Diffie-Hellman Key

EC Cryptography Diifie-Hellman

  1. Generate DH Key (executed from /etc/ssl/)
    openssl dhparam -out openvpn/dh2048.pem 2048
    • Generating DH keys takes substantial amounts of time

    • You may wish to generate 3072bit and 4096bit DH keys as well
      • Generating multiple DH keys at once takes substantially less time due to the rand file

    • OpenVPN will add support for EC [Elliptic Curve] ciphers in v2.4
      • For EC, the Diffie-Hellman key must be generated with a value greater than the encryption key
        • For example, if you generate 2048bit cert keys, your dh.pem must exceed that value

TLS-Auth Key

  1. Generate TLS-Auth key (executed from /etc/ssl/)
    openvpn --genkey --secret openvpn/ta.key
    • This ensures PFS [Perfect Forward Secrecy] is maintained when utilizing a SSL cipher

    • tls-auth requires a static pre-shared key [PSK], generated in advance, and shared among all clients
      • This requires incoming packets to have a valid signature generated using the PSK key
        • If key is changed, it must be changed on all clients at the same time (no support for rollover)

Import & Backup

GnuPG is a great tool to manage CAs and client certificates GnuPG

Backup

Backup

Create a backup:

  1. Apply correct permissions:
    chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/* ; chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
  2. It's recommend to utilize GnuPG to encrypt a copy of the CAs & ICAs and their keys
    1. After creating an encrypted backup, and copying keys/P12s to their respective clients, securely erase them, overwriting the freespace

  3. To ensure the OpenVPN & SSL directories are included in sysupgrade backups
    1. vi /etc/sysupgrade.conf
      1. Add:
        • /etc/config/
        • /etc/openvpn/
        • /etc/ssl/
        • /etc/firewall.user
        • /etc/sysupgrade.conf
    2. # LuCI: System - Backup/Flash Firmware - Configuration
 
    # Directories #
#---------------------------------------------------
/etc/config/
/etc/openvpn/
/etc/ssl/
 
    # Files #
#---------------------------------------------------
/etc/firewall.user
/etc/sysupgrade.conf

Linux/BSD

Linux & BSD

If utilizing Linux/BSD:

  • Due to the sheer number of distros, and differing means of handling certificate authorities, please google:
    1. <your distro name> install certificate authority
    2. <your distro name> install intermediate certificate authority

Windows

Windows PEM Association.reg

If utilizing Windows:

  1. Download PEM Association.reg, then import into registry (Right ClickMerge)
    • This causes Windows to associate the .pem extension as a valid certificate extension

  2. Add your CA cert to the Trusted Root Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenWrt-CA.crt.pem:
      1. Install CertificateLocal MachinePlace all certificates in the following storeBrowseTrusted Root Certification Authorities

  3. Add your ICA cert to the Intermediate Certification Authorities (user must have Administrator privileges)
    1. Right click on OpenVPN-ICA.crt.pem:
      1. Install CertificateLocal MachinePlace all certificates in the following storeBrowseIntermediate Certification Authorities

Network

Interface Creation

  1. Create VPN interface
    uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none
    1. You can replace network.vpn0 with network.<name>
      1. If you choose to do so, network=vpn0 will need to be updated accordingly in Zone Creation

    2. You can replace ifname=tun0 with ifname=<name>
      1. If you choose to do so, option dev tun0 will need to be updated accordingly in VPN Server Config

  2. Commit changes
    uci commit network ; /etc/init.d/network reload

Configure DDNS

  1. A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs
    1. DDNS:
      • Dynamic Domain Name System providers provide the user with a dynamically updated DNS name for their public IP
    2. FQDN
      • Fully Qualified Domain Name is a URL (google.com is a FQDN)
        • Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA (Internet Assigned Numbers Authority)

  2. Most users will likely configure DDNS

Firewall

Create Rules

A non-standard port (not 1194) should be utilized for the VPN

Information

Firewall Info

  1. VPN traffic rules should be placed in the following order, below option path /etc/firewall.user and any redirect rules
    1. InterZone Forwarding Rules
    2. VPN Traffic Rules

  2. Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes
    1. Allowing both prevents having to edit the firewall every time troubleshooting is needed

  3. SSL VPNs should always use UDP
    1. Except under the following two scenarios
      1. When troubleshooting
        OR
      2. When packet loss is high

  4. A port >1025 but <10000 should be utilized for the VPN
    1. If using a custom port, update VPN Server & VPN Client configs accordingly

Rules

/etc/config/firewall Firewall Rules

The following rules are required:

  1. vi /etc/config/firewall

    #::: Traffic Rules :::#
# LuCI: Network - Firewall - Traffic Rules
 
 
#::: Defaults :::#
# LuCI: Network - Firewall
#------------------------------------------------
 
#::: Firewall.User Rules :::#
# LuCI: Network - Firewall - Custom Rules
config include
    option  path            '/etc/firewall.user'
 
# Default OpenWRT Rule #
config defaults
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  syn_flood       1
    option  drop_invalid    1
 
 
# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 1194 on this device (Accept Input) 
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  dest_port       1194
    option  name            'Allow Forwarded VPN Request -> <device>'
 
# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.1.0/24 in any zone To IP
# range 192.168.1.0/24 on this device (Accept Input)
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  src_ip          '10.1.1.0/24'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow VPN0 -> LAN'
 
# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.1.0/24 in any zone To IP
# range 192.168.1.0/24  on this device (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'tcp udp'
    option  family          'ipv4'
    option  src             '*'
    option  src_ip          '10.1.1.0/24'
    option  dest            '*'
    option  dest_ip         '192.168.1.0/26'
    option  name            'Allow Forwarded VPN0 -> LAN'
 
# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.1.0/24 in any 
# zone To any host in lan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    option  src             '*'
    option  src_ip          '10.1.1.0/24'
    option  dest            'lan'
    option  name            'Allow VPN0 (ICMP) -> LAN'
 
# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.1.0/24 in any zone To any host in wan (Accept Forward)
config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    list    icmp_type       'echo-request'
    option  src             '*'
    option  src_ip          '10.1.1.0/24'
    option  dest            'wan'
    option  name            'Allow VPN0 (ICMP 8) -> <device> '
 
 
#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
 
# LAN #
config zone
    option  name            'lan'
    option  network         'lan'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
 
# VPN #
config zone
    option  name            'vpn'
    option  network         'vpn0'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'ACCEPT'
 
# WAN #
config zone
    option  name            'wan'
    option  network         'wan wan6'
    option  input           'DROP'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            1
    option  mtu_fix         1
 
 
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
 
# LAN to VPN #    
config forwarding
    option  dest            'vpn'
    option  src             'lan'
 
# LAN to WAN #
config forwarding
    option  dest            'wan'
    option  src             'lan'
 
# VPN to LAN #    
config forwarding
    option  dest            'lan'
    option  src             'vpn'

  2. Commit changes
    uci commit firewall ; /etc/init.d/firewall restart

Logging

/etc/firewall.user firewall.user Script

The following rules are required:

  1. vi /etc/firewall.user

    #::: Traffic Rules :::#
# LuCI: Network - Firewall - Custom Rules
 
  # These rules make the assumption the default port of 1194 is not used for the VPN
 
  # Port 5000 is being used arbitrarily for the VPN port
 
 
    # Establish Custom Zones #
#---------------------------------------------------
iptables        -N  DROP-Brute
iptables        -N  LOG-VPN
iptables        -N  Rate_Limit
 
    # Log All Dropped #
#---------------------------------------------------
iptables        -A  DROP-Brute              -j  LOG     --log-prefix    "<[[--- BRUTE DROPPED ---]]> : "        --log-level 4
iptables        -A  DROP-Brute              -j  DROP
 
    # Establish Rate Limit #
#---------------------------------------------------
iptables        -A  Rate_Limit  -p  tcp     --dport     1194    -m  limit   --limit 1/min   --limit-burst   1   -j  DROP-Brute
iptables        -A  Rate_Limit  -p  udp     --dport     1194    -m  limit   --limit 1/min   --limit-burst   1   -j  DROP-Brute
iptables        -A  Rate_Limit  -p  tcp     --dport     5000                                                    -j  LOG-VPN
iptables        -A  Rate_Limit  -p  udp     --dport     5000                                                    -j  LOG-VPN
iptables        -A  Rate_Limit  -p  tcp                                                                         -j  REJECT      --reject-with   tcp-reset
iptables        -A  Rate_Limit  -p  udp                                                                         -j  REJECT      --reject-with   icmp-port-unreachable
iptables        -A  Rate_Limit  !   -p      ICMP                                                                -j  LOG         --log-prefix    "<[[--- Connection DROPPED ---]]>: "
iptables        -A  Rate_Limit                                                                                  -j  DROP
 
    # Apply Rate Limit #
#---------------------------------------------------
iptables    -w  -I  INPUT       -p  tcp     --dport     1194    -m  state   --state NEW -m  recent  --set
iptables    -w  -I  INPUT       -p  tcp     --dport     1194    -m  state   --state NEW             --update    --seconds   60  --hitcount  1   -j  Rate_Limit
iptables    -w  -I  INPUT       -p  udp     --dport     1194    -m  state   --state NEW -m  recent  --set
iptables    -w  -I  INPUT       -p  udp     --dport     1194    -m  state   --state NEW             --update    --seconds   60  --hitcount  1   -j  Rate_Limit
iptables        -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW                                                         -j  Rate_Limit
iptables        -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW                                                         -j  Rate_Limit
 
    # Check for bans in Rate_Limit #
#---------------------------------------------------
iptables    -w  -A  INPUT       -p  tcp     --dport     1194    -j  Rate_Limit
 
    # Log VPN Traffic #
#---------------------------------------------------
iptables        -A  LOG-VPN                                     -j  LOG         --log-prefix    "<[[---  VPN Traffic ---]]> : "         --log-level 4
iptables        -A  LOG-VPN                                     -j  ACCEPT

  2. Commit changes
    /etc/init.d/firewall restart
  3. Please also see:

VPN Server

Config

It's strongly encouraged to read through the OpenVPN HowTo & Man Page

Information

OpenVPN Information

  • This specific configuration has been designed to give the best performance possible, via MTU & Buffer Tuning recommendations
    • DNS primary & secondary are Google's
    • NTP is garnished from NIST (time-c) and can be updated to your NTP server of choice
      • NTP should be specified, but doesn't need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds

  • CCD directives (under Client Config) are commented out, as one will need to read the OpenVPN HowTo to understand how it's used
    • CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used

  • Two or more servers can be run from this config file
    • To add additional servers, copy & paste first config directly below itself, with a blank line separating the two

  • The OpenVPN HowTo & Man Page provide every possible option for the Server & Client Configs

Config

/etc/config/openvpn OpenVPN Server Config

  1. Create config:
    echo > /etc/config/openvpn ; vi /etc/config/openvpn
    1. Paste the following & edit accordingly

      config openvpn 'VPNserver'
 
    option  enabled             1
 
    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'udp'
    option  port                1194
 
    # Routes # 
#------------------------------------------------
    option  server              '10.1.0.0 255.255.255.240'
    option  ifconfig            '10.1.0.1 255.255.255.240'        
 
    # Client Config # 
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'
 
    # Pushed Routes # 
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 8.8.8.8'
    list    push                'dhcp-option    DNS 8.8.4.4'
    list    push                'dhcp-option    NTP 129.6.15.30'
 
    # Encryption # 
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/ssl/openvpn/dh2048.pem'
 
    # PKCS12:
    option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
 
    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA512'
    option  tls_auth            '/etc/ssl/openvpn/ta.key 0'
 
    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'
    option  remote-cert-eku     'TLS Web Client Authentication'
 
    # Logging # 
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                7
 
    # Connection Options # 
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'
 
    # Connection Reliability # 
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1
 
    # Connection Speed # 
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000
 
    # Pushed Buffers # 
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'
 
    # Permissions # 
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'
 
 
    # chroot #
#------------------------------------------------
    # chroot should be utilized in case the VPN is ever exploited; however, most commercial
    # routers don't have internal flash storage large enough to support it.  An OpenVPN 
    # chroot would be ~11MB in size.
 
    # Modify if chroot is configured #
    #--------------------------------------------
        # option  ccd_exclusive             1
        # option  ifconfig_pool_persist     /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
        # option  client_config_dir         /var/chroot-openvpn/etc/openvpn/clients
 
        # option  cipher                    AES-256-CBC
        # option  dh                        /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
        # option  pkcs12                    /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
        # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/ta.key 0'
  2. Commit changes

/etc/init.d/openvpn enable ; /etc/init.d/openvpn start ; sleep 2 ; cat /tmp/openvpn.log

Log Output

CCD Disabled

/tmp/openvpn.log Log Output w/o CCD Enabled 

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened
Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup
Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody
Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed

CCD Enabled

/tmp/openvpn.log Log Output w/ CCD Enabled 

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='vpn-client2-foobar2-device1,10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1-foobar1-device1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 vpn-client2-foobar2-device1,10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed

Clients

Server's TLS-Auth key goes within the inline XML space

Android

Information

OpenVPN for Android Toast Removal Android Client Information

  • OpenVPN for Android is the best app for VPNs on Android

  • PKCS12 certs are installed into the Android Keychain
    • As a security feature, a warning toast will always appear in the notification area due to user installed certs
      • This toast can be removed if you have a rooted device by following Toast Removal tutorial
    • Another option is to include all certs & keys via inline XML within the client config file

  • If you choose to reference the ta.key, instead of utilizing inline XML
    1. Remove:
      key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTED-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
    2. Add:
      tls-auth   /path/to/ta.key 1
  • Some Android devices are not able to convert PKCS12 certs to x509 certs
    • If your device is affected, you will need to reference your individual certs in your Server Config
      1. Remove:
         # Encryption #
pkcs12     '/sdcard/openvpn/vpn-client1.p12'
      2. Add:
         # Encryption #
ca         '/sdcard/openvpn/OpenWRT-OpenVPN_CA-Chain.crt.pem'
cert       '/sdcard/openvpn/vpn-client1.crt.pem'
key        '/sdcard/openvpn/vpn-client1.key.pem'
    • For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure
      • It is crucial to the security of the VPN to ensure the certificate key is encrypted as specified under Client Certs

Config

/sdcard/OpenVPN/OpenWrt/VPNserver.ovpn Android Client Config 

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 1194
 
# Speed #
#------------------------------------------------
fragment 0
mssfix 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
comp-lzo
float
nobind
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth-nocache
cipher AES-256-CBC
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
key-direction 1
 
# Logging #
#------------------------------------------------
verb 5

BSD

VPNserver-BSD.ovpn BSD Client Config

Linux

VPNserver-Linux.ovpn Linux Client Config

Windows

Information

OpenVPN Client Windows Client Information

  • If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced
    • You must use double backslashes for the path: C:\\Path\\to\\PKCS12

Config

C:\Program Files\OpenVPN\config\OpenWrt\VPNserver.ovpn Windows Client Config 

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
remote your.ddns.com 1194
 
# Speed #
#------------------------------------------------
fragment 0
mssfix 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
comp-lzo
float
nobind
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth-nocache
cipher AES-256-CBC
pkcs12 vpn-client1.p12
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#PASTE-KEY-INLINE-HERE#
-----END OpenVPN Static key V1-----
</tls-auth>
 
key-direction 1
 
# Logging #
#------------------------------------------------
verb 5

Optional

Redirect Gateway (Same Subnet)

It's recommended to read Gateway Redirect prior to continuing Gateway Redirect

Firewall Config

/etc/config/firewall LAN Zone & InterZone Forwarding

  1. Add:
    #::: Zones :::#
# LuCI: Network - Firewall - Zones
 
# Add: LAN Masquerade #
#------------------------------------------------
config zone
    option  name            'lan'
    option  network         'lan'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            1
  2. Add:
    #::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -> VPN - 
# Edit - Inter-Zone Forwarding
 
# Allow Forwarding VPN -> WAN #
#------------------------------------------------
config forwarding
    option  dest            'wan'
    option  src             'vpn'
  3. Commit changes
    /etc/init.d/firewall restart

Server Config

/etc/config/openvpn Pushed Routes

  1. Remove:
        list    push                'dhcp-option    DNS 8.8.8.8'
    list    push                'dhcp-option    DNS 8.8.4.4'
  2. Add:
        list    push                'redirect-gateway   def1 local'
    list    push                'dhcp-option        DNS 10.1.0.1'
  3. Commit changes
    /etc/init.d/openvpn restart

VPN Wikis

OpenSSL

Guides

OpenSSL Guides

Info

OpenSSL Info

OpenVPN

Android

Android

Guides

Guides

Highly Recommended

Help

If needing help

Tuning

Tuning

OpenWrt

Help

If needing help

Wiki

Wiki

Questions

  • Please take the time to read
    • If you refuse to help yourself, don't expect someone else to help you

  • The answer to any question about an OpenVPN Client or Server configuration is contained within the VPN Wiki Section
    • If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the OpenWRT or OpenVPN forums

  • Please do not publish questions directly to this Wiki, as:
    • Most importantly, it's not monitored for questions
    • It clutters the Wiki, possibly making it more difficult for others to navigate
doc/howto/openvpn-streamlined-server-setup.1477113161.txt.bz2 · Last modified: 2016/10/22 07:12 by JW0914

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
CC Attribution-Noncommercial-Share Alike 3.0 Unported Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki