doc:howto:openvpn-streamlined-server-setup
This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

doc:howto:openvpn-streamlined-server-setup [2016/10/30 16:04]
JW0914 [Introduction] Minor formatting tweak
doc:howto:openvpn-streamlined-server-setup [2018/02/03 14:28] (current)
ssdnvv restored old revision (2018/01/18 05:21)
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
  
-<​WRAP ​indent>+<​WRAP ​box 78em lo>
  
 +<tabbox Purpose>
 +<color #​508CAA>​**VPN Server Purpose**</​color>​
  
-==== VPN Requirements ====+  * Provides an encrypted remote connection over WAN to router and downstream devices
  
-<WRAP 75em lo> +  * If Gateway Redirect is utilized, it provides an encrypted connection ​for local traffic
-Five requirements ​for SSL VPNs: +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption [Certificates]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network [VPN Interface]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall [Traffic Rules]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server [Config]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients [Config]]] +
-</​WRAP>​+
  
 +<tabbox Requirements>​
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​
 +
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\
 +
 +<tabbox Editing>
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]] ​ [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​
 +<color #​508CAA>​**Editing Configs**</​color>​
 +
 +  * Vim is the default command line text editor\\ \\
 +  * If you've never utilized Vim before, please see the Vim Tutorial
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​
 +</​tabbox>​
 </​WRAP>​ </​WRAP>​
 +
  
  
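Review bot: The second bullet in the Purpose tab, "If Gateway Redirect is utilized, it provides an encrypted connection for local traffic", is ambiguous about whose traffic is meant; suggest wording it as the remote client's traffic, including Internet-bound traffic, being routed through the tunnel, which is what the OpenVPN redirect-gateway option does. The Editing tab tells readers to save an external VimRC to ~/.vimrc; consider marking that as optional, since it is unrelated to the VPN setup itself.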
Line 29: Line 42:
  
 <WRAP centeralign 78.25em lo> <WRAP centeralign 78.25em lo>
-<​wrap ​danger>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​wrap>​+<​wrap ​warning><​color #FFFFFF>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​color>​</​wrap>​
 </​WRAP>​ </​WRAP>​
  
-<WRAP indent> 
  
 +<WRAP indent>
  
 ==== Prerequisites ==== ==== Prerequisites ====
  
 <WRAP box lo> <WRAP box lo>
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]]</​wrap>​+<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
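Review bot: The right-button link changes the GitHub path from OpenSSL.cnf to openssl.cnf; GitHub file paths are case-sensitive, so this must match the actual filename in the JW0914/Wikis repository or the button becomes a dead link. The warning box states that Easy-RSA "does not create secure enough certs" without saying why; suggest naming the concrete limitation (for example, which extensions or key usages used in this guide Easy-RSA cannot set) so readers can judge the claim.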
Line 44: Line 57:
 <color #​508CAA>​**OpenVPN Prerequisites**</​color>​ <color #​508CAA>​**OpenVPN Prerequisites**</​color>​
  
-  - <color #4B4B4B>**Install Packages:**</​color>​ +  - **Install Packages:​** 
-    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn</​color>''//​\\ \\ +    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn ​openssl-util</​color>''//​\\ \\ 
-  - <color #4B4B4B>**Download openssl.cnf:​**</​color>​ +  - **Download openssl.cnf:​** 
-    - <color #646464>Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​</​color>​\\ \\ +    - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\ 
-  - <color #4B4B4B>**Navaigate to SSL directory & create required directories**</​color>​+  - **Navaigate to SSL directory & create required directories**
     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\
-  - <color #4B4B4B>**Create Serial file**</​color>​+  - **Create Serial file**
     - //''<​color #​647D00>​echo 00 > serial</​color>''//​     - //''<​color #​647D00>​echo 00 > serial</​color>''//​
-      * <color #646464>Maintains the serial for the most recent cert in order to know what serial to next assign</​color>​ +      * Maintains the serial for the most recent cert in order to know what serial to next assign 
-        * <color #646464>Serial is in hex, not dec[//​imal//​] format</​color>​\\ \\ +        * Serial is in hex, not dec[//​imal//​] format\\ \\ 
-  - <color #4B4B4B>**Create CRLnumber file**</​color>​ +  - **Create CRLnumber file** 
-    - //''<​color #​647D00>​echo 00 > crlnumber</​color>''//​ +    - //''<​color #​647D00>​echo 00 > crl/crlnumber</​color>''//​ 
-            * <color #646464>CRL should be generated, but will only be utilized once a cert is revoked</​color>​\\ \\ +            * CRL should be generated, but will only be utilized once a cert is revoked\\ \\ 
-  - <color #4B4B4B>**Create Index file**</​color>​+  - **Create Index file**
     - //''<​color #​647D00>​touch index</​color>''//​     - //''<​color #​647D00>​touch index</​color>''//​
-      * <color #646464>Maintains an index of all certs issued <​sup>​[lines ​744 759]</sup></color+      * Maintains an index of all certs issued <sup><​color #646464>​[lines ​644 689]</color></sup
-        * <color #646464>Keeps track of certs issued; extremely important if one has revoked a cert</​color>​\\ \\ +        * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\ 
-  - <color #4B4B4B>**Create Rand file**</​color>​+  - **Create Rand file**
     - //''<​color #​647D00>​touch rand</​color>''//​     - //''<​color #​647D00>​touch rand</​color>''//​
-      * <color #646464>Utilized for random characters & is queried by OpenSSL during key creation</​color>​+      * Utilized for random characters & is queried by OpenSSL during key creation
  
  
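Review bot: Step 5 moves the CRL number file to crl/crlnumber, but openssl ca -gencrl (used in the CA and ICA Creation sections) locates that file through the crlnumber directive in openssl.cnf; unless the linked openssl.cnf points at crl/crlnumber, CRL generation fails with a missing-file error, so the path should be confirmed against the config. Two smaller points: adding openssl-util to the install line is the right fix, since openvpn-openssl only pulls in the OpenSSL library and not the openssl command-line tool these steps rely on; and "Navaigate" in step 3 is a typo for "Navigate".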
Line 69: Line 82:
 <color #​508CAA>​**File & Folder Locations**</​color>​ <color #​508CAA>​**File & Folder Locations**</​color>​
  
-  - <color #4B4B4B>**Config Locations:​**</​color>​ +  - **Config Locations:​** 
-    * <color #646464>Firewall: ''<​color #​C86400>/​etc/​config/​firewall</​color>''​</​color>​ +    * Firewall: ''<​color #​C86400>/​etc/​config/​firewall</​color>''​ 
-    * <color #646464>Network: ''<​color #​C86400>/​etc/​config/​network</​color>''​</​color>​ +    * Network: ''<​color #​C86400>/​etc/​config/​network</​color>''​ 
-    * <color #646464>OpenSSL: ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​</​color>​ +    * OpenSSL: ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​ 
-    * <color #646464>OpenVPN: ''<​color #​C86400>/​etc/​config/​openvpn</​color>''​</​color>​\\ \\ +    * OpenVPN: ''<​color #​C86400>/​etc/​config/​openvpn</​color>''​\\ \\ 
-  - <color #4B4B4B>**Folder Locations:​**</​color>​ +  - **Folder Locations:​** 
-    * <color #646464>OpenVPN</​color>​ +    * OpenVPN 
-      * <color #646464>CA & ICA Certs: ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​</​color>​ +      * CA & ICA Certs: ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​ 
-        * <color #646464>CSR: ''<​color #​C86400>/​etc/​ssl/​ca/​csr/</​color>''​</​color>​ +        * CSR: ''<​color #​C86400>/​etc/​ssl/​ca/​csr/</​color>''​ 
-        * <color #646464>CRL: ''<​color #​C86400>/​etc/​ssl/​crl/</​color>''​</​color>​ +        * CRL: ''<​color #​C86400>/​etc/​ssl/​crl/</​color>''​ 
-      * <color #646464>Client Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​</​color>​ +      * Client Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​ 
-      * <color #646464>Server Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​</​color>​+      * Server Certs: ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​
  
 <tabbox Extensions>​ <tabbox Extensions>​
 <color #​508CAA>​**Certificate Extensions**</​color>​ <color #​508CAA>​**Certificate Extensions**</​color>​
  
-  - <color #4B4B4B>**.csr:**</​color>​ +  - **.csr:** 
-    * <color #646464>//​certificate request//</​color>​\\ \\ +    * //​certificate request//\\ \\ 
-  - <color #4B4B4B>**.key:**</​color>​ +  - **.key:** 
-    * <color #646464>//private key//</​color>​ +    * //private key// 
-      * <color #64646>4All key files, except for a server'​s,​ should be encrypted with a passphrase</​color>​\\ \\ +      * 4All key files, except for a server'​s,​ should be encrypted with a passphrase\\ \\ 
-  - <color #4B4B4B>**.crt:**</​color>​ +  - **.crt:** 
-    * <color #646464>//signed certificate//​</​color>​\\ \\ +    * //signed certificate//​\\ \\ 
-  - <color #4B4B4B>**.p12:**</​color>​ +  - **.p12:** 
-    * <color #646464>//PKCS12 certificate//​</​color>​ +    * //PKCS12 certificate//​ 
-      * <color #646464>Contains the //CA.crt// or concatenated //​ICA-CA.crt//,​ //​Certificate.crt//,​ and //​CertificateKey.key//​</​color>​+      * Contains the //CA.crt// or concatenated //​ICA-CA.crt//,​ //​Certificate.crt//,​ and //​CertificateKey.key//​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
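Review bot: The .key entry in the Extensions tab reads "4All key files, except for a server's, should be encrypted with a passphrase"; the leading "4" is left over from the malformed <color #64646> tag in the old revision and should be dropped. Minor: the Folder Locations tab covers the ca/, csr/, crl/ and openvpn/ directories created by the mkdir -p line in Prerequisites, but the serial, index and rand files created alongside them in /etc/ssl have no entry; consider listing them for completeness.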
Line 107: Line 120:
 <color #​508CAA>​**Section Synopsis**</​color>​ <color #​508CAA>​**Section Synopsis**</​color>​
  
-  * <color #4B4B4B>**These tabs contain critical information one will likely find helpful while going through the steps in this wiki**</​color>​ +  * **These tabs contain critical information one will likely find helpful while going through the steps in this wiki** 
-    * <color #646464>Tabs 2 - 3 contain informational & reference links to the main man pages</​color>​ +    * Tabs 2 - 3 contain informational & reference links to the main man pages 
-    * <color #646464>Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs</​color>​+    * Tabs 4 - 7 cover the definitions of KUs, EKUs, KEAs, & EC KEAs
  
  
Line 177: Line 190:
 <color #​508CAA>​**keyUsage**</​color>​ <color #​508CAA>​**keyUsage**</​color>​
  
-  - <color #4B4B4B>**digitalSignature**</​color>​ +  - **digitalSignature** 
-    - <color #646464>Certificate may be used to apply a digital signature</​color>​ +    - Certificate may be used to apply a digital signature 
-      - <color #646464>Digital signatures are often used for entity authentication & data origin authentication with integrity</​color>​\\ \\ +      - Digital signatures are often used for entity authentication & data origin authentication with integrity\\ \\ 
-  - <color #4B4B4B>**nonRepudiation**</​color>​ +  - **nonRepudiation** 
-    - <color #646464>Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services</​color>​ +    - Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services 
-      - <color #646464>This prevents the signing entity from falsely denying some action</​color>​\\ \\ +      - This prevents the signing entity from falsely denying some action\\ \\ 
-  - <color #4B4B4B>**keyEncipherment**</​color>​ +  - **keyEncipherment** 
-    - <color #646464>Certificate may be used to encrypt a symmetric key which is then transferred to the target</​color>​ +    - Certificate may be used to encrypt a symmetric key which is then transferred to the target 
-      - <color #646464>Target decrypts key, subsequently using it to encrypt & decrypt data between the entities</​color>​\\ \\ +      - Target decrypts key, subsequently using it to encrypt & decrypt data between the entities\\ \\ 
-  - <color #4B4B4B>**dataEncipherment**</​color>​ +  - **dataEncipherment** 
-    - <color #646464>Certificate may be used to encrypt & decrypt actual application data</​color>​\\ \\ +    - Certificate may be used to encrypt & decrypt actual application data\\ \\ 
-  - <color #4B4B4B>**keyAgreement**</​color>​ +  - **keyAgreement** 
-    - <color #646464>Certificate enables use of a key agreement protocol to establish a symmetric key with a target</​color>​ +    - Certificate enables use of a key agreement protocol to establish a symmetric key with a target 
-    - <color #646464>Symmetric key may then be used to encrypt & decrypt data sent between the entities</​color>​\\ \\ +    - Symmetric key may then be used to encrypt & decrypt data sent between the entities\\ \\ 
-  - <color #4B4B4B>**keyCertSign**</​color>​+  - **keyCertSign**
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
-      - <color #646464>Subject public key is used to verify signatures on certificates</​color>​+      - Subject public key is used to verify signatures on certificates
       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\
-  - <color #4B4B4B>**cRLSign**</​color>​+  - **cRLSign**
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
-      - <color #646464>Subject public key is to verify signatures on revocation information,​ such as a CRL</​color>​+      - Subject public key is to verify signatures on revocation information,​ such as a CRL
       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\       - <color #​AF0000>//​This extension must only be used for CA certificates//</​color>​\\ \\
-  - <color #4B4B4B>**encipherOnly**</​color>​ +  - **encipherOnly** 
-    - <color #646464>KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required</​color>​ +    - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
-    - <color #646464>Public key used only for enciphering data while performing key agreement</​color>​\\ \\ +    - Public key used only for enciphering data while performing key agreement\\ \\ 
-  - <color #4B4B4B>**decipherOnly**</​color>​ +  - **decipherOnly** 
-    - <color #646464>KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required</​color>​ +    - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required 
-    - <color #646464>Public key used only for deciphering data while performing key agreement</​color>​+    - Public key used only for deciphering data while performing key agreement
  
  
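Review bot: Under cRLSign, "Subject public key is to verify signatures on revocation information" is missing "used"; suggest "Subject public key is used to verify signatures on revocation information, such as a CRL", matching the keyCertSign wording above it.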
Line 211: Line 224:
 <color #​508CAA>​**extendedKeyUsage**</​color>​ <color #​508CAA>​**extendedKeyUsage**</​color>​
  
-  - <color #4B4B4B>**serverAuth**</​color>​ +  - **serverAuth** 
-    - <color #646464>All VPN servers should be signed with this EKU present</​color>​ +    - All VPN servers should be signed with this EKU present 
-      - <color #646464>SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against</​color>​ +      - SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against 
-      - <color #646464>This supersedes ''<​color #​009B9B>​nscertype</​color>''​ options (''<​color #​009B9B>​ns</​color>''​ in ''<​color #​009B9B>​nscertype</​color>''​ stands for NetScape [browser])</​color>​\\ \\ +      - This supersedes ''<​color #​009B9B>​nscertype</​color>''​ options (''<​color #​009B9B>​ns</​color>''​ in ''<​color #​009B9B>​nscertype</​color>''​ stands for NetScape [browser])\\ \\ 
-  - <color #4B4B4B>**clientAuth**</​color>​ +  - **clientAuth** 
-    - <color #646464>All VPN clients //must// be signed with this EKU present</​color>​ +    - All VPN clients //must// be signed with this EKU present 
-      - <color #646464>SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only</​color>​\\ \\ +      - SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only\\ \\ 
-  - <color #4B4B4B>**codeSigning**</​color>​ +  - **codeSigning** 
-    - <color #646464>Code Signing</​color>​\\ \\ +    - Code Signing\\ \\ 
-  - <color #4B4B4B>**emailProtection**</​color>​ +  - **emailProtection** 
-    - <color #646464>Email Protection via S/MIME, allows you to send and receive encrypted emails</​color>​\\ \\ +    - Email Protection via S/MIME, allows you to send and receive encrypted emails\\ \\ 
-  - <color #4B4B4B>**timeStamping**</​color>​ +  - **timeStamping** 
-    - <color #646464>Trusted Timestamping</​color>​\\ \\ +    - Trusted Timestamping\\ \\ 
-  - <color #4B4B4B>**OCSPSigning**</​color>​ +  - **OCSPSigning** 
-    - <color #646464>OCSP Signing</​color>​\\ \\ +    - OCSP Signing\\ \\ 
-  - <color #4B4B4B>**ipsecIKE**</​color>​ +  - **ipsecIKE** 
-    - <color #646464>IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]</​color>​ +    - IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8] 
-      - <color #646464>Research needs to be performed to determine if this EKU should also no longer be utilized</​color>​ +      - Research needs to be performed to determine if this EKU should also no longer be utilized 
-      - <color #646464>''<​color #​009B9B>​clientAuth</​color>''​ can be utilized in a IPSec VPN client cert</​color>​\\ \\ +      - ''<​color #​009B9B>​clientAuth</​color>''​ can be utilized in a IPSec VPN client cert\\ \\ 
-  - <color #4B4B4B>**ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**</​color>​+  - **ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**
     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​
-      - <color #646464>Assigned in 1999, the semantics of these values were never clearly defined</​color>​ +      - Assigned in 1999, the semantics of these values were never clearly defined 
-      - <color #7D7D7D>**RFC 4945:**</​color>​ <color #646464>The use of these three EKU values is obsolete and explicitly deprecated by this specification</​color> ​<​sup><​color #7D7D7D>​[5.1.3.12]</​color></​sup>​\\ \\ +      - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <​sup><​color #646464>​[5.1.3.12]</​color></​sup>​\\ \\ 
-  - <color #4B4B4B>**msCodeInd**</​color>​ +  - **msCodeInd** 
-    - <color #646464>Microsoft Individual Code Signing (authenticode)</​color>​\\ \\ +    - Microsoft Individual Code Signing (authenticode)\\ \\ 
-  - <color #4B4B4B>**msCodeCom**</​color>​ +  - **msCodeCom** 
-    - <color #646464>Microsoft Commerical Code Signing (authenticode)</​color>​\\ \\ +    - Microsoft Commerical Code Signing (authenticode)\\ \\ 
-  - <color #4B4B4B>**mcCTLSign**</​color>​ +  - **mcCTLSign** 
-    - <color #646464>Microsoft Trust List Signing</​color>​\\ \\ +    - Microsoft Trust List Signing\\ \\ 
-  - <color #4B4B4B>**msEFS**</​color>​ +  - **msEFS** 
-    - <color #646464>Microsoft Encrypted File System Signing</​color>​\\ \\+    - Microsoft Encrypted File System Signing\\ \\
  
  
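Review bot: "mcCTLSign" is a typo; the OpenSSL extended key usage short name is msCTLSign (Microsoft Trust List Signing), in line with msCodeInd, msCodeCom and msEFS around it. The ipsecIKE item leaves open whether it should "also no longer be utilized", yet the RFC 4945 section 5.1.3.12 cited two items later is the text that defines id-kp-ipsecIKE and deprecates only ipsecEndSystem, ipsecTunnel and ipsecUser, so that question can be closed from the same reference. Also "Commerical" under msCodeCom should be "Commercial", and "a IPSec VPN client cert" should be "an IPSec VPN client cert".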
Line 247: Line 260:
 <color #​508CAA>​**Key Exchange**</​color>​ <color #​508CAA>​**Key Exchange**</​color>​
  
-  - <color #4B4B4B>**RSA**</​color>​ +  - **RSA** 
-    - <color #646464>Key exchange occurs via encryption of a random value</​color>​ +    - Key exchange occurs via encryption of a random value 
-      - <color #646464>Client chooses a random value via the server public key</​color>​ +      - Client chooses a random value via the server public key 
-      - <color #646464>Server public key must be an RSA key</​color>​ +      - Server public key must be an RSA key 
-      - <color #646464>Server certificate must utilize KU ''<​color #​009B9B>​keyAgreement</​color>''​</​color>​\\ \\ +      - Server certificate must utilize KU ''<​color #​009B9B>​keyAgreement</​color>''​\\ \\ 
-  - <color #4B4B4B>**DH_RSA**</​color>​ +  - **DH_RSA** 
-    - <color #646464>Key exchange occurs via a static Diffie-Hellman key</​color>​ +    - Key exchange occurs via a static Diffie-Hellman key 
-      - <color #646464>Server public key must be a Diffie-Hellman key</​color>​ +      - Server public key must be a Diffie-Hellman key 
-      - <color #646464>Diffie-Hellman key must have been issued by a CA</​color>​ +      - Diffie-Hellman key must have been issued by a CA 
-      - <color #646464>CA must be using an RSA key signing key</​color>​\\ \\ +      - CA must be using an RSA key signing key\\ \\ 
-  - <color #4B4B4B>**DH_DSA**</​color>​ +  - **DH_DSA** 
-    - <color #646464>Like ''<​color #​009B9B>​DH_RSA</​color>'',​ except CA used a DSA key in lieu of RSA</​color>​\\ \\ +    - Like ''<​color #​009B9B>​DH_RSA</​color>'',​ except CA used a DSA key in lieu of RSA\\ \\ 
-  - <color #4B4B4B>**DHE_RSA**</​color>​ +  - **DHE_RSA** 
-    - <color #646464>Key exchange occurs via an ephemeral Diffie-Hellman</​color>​ +    - Key exchange occurs via an ephemeral Diffie-Hellman 
-      - <color #646464>Server dynamically generates & signs a DH public key, sending it to the client</​color>​ +      - Server dynamically generates & signs a DH public key, sending it to the client 
-      - <color #646464>Server Public Key must be an RSA key</​color>​ +      - Server Public Key must be an RSA key 
-      - <color #646464>Server certificate must utilize KU ''<​color #​009B9B>​digitalSignature</​color>''​</​color>​\\ \\ +      - Server certificate must utilize KU ''<​color #​009B9B>​digitalSignature</​color>''​\\ \\ 
-  - <color #4B4B4B>**DHE_DSA**</​color>​ +  - **DHE_DSA** 
-    - <color #646464>Like ''<​color #​009B9B>​DHE_RSA</​color>'',​ except CA used a DSA key in lieu of RSA</​color>​+    - Like ''<​color #​009B9B>​DHE_RSA</​color>'',​ except CA used a DSA key in lieu of RSA
  
  
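Review bot: Under RSA, "Server certificate must utilize KU keyAgreement" is incorrect for RSA key exchange: the client encrypts the premaster secret with the server's RSA public key, so the applicable key usage is keyEncipherment (described in the keyUsage tab as encrypting a symmetric key that is transferred to the target); keyAgreement belongs to the Diffie-Hellman variants listed below it. The preceding line "Client chooses a random value via the server public key" would read more precisely as "Client chooses a random value and encrypts it with the server public key".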
Line 271: Line 284:
 <color #​508CAA>​**Elliptic-Curve Key Exchange**</​color>​ <color #​508CAA>​**Elliptic-Curve Key Exchange**</​color>​
  
-  - <color #4B4B4B>**ECDH_ECDSA**</​color>​ +  - **ECDH_ECDSA** 
-    - <color #646464>Like DH_DSA, but with elliptic curves</​color>​ +    - Like ''​<color #009B9B>DH_DSA</​color>''​, but with elliptic curves 
-      - <color #646464>Server public key must be an ECDH key</​color>​ +      - Server public key must be an ECDH key 
-      - <color #646464>Server certificate must be issued by a CA utilizing an ECDSA public key</​color>​\\ \\ +      - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\ 
-  - <color #4B4B4B>**ECDH_RSA**</​color>​ +  - **ECDH_RSA** 
-    - <color #646464>Like ''<​color #​009B9B>​ECDH_ECDSA</​color>'',​ except CA used an RSA key</​color>​\\ \\ +    - Like ''<​color #​009B9B>​ECDH_ECDSA</​color>'',​ except CA used an RSA key\\ \\ 
-  - <color #4B4B4B>**ECDHE_ECDSA**</​color>​ +  - **ECDHE_ECDSA** 
-    - <color #646464>Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key</​color>​ +    - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key 
-      - <color #646464>Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature</​color>​\\ \\ +      - Equivalent to ''​<color #009B9B>DHE_DSS</​color>''​, but with elliptic curves for both the Diffie-Hellman & signature\\ \\ 
-  - <color #4B4B4B>**ECDHE_RSA**</​color>​ +  - **ECDHE_RSA** 
-    - <color #646464>Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key</​color>​ +    - Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key 
-      - <color #646464>Server public key signs the ephemeral EC Diffie-Hellman key</​color>​+      - Server public key signs the ephemeral EC Diffie-Hellman key
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
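Review bot: Naming is inconsistent between the two key-exchange tabs: ECDHE_ECDSA is described as "Equivalent to DHE_DSS", while the Key Exchange tab calls the same suite DHE_DSA; pick one (DHE_DSS is the TLS cipher-suite name) and use it in both tabs. Also "signing it via it's ECDSA key" should be "its".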
Line 291: Line 304:
 === CA Creation === === CA Creation ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 297: Line 310:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
-  - <color #646464>**Certificate Authorities** <​sup>​[Line ​228]</sup></​color+  - **Certificate Authorities** <​sup>​[Line ​177]</​sup>​ 
-    - <color #​4B4B4B4>​//Main//</​color>​ +    - //Main// 
-      - <color #646464>**Line ​234:**</​color> ​''<​color #​647D00>​DNS.1 = Router.1</​color>''​ +      - **Line ​183:** ''<​color #​647D00>​DNS.1 = //Router.1//</​color>''​ 
-        * <color #646464>//Change//</​color> ​''<​color #506400>//Router.1//</​color>'' ​<color #646464>//to what you'd like the name of your Certificate Authority to be//</​color>​\\ \\ +        * //Change// ''<​color #007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\ 
-  - <color #646464>**Certificate Authority Clients** <​sup>​[Line ​253]</sup></color+  - **Certificate Authority Clients** <sup><​color #646464>​[Line ​205]</color></sup
-    - <color #​4B4B4B4>​//Servers//</​color>​ +    - //​Servers//​ 
-      * <color #646464>**Lines:​** ​259 281</​color>​ +      * **Lines:​** ​198 220 
-    - <color #​4B4B4B4>​//Clients//</​color>​ +    - //​Clients//​ 
-      * <color #646464>**Lines:​** ​283 287</​color>​\\ \\ +      * **Lines:​** ​222 226\\ \\
-  - <color #​646464>​**Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ca_main</​color>''​ **to** ''<​color #​647D00>​alt_ca_openwrt</​color>''</​color>​ <​sup><​color #​646464>​[lines 233, 353, & 357]</​color></​sup>​ +
-    - <color #​646464>​**Line 233:** ''<​color #​647D00>​[ alt_ca_openwrt ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 353:** ''<​color #​647D00>​[ v3_ca_openwrt ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 357:** ''<​color #​647D00>​subjectAltName = @alt_ca_openwrt</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
  
Line 319: Line 328:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_openwrt</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​
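Review bot: The extensions section in Generate CA changes from v3_ca_openwrt to v3_ca, consistent with the rename step removed from the prerequisites above; confirm v3_ca is the CA profile name in the linked openssl.cnf, since openssl req -x509 fails if the named section is absent. Both commands use the relative path -config ./openssl.cnf, so they only work when run from /etc/ssl as set up by the cd in Prerequisites; worth stating once above the list.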
Line 330: Line 339:
 === ICA Creation === === ICA Creation ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 337: Line 345:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
-  - <color #646464>**Certificate Authorities** <​sup>​[Line ​228]</sup></color+  - **Certificate Authorities** <sup><​color #646464>​[Line ​177]</color></sup
-    - <color #4B4B4B>//Router 2//</​color>​ +    - //Router 2// 
-      - <color #646464>**Line ​239:**</​color> ​''<​color #​647D00>​DNS.1 = Router.2</​color>''​ +      - **Line ​188:** ''<​color #​647D00>​DNS.1 = //Router.2//</​color>''​ 
-        * <color #646464>//Change ''<​color #647D00>​Router.2</​color>''​ to what you'd like the name of your Intermediate CA to be//</​color>​\\ \\ +        * //Change// ''<​color #007DC8>​Router.2</​color>'' ​//to what you'd like the name of your Intermediate CA to be//\\ \\ 
-  - <color #646464>**Intermediate Certificate Authority Clients** <​sup>​[Line ​290]</sup></color+  - **Intermediate Certificate Authority Clients** <sup><​color #646464>​[Line ​229]</color></sup
-    - <color #​4B4B4B4>​//Servers//</​color>​ +    -//​Servers//​ 
-      * <color #646464>**Lines:​** ​296 312</​color>​ +      * **Lines:​** ​235 251 
-    - <color #​4B4B4B4>​//Clients//</​color>​ +    - //​Clients//​ 
-      * <color #646464>**Lines:​** ​314 322:</​color>​\\ \\ +      * **Lines:​** ​253 261:\\ \\
-  - <color #​646464>​**Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ica_router2</​color>''​ **to** ''<​color #​647D00>​alt_ica_openvpn</​color>''</​color>​ <​sup>​[lines 238, 360, & 364]</​sup>​ +
-    - <color #​646464>​**Line 238:** ''<​color #​647D00>​[ alt_ica_openvpn ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 360:** ''<​color #​647D00>​[ v3_ica_openvpn ]</​color>''</​color>​ +
-    - <color #​646464>​**Line 364:** ''<​color #​647D00>​subjectAltName = @alt_ica_openvpn</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
  
Line 359: Line 363:
 <color #​508CAA>​**ICA OpenSSL Commands**</​color>​ <color #​508CAA>​**ICA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​
   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​
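Review bot: In Generate Intermediate CA CSR, -days 3650 has no effect: openssl req only honours -days together with -x509, and the ICA's validity is actually set by the -days on the openssl x509 -req signing command in the next step. Likewise, OpenSSL 1.x only applies -extensions in openssl req when -x509 is given (request extensions use -reqexts), which is harmless here because the signing step re-applies v3_ica_router2 through -extfile ./openssl.cnf. The change from v3_ica_openvpn to v3_ica_router2 in both commands is consistent with the removed rename step in the prerequisites.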
Line 371: Line 375:
 === Index File === === Index File ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
  
 <tabbox Info> <tabbox Info>
Line 377: Line 381:
 <color #​508CAA>​**Index Info**</​color>​ <color #​508CAA>​**Index Info**</​color>​
  
-  * <color #4B4B4B>**If wishing to maintain the index file automatically,​** ''​openssl ca''​ **must be used to sign certs**</​color>​ +  * **If wishing to maintain the index file automatically,​** ''​<color #647D00>openssl ca</​color>​''​ **must be used to sign certs** 
-    * <color #646464>''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity</​color>​\\ \\+    * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
  
  
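Review bot: the Index Info tab says ''openssl ca'' is not used for signing, yet the Generate ICA CRL step above runs ''openssl ca -gencrl -config ./openssl.cnf'', which reads the index file named by the config's ''database'' setting to decide which serials go into the CRL. Because signing is done with ''openssl x509 -req'', nothing ever writes that index, so every revocation must be entered by hand (status ''R'' plus revocation date) before ''-gencrl'' is re-run; otherwise the CRL stays empty and a revoked client cert keeps connecting. Suggest saying so explicitly in this tab, since the manual-maintenance tab is easy to skip.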
Line 386: Line 390:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format**</​color>​ +**Manually maintaining the index file consists of inputting 1 cert entry per line in the following format** 
-  * <color #646464>Entering certificate information into the index file takes ~30s per cert</​color>​ +  * Entering certificate information into the index file takes ~30s per cert 
-  * <color #646464>Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​</​color>​+  * Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​
 <code cpp> <code cpp>
-V    261231235959Z ​   0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com +V    261231235959Z ​           0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com 
-1    2-----------> ​   4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​+1    2-----------> ​   ​3-> ​    4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​
 </​WRAP>​ </​WRAP>​
-  - <color #4B4B4B>**Status of Certificate**</​color>​ +  - **Status of Certificate** 
-    - <color #646464>**''​V''​** [Valid]</​color>  ​ +    - **''​V''​** [Valid] 
-    - <color #646464>**''​R''​** [Revoked]</​color> ​ +    - **''​R''​** [Revoked] 
-    - <color #646464>**''​E''​** [Expired]</​color>​\\ \\ +    - **''​E''​** [Expired]\\ \\ 
-  - <color #4B4B4B>**Expiration Date**</​color> ​ +  - **Expiration Date** 
-    - <color #646464>Format: **''​YYMMDDHHMMSS''​** followed by **''​Z''​**</​color>​ +    - Format: **''​YYMMDDHHMMSS''​** followed by **''​Z''​** 
-      * <color #646464>//​2026.12.31 @ 23:59:59//</​color>​\\ \\ +      * //​2026.12.31 @ 23:​59:​59//​\\ \\ 
-  - <color #4B4B4B>**Revocation Date**</​color> ​ +  - **Revocation Date** 
-    - <color #646464>Format: **''​YYMMDDHHMMSSZ,​reason''​**</​color>​ +    - Format: **''​YYMMDDHHMMSSZ,​reason''​** 
-      - <color #4B4B4B>Valid reasons are:</​color>​+      - Valid reasons are:
         - ''<​color #​009B9B>​keyCompromise</​color>''​         - ''<​color #​009B9B>​keyCompromise</​color>''​
         - ''<​color #​009B9B>​CACompromise</​color>''​         - ''<​color #​009B9B>​CACompromise</​color>''​
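Review bot: the format example separates the six fields with runs of spaces, but ''openssl ca'' (including ''-gencrl'') parses the index as tab-separated columns, so a hand-maintained file with spaces will not load, which is likely what the "certain distros were erroring out" remark below refers to. Suggest stating that fields are separated by single tab characters and that the revocation column (field 3) is left empty, giving two adjacent tabs, for a valid cert; this revision's added ''3->'' marker in the legend line is the right place to say it. The DN attribute OpenSSL itself writes for the e-mail component is ''emailAddress'', so the example's ''emailaddress='' should be corrected to match what ''openssl x509 -text'' prints.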
Line 411: Line 415:
         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​
         - ''<​color #​009B9B>​AACompromise</​color>''​         - ''<​color #​009B9B>​AACompromise</​color>''​
-    - <color #646464>Empty if not revoked</​color>​\\ \\ +    - Empty if not revoked 
-  - <color #4B4B4B>**Serial number** <​sup>​(//​hex//​ format)</​sup></color+      * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\ 
-    - <color #646464>**''​0a''​** is hex for 10</​color>​ +  - **Serial number** <sup><​color #646464>​(//​hex//​ format)</​color></sup
-      - <color #646464>**Windows:​**</​color> ​ +    - **''​0a''​** is hex for 10 
-        * <color #646464>Calculator has programmer feature which can convert dec <-> hex</​color>​ +      - **Windows:​** 
-      - <color #646464>**Linux/​BSD**</​color> ​ +        * Calculator has programmer feature which can convert dec <-> hex 
-        * <color #646464>cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​</​color> ​ +      - **Linux/​BSD** 
-        * <color #646464>cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​</​color> ​\\ \\ +        * cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​ 
-  - <color #4B4B4B>**Certificate Filename or Literal String**</​color>​ +        * cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​ \\ \\ 
-    - <color #646464>Certificate Filename or Literal String **''​unknown''​**</​color>​\\ \\ +  - **Certificate Filename or Literal String** 
-  - <color #4B4B4B>**Distinguished Name**</​color>​+    - Certificate Filename or Literal String **''​unknown''​**\\ \\ 
 +  - **Distinguished Name**
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
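Review bot: for the Serial number item, the hex serial entered in the index (''0a'' in the example) has to be the serial the signing step actually wrote into the certificate, i.e. the value ''openssl x509 -req -CAserial ./serial'' assigned at issue time, which ''openssl x509 -in cert -noout -serial'' prints. If the two disagree, a revocation entered in the index names the wrong certificate and ''-gencrl'' will not revoke the intended client. Suggest adding that check to this step and noting that a revocation is recorded by changing the status field to ''R'' and filling column 3, not by deleting the line.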
Line 427: Line 432:
 === Server Cert === === Server Cert ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 434: Line 438:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
 <WRAP indent> <WRAP indent>
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</​color> ​<sup><​color #646464>​(Line ​290)</​color>​</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​229)</​sup>​ 
-    - <color #4B4B4B>//Change the SAN alt name ''<​color #​647D00>​alt_vpn_server2</​color>''​ to ''<​color #​647D00>​alt_openvpn_server</​color>''//</​color>​ +    - //Change the server'SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>'' ​//to match your VPN Server IP// 
-      - <color #​646464>​**Line 310:** ''<​color #​647D00>​[ alt_openvpn_server ]</​color>''</​color>​\\ \\ +      - **Line ​250:** ''<​color #​647D00>​IP.1 = //10.0.1.1//</​color>''​\\ \\ 
-    - <color #​4B4B4B>//​Change the SAN IP from ''<​color #​647D00>​10.0.1.1</​color>''​ to match your VPN Server IP//</​color>​ +    - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>'' ​//to match your own DDNS and/or FQDN// 
-      - <color #646464>**Line ​311:** ''<​color #​647D00>​IP.1 = 10.0.1.1</​color>''​</​color>​\\ \\ +      - **Line ​251:** ''<​color #​647D00>​DNS.1 = //your.ddns.com//</​color>''​ 
-    - <color #4B4B4B>//Change the SAN DNS from ''<​color #​647D00>​your.ddns.com</​color>''​ to match your own DDNS and/or FQDN//</​color>​ +        * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
-      - <color #646464>**Line ​312:** ''<​color #​647D00>​DNS.1 = your.ddns.com</​color>''​</​color>​ +
-        * <color #646464>//For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)</​color>​ +
- +
-**__V3 Profile__** +
- +
-  - <color #​4B4B4B>​**Intermediate Certificate Authority Clients**</​color>​ <​sup><​color #​646464>​(Line 473)</​color></​sup>​ +
-    - <color #​4B4B4B>//​Change the V3 profile name from ''<​color #​647D00>​[ v3_vpn_server2 ]</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 496:** ''<​color #​647D00>​[ v3_openvpn_server ]</​color>''</​color>​\\ \\ +
-    - <color #​4B4B4B>//​Change the SAN alt name from ''<​color #​647D00>​@alt_vpn_server2</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 502:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_server</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
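Review bot: the Prerequisites steps now locate the SAN entries by openssl.cnf line numbers (Line 229, 250, 251; the previous revision said 290, 310 to 312), so the instructions drift every time the referenced openssl.cnf changes. Since this revision also dropped the V3 Profile sub-steps, suggest identifying the entries by section header and key (the ''IP.1 ='' and ''DNS.1 ='' lines under the SubjectAltNames section that the ''v3_vpn_server'' profile points to) instead of by line. It would also help to say what the SAN buys: OpenVPN clients only compare the server cert's name when ''verify-x509-name'' is set, and the server/client role check comes from the extensions in the V3 profile, so the profile rename must be kept in step with the SAN section it references.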
Line 462: Line 456:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - <color #4B4B4B>**Generate VPN Server CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​ +  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​ 
-    * <color #4B4B4B>**''​-nodes''​**</​color>​ <color #4B4B4B>creates a signing key without encryption</​color>​ +    * **''​-nodes''​** creates a signing key without encryption 
-      * <color #646464>For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention</​color>​\\ \\ +      * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\ 
-  - <color #4B4B4B>**Create & Sign Cert with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​ +  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​ 
-  - <color #4B4B4B>**Export to PKCS12**</​color>​\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
-    * <color #​4B4B4B4>​ICA is still used to sign the certs it issues</​color>​ +    * ICA is still used to sign the certs it issues 
-      * <color #646464>ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust</​color>​ +      * ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust 
-        * <color #646464>//Chain of Trust hierarchy: CA -> Intermediate CA -> Client//</​color>​+        * //Chain of Trust hierarchy: CA -> Intermediate CA -> Client//
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
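Review bot: the second step is titled "Create & Sign Cert with CA" but signs with the ICA (''-CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key''), which is the intended chain per the "CA -> Intermediate CA -> Client" bullet below; rename it "Sign Cert with ICA". Because ''-nodes'' leaves ''openvpn/vpn-server.key.pem'' unencrypted and the red note says not to encrypt ''vpn-server.p12'' either, both files hold the server's private key in the clear; the ''chmod 600 /etc/ssl/openvpn/*'' in the Backup tab covers them, but state here that they must stay 0600, root-owned, and never leave the router. As on the ICA step, ''-days 3650'' on the ''req'' line is ignored without ''-x509''; the lifetime is set by the signing command.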
Line 477: Line 471:
 === Client Certs === === Client Certs ===
  
-<WRAP 75em lo> +<​WRAP ​indent ​75em lo> 
-<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap>​+<WRAP centeralign>​<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap></​WRAP>
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
Line 485: Line 479:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**Modify the following SubjectAltNames & V3 Profiles**</​color>​+**Modify the following SubjectAltNames & V3 Profiles**
  
 <WRAP indent> <WRAP indent>
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - <color #4B4B4B>**Intermediate Certificate Authority Clients**</​color> ​<​sup><​color #​646464>​(Line ​290)</​color></​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​229)</​color></​sup>​ 
-    - <color #4B4B4B>//Change the SAN alt name ''<​color #​647D00>​alt_vpn2_user1''​ to ''​alt_openvpn_//<​username>//</​color>''//</​color>​ +    - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>'' ​//to match client username//​ 
-      - <color #​646464>​**Line 315:** ''<​color #​647D00>​[ alt_openvpn_//<​username>//​ ]</​color>''</​color>​\\ \\ +      - **Line ​255:** ''<​color #​647D00>​DNS.1 = //VPN-<​username>​-Hostname//</​color>''​ 
-    - <color #​4B4B4B>//​Change the SAN DNS from ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ to match client username//</​color>​ +        * //This makes configuring CCD more convenient//​\\ \\ 
-      - <color #646464>**Line ​316:** ''<​color #​647D00>​DNS.1 = VPN-//<​username>//​-Hostname</​color>''​</​color>​ +    - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>'' ​//to user's email// 
-        * <color #646464>//This makes configuring CCD more convenient//​</​color>​\\ \\ +      - **Line ​256** ''<​color #​647D00>​email.1 = //user1@email.com//</​color>''​
-    - <color #4B4B4B>//Change the SAN email from ''<​color #​647D00>​user1@email.com</​color>''​ to user's email//</​color>​ +
-      - <color #646464>**Line ​317:** ''<​color #​647D00>​email.1 = user1@email.com</color>''<​/color> +
- +
-**__V3 Profile__** +
- +
-  - <color #​4B4B4B>​**Intermediate Certificate Authority Clients**</​color> ​<​sup><​color #​646464>​(Line 473)</​color></​sup>​ +
-    - <color #​4B4B4B>//​Change the V3 profile name from ''​<color #​647D00>​[ v3_vpn2_user1 ]</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 505:** ''<​color #​647D00>​[ v3_openvpn_//<​username>//​ ]</​color>''</​color>​\\ \\ +
-    - <color #​4B4B4B>//​Change the SAN alt name from ''<​color #​647D00>​@alt_vpn2_user1</​color>''​ to match alt name set above//</​color>​ +
-      - <color #​646464>​**Line 511:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_//<​username>//</​color>''</​color>​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
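Review bot: with the V3 Profile sub-steps removed, every client is now issued with the same ''-extensions v3_vpn2_user1'' section (see the Generate VPN Client Certs and Sign Cert commands below), so the SAN DNS (Line 255) and email (Line 256) edits described in this tab must be redone in openssl.cnf before each client is issued, or every client cert carries user1's SAN and the CCD convenience the page mentions is lost. The previous revision's per-username alt/V3 sections avoided that. Suggest either restoring a per-username section or stating explicitly that Lines 255/256 are edited and the CSR regenerated for each user.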
Line 514: Line 498:
 <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​
  
-  - <color #4B4B4B>**Generate VPN Client Certs**</​color>​\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #4B4B4B>**Sign Cert with CA**</​color>​\\ <code bash>​openssl x509 req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​ +  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​ 
-  - <color #4B4B4B>**Export to PKCS12**</​color>​\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
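Review bot: the Sign Cert with CA step signs client certs directly with the root CA (''-CA ca/OpenWrt-CA.crt.pem -CAkey ca/OpenWrt-CA.key'') while the server cert is signed by the ICA and the page's own chain is "CA -> Intermediate CA -> Client"; the root key is also named ''ca/OpenWrt-CA.key'' here but ''ca/OpenWrt-CA.key.pem'' in the ICA step, and the Export to PKCS12 step reads ''openvpn/clients/vpn-client1.key.pem'' and ''.crt.pem'' although the two commands before it wrote ''vpn-client1-<username>-<hostname>.key.pem'' and ''.crt.pem''. As written, signing either fails on the key path or produces a cert that the ''-certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem'' chain does not describe, and the export fails on the missing files. Suggest ''-CA ca/OpenVPN-ICA.crt.pem -CAkey ca/OpenVPN-ICA.key'' plus consistent filenames across the three commands. The ''openssl x509 req'' to ''openssl x509 -req'' fix in this revision is correct.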
Line 524: Line 508:
 === Diffie-Hellman Key === === Diffie-Hellman Key ===
  
-<WRAP 75em lo>+<​WRAP ​indent ​75em lo>
 <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​ <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​
 </​WRAP>​ </​WRAP>​
  
-<​WRAP ​53.5em lo>+<​WRAP ​51.5em lo>
  
-  - <color #4B4B4B>**Generate DH Key**</​color> ​<​sup><​color #​646464>​(executed from</​color> ​''<​color #​C86400>/​etc/​ssl/</​color>''​<color #646464>)</​color></​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​ +  - **Generate DH Key** <​sup><​color #​646464>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​color></​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​ 
-    * <color #4B4B4B>**Generating DH keys takes substantial amounts of time**</​color>​\\ \\     +    * **Generating DH keys takes substantial amounts of time**\\ \\     
-    * <color #4B4B4B>**You may wish to generate 3072bit and 4096bit DH keys as well**</​color>​ +    * **You may wish to generate 3072bit and 4096bit DH keys as well** 
-      * <color #646464>Generating multiple DH keys at once takes substantially less time due to the rand file</​color>​\\ \\ +      * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\ 
-    * <color #4B4B4B>**OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4**</​color>​ +    * **OpenVPN will add support for EC [//Elliptic Curve//] ciphers in v2.4** 
-      * <color #646464>For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key</​color>​ +      * For EC, the Diffie-Hellman key must be generated with a value **//greater than//** the encryption key 
-        * <color #646464>For example, if you generate 2048bit cert keys, your dh.pem must exceed that value</​color>​+        * For example, if you generate 2048bit cert keys, your dh.pem must exceed that value
 </​WRAP>​ </​WRAP>​
  
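Review bot: two claims in the DH bullets need revising. "Generating multiple DH keys at once takes substantially less time due to the rand file" is not how ''dhparam'' works: its cost is the search for a safe prime of the requested size, each size is searched independently, and RNG seeding is not the bottleneck, so 3072- and 4096-bit parameters take far longer, not less. The EC bullet ("the Diffie-Hellman key must be generated with a value greater than the encryption key") also does not hold: when an EC curve is negotiated (the OpenVPN 2.4 ECDH support the bullet refers to) the ''dh2048.pem'' parameters are not used at all, so no size relation applies. The file is parameters, not a key, so "DH parameters" would be the accurate heading. Suggest keeping the "takes substantial time" bullet and the 2048-bit command and dropping the other two bullets.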
Line 542: Line 526:
 === TLS-Auth Key === === TLS-Auth Key ===
  
-<​WRAP ​53.5em lo>+<​WRAP ​51.5em lo>
  
-  - <color #4B4B4B>**Generate TLS-Auth key**</​color> ​<​sup><​color #646464>(executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​<color #646464>)</​color>​</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/ta.key</​code>​ +  - **Generate TLS-Auth key** <sup>(<color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/tls-auth.key</​code>​ 
-    ​* <color #​4B4B4B>​**This ensures ​PFS**</​color>​ <color #​646464>​[Perfect Forward Secrecy]</​color>​ <color #4B4B4B>**is maintained when utilizing a SSL cipher**</​color>​\\ \\ +    * This ensures **P**erfect **F**orward **S**ecrecy ​is maintained when utilizing a SSL cipher\\ \\ 
-    * <color #4B4B4B>''​tls-auth'' ​**requires a static ​pre-shared key**</​color>​ <color #​646464>​[PSK]</​color><​color #4B4B4B>**, generated in advance, and shared among all clients**</​color>​ +    * ''​tls-auth''​ requires a static ​**P**re-**S**hared **K**ey, generated in advance, and shared among all clients 
-      * <color #646464>This requires incoming packets to have a valid signature generated using the PSK key</​color>​ +      * This requires incoming packets to have a valid signature generated using the PSK key 
-        * <color #646464>If key is changed, it must be changed on all clients at the same time (no support for rollover)</​color>​\\ \\+        * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\
 </​WRAP>​ </​WRAP>​
  
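Review bot: the first bullet ("This ensures PFS is maintained") misdescribes ''tls-auth''; the second and third bullets describe it correctly: it is a pre-shared HMAC key that signs every control-channel packet, so packets without a valid signature are dropped before the TLS handshake, which shields the TLS stack from unauthenticated probes and resource exhaustion. Forward secrecy comes from the DH/ECDH key exchange of the previous section, not from this key, so replace the PFS sentence accordingly. This revision also renames the output from ''openvpn/ta.key'' to ''openvpn/tls-auth.key''; the server and client config sections that reference the file need the same rename, and because the key is shared by every client it must be distributed with the same care as the client p12 (it lives in ''/etc/ssl/openvpn/'', so the Backup tab's ''chmod 600'' applies).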
Line 557: Line 541:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap>​+<WRAP centeralign>​<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap></​WRAP>
  
 <tabbox Backup> <tabbox Backup>
Line 564: Line 548:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**Create a backup:**</​color>​ +**Create a backup:** 
-  - <color #4B4B4B>**Apply correct permissions:​**</​color>​\\ <code bash>+  - **Apply correct permissions:​**\\ <code bash>
 chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​ chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​
-  - <color #4B4B4B>**Utilize GnuPG to encrypt a copy of**</​color> ​''<​color #​C86400>/​etc/​ssl/</​color>''​ +  - **Utilize GnuPG to encrypt a copy of** ''<​color #​C86400>/​etc/​ssl/</​color>''​ 
-    - <color #646464>**Create separate encryption tars for:**</​color> ​+    - **Create separate encryption tars for:**
       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​
       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​
       * ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​\\ \\       * ''<​color #​C86400>/​etc/​ssl/​openvpn/​clients/</​color>''​\\ \\
-    - <color #646464>**After creating encrypted backups:**</​color>​ +    - **After creating encrypted backups:​** 
-      - <color #646464>Copy p12s to their respective clients</​color>​ +      - Copy p12s to their respective clients 
-      - <color #646464>Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x</​color>​\\ \\ +      - Securely erase unencrypted client, CA, & ICA keys and PKCS12s, overwriting freespace at least 5x\\ \\ 
-  - <color #4B4B4B>**Add directories & files to**</​color> ​''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​+  - **Add directories & files to** ''<​color #​C86400>/​etc/​sysupgrade.conf</​color>''​
     - //''<​color #​647D00>​vi /​etc/​sysupgrade.conf</​color>''//​     - //''<​color #​647D00>​vi /​etc/​sysupgrade.conf</​color>''//​
       - <color #​789600>​**//​Add://​**</​color>​       - <color #​789600>​**//​Add://​**</​color>​
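Review bot: the "Securely erase ... overwriting freespace at least 5x" step gives a false sense of security on the hardware this page targets: an OpenWrt router's root filesystem sits on flash (squashfs plus a JFFS2 or UBI overlay) where wear levelling means overwriting a file does not overwrite the physical blocks that held its previous contents, so the only reliable approach is to generate the CA and client material on a separate host and copy to the router only what the server needs. Adding ''/etc/ssl/'' to ''/etc/sysupgrade.conf'' also embeds the private keys in every sysupgrade backup archive, which then has to be protected like the keys themselves; say so next to that step. The ''chmod'' line is correct in intent; consider adding ''chown root:root'' and making ''/etc/ssl/ca'' itself 0700 so directory listings are not readable by unprivileged users.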
Line 604: Line 588:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**If utilizing Linux/​BSD:​**</​color>​ +**If utilizing Linux/​BSD:​** 
-  * <color #4B4B4B>Due to the sheer number of distros, and differing means of handling certificate authorities,​ please google:</​color>​ +  * Due to the sheer number of distros, and differing means of handling certificate authorities,​ please google: 
-    - <color #646464>//<your distro name>// install certificate authority</​color>​ +    - //<your distro name>// install certificate authority 
-    - <color #646464>//<your distro name>// install intermediate certificate authority</​color>​+    - //<your distro name>// install intermediate certificate authority
 </​WRAP>​ </​WRAP>​
  
Line 616: Line 600:
 <WRAP indent> <WRAP indent>
  
-<color #4B4B4B>**If utilizing Windows:**</​color>​ +**If utilizing Windows:​** 
-    - <color #4B4B4B>**Download**</​color> ​<color #​C86400>​PEM Association.reg</​color><​color #4B4B4B>**, then import into registry**</​color> ​<​sup><​color #​646464>​(//​Right Click// -> //​Merge//​)</​color></​sup>​ +    - **Download** <color #​C86400>​PEM Association.reg</​color>​**,​ then import into registry** <​sup><​color #​646464>​(//​Right Click// -> //​Merge//​)</​color></​sup>​ 
-      * <color #646464>//This causes Windows to associate the .pem extension as a valid certificate extension//</​color>​\\ \\ +      * //This causes Windows to associate the .pem extension as a valid certificate extension//​\\ \\ 
-    - <color #4B4B4B>**Add your CA cert to the //Trusted Root Certification Authorities//​**</​color> ​<​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ +    - **Add your CA cert to the //Trusted Root Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ 
-      - <color #646464>//Right click on//</​color> ​<color #​C86400>​OpenWrt-CA.crt.pem</​color>:​+      - //Right click on// <color #​C86400>​OpenWrt-CA.crt.pem</​color>:​
         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\
-    - <color #4B4B4B>**Add your ICA cert to the //​Intermediate Certification Authorities//​**</​color> ​<​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ +    - **Add your ICA cert to the //​Intermediate Certification Authorities//​** <​sup><​color #​646464>​(user must have //​Administrator//​ privileges)</​color></​sup>​ 
-      - <color #646464>//Right click on//</​color> ​<color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​+      - //Right click on// <color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​
         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​         - <color #​7D7D7D>​**//​Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​
 </​WRAP>​ </​WRAP>​
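Review bot: for the "Add your CA cert to the Trusted Root Certification Authorities" step, importing a private root CA into the Local Machine store makes it trusted by every Windows application (browsers, updaters, code signing), not only OpenVPN, so a compromise of ''OpenWrt-CA.key'' would let whoever holds it forge certificates the client accepts for any site. OpenVPN validates the server chain with the CA material supplied in its own config (the Export to PKCS12 steps bundle the chain via ''-certfile''), so neither store import is required for the VPN to work. Suggest marking both store steps optional and explaining the trust scope; the PEM Association.reg step is then unnecessary as well.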
Line 646: Line 630:
 <WRAP 60em lo> <WRAP 60em lo>
  
-  - <color #4B4B4B>**Create VPN interface**</​color>​\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​ +  - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​ 
-    - <color #4B4B4B>You can replace</​color> ​''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>'' ​<color #4B4B4B>with</​color> ​''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​ +    - You can replace ''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>''​ with ''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​ 
-      - <color #646464>If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https://​wiki.openwrt.org/​doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]</​color>​\\ \\ +      - If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https://​wiki.openwrt.org/​doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]\\ \\ 
-    - <color #646464>You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​</​color>​ +    - You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​ 
-      - <color #646464>If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]</​color>​\\ \\ +      - If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]\\ \\ 
-  - <color #4B4B4B>**Commit changes**</​color>​\\  <code cpp>uci commit network ; /​etc/​init.d/​network reload</​code>​+  - **Commit changes**\\ ​ <code cpp>uci commit network ; /​etc/​init.d/​network reload</​code>​
  
 </​WRAP>​ </​WRAP>​
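Review bot: the Firewall Rules link in sub-step 1.1 is malformed, the anchor has a full URL embedded in it (''#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules''); it should be ''[[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]''. The Commit changes block is fenced as ''<code cpp>'' while the other command blocks use ''<code bash>''. With ''proto=none'' the ''vpn0'' interface carries no addressing of its own, which is correct for a ''tun0'' device that OpenVPN configures, but stating that this is expected would stop readers from adding a static address to it.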
Line 661: Line 645:
 <wrap right button>​[[doc:​howto:​ddns.client|DDNS Wiki]]</​wrap>​ <wrap right button>​[[doc:​howto:​ddns.client|DDNS Wiki]]</​wrap>​
  
-<wrap indent><​color #7D7D7D>​**//​Applies to connections from WAN//**</​color>​</​wrap>​ +<wrap indent>​**//​Applies to connections from WAN//​**</​wrap>​ 
-  - <color #4B4B4B>**A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs**</​color>​ +  - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs** 
-    - <color #646464>DDNS:</​color>​ +    - DDNS: 
-      * <color #646464>**D**ynamic **D**omain **N**ame **S**ervice providers provide the user with a dynamically updated DNS name for their public IP</​color>​ +      * **D**ynamic **D**omain **N**ame **S**ervice providers provide the user with a dynamically updated DNS name for their public IP 
-      * <color #646464>Purchasing occurs as a service subscription fee from DDNS providers</​color>​ +      * Purchasing occurs as a service subscription fee from DDNS providers 
-    - <color #646464>FQDN</​color>​ +    - FQDN 
-      * <color #646464>**F**ully **Q**ualified **D**omain **N**ame is a URL <​sup>​(google.com is a FQDN)</sup></color+      * **F**ully **Q**ualified **D**omain **N**ame is a URL <sup><​color #646464>​(google.com is a FQDN)</color></sup
-      * <color #646464>Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <​sup>​(//​Internet Assigned Numbers Authority//​)</​sup></color>\\ \\ +      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup><​color #646464>​(//​Internet Assigned Numbers Authority//​)</​color></sup>\\ \\ 
-  - <color #4B4B4B>**Most users will likely configure DDNS**</​color>​ +  - **Most users will likely configure DDNS** 
-    * <color #646464>See the [[doc:​howto:​ddns.client|DDNS Clients]] wiki</​color>​+    * See the [[doc:​howto:​ddns.client|DDNS Clients]] wiki
  
 </​WRAP>​ </​WRAP>​
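Review bot: "Fully Qualified Domain Name is a URL" conflates two things: a FQDN is a complete DNS host name (''google.com'' in the example); a URL adds a scheme and path. Suggest "is a complete DNS host name". It would also help to say that the DDNS or FQDN name chosen here is the same name that belongs in ''DNS.1'' of the server cert SAN (Server Cert prerequisites), so the two sections stay consistent.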
Line 689: Line 673:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap>​+<WRAP centeralign>​<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap></​WRAP>
  
 <tabbox Information>​ <tabbox Information>​
Line 695: Line 679:
 <color #​508CAA>​**Firewall Info**</​color>​ <color #​508CAA>​**Firewall Info**</​color>​
  
-  - <color #4B4B4B>**Traffic rules should be placed in the following order**</​color>​ +  - **Traffic rules should be placed in the following order** 
-    - <color #646464>Firewall.User Script</​color>​ +    - Firewall.User Script 
-    - <color #646464>Redirect Rules</​color>​ +    - Redirect Rules 
-    - <color #646464>Router Network Default</​color>​ +    - Router Network Default 
-    - <color #646464>VPN Network Default</​color>​ +    - VPN Network Default 
-    - <color #646464>VPN InterZone Forwarding</​color>​ +    - VPN InterZone Forwarding 
-    - <color #646464>VPN Traffic Rules</​color>​\\ \\ +    - VPN Traffic Rules\\ \\ 
-  - <color #4B4B4B>**Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes**</​color>​ +  - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes** 
-    - <color #646464>Allowing both prevents having to edit the firewall every time troubleshooting is needed</​color>​\\ \\ +    - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\ 
-  - <color #4B4B4B>**SSL VPNs should always use UDP**</​color>​ +  - **SSL VPNs should always use UDP** 
-    - <color #646464>//Except under the following two scenarios//</​color>​ +    - //Except under the following two scenarios//​ 
-      - <color #646464>When troubleshooting\\ **OR**</​color>​ +      - When troubleshooting\\ **OR** 
-      - <color #646464>When packet loss is high</​color>​\\ \\ +      - When packet loss is high\\ \\ 
-  - <color #4B4B4B>**A port >1025 but <10000 should be utilized for the VPN**</​color>​ +  - **A port >1025 but <10000 should be utilized for the VPN** 
-    - <color #646464>If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly</​color>+    - If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly 
 +      - If needing to bypass a strict firewall in front of the router, utilize port 443 <​sup>​[HTTPS]</sup>
  
  
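Review bot: the newly added last bullet ("If needing to bypass a strict firewall in front of the router, utilize port 443") contradicts the item it is nested under ("A port >1025 but <10000 should be utilized for the VPN") and the "SSL VPNs should always use UDP" rule two items up, because middleboxes that let 443 through normally do so for TCP only. State that the 443 case is a TCP exception, and that the firewall.user rules further down, which key on the chosen port number and protocol, have to be changed together with the server and client configs. Separately, "Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes" leaves a second listener exposed permanently for an occasional convenience; opening only the protocol actually configured in the server and adding the other one while troubleshooting is the safer default.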
Line 717: Line 702:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</​color>​+**The following rules are required:**
   - //''<​color #​647D00>​vi /​etc/​config/​firewall</​color>''//​\\ \\ <code cpp>   - //''<​color #​647D00>​vi /​etc/​config/​firewall</​color>''//​\\ \\ <code cpp>
 #::: Traffic Rules :::# #::: Traffic Rules :::#
Line 732: Line 717:
     option ​ path            '/​etc/​firewall.user'​     option ​ path            '/​etc/​firewall.user'​
  
-# Default ​OpenWRT ​Rule #+# Default ​OpenWrt ​Rule #
 config defaults config defaults
     option ​ input           '​ACCEPT'​     option ​ input           '​ACCEPT'​
Line 858: Line 843:
  
 </​code>​\\ ​ </​code>​\\ ​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​+  - **Commit changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​
 </​WRAP>​ </​WRAP>​
  
Line 869: Line 854:
  
 <WRAP indent> <WRAP indent>
-<color #4B4B4B>**The following rules are required:**</​color>​+**The following rules are required:**
   - //''<​color #​647D00>​vi /​etc/​firewall.user</​color>''//​\\ \\ <code cpp>   - //''<​color #​647D00>​vi /​etc/​firewall.user</​color>''//​\\ \\ <code cpp>
 #::: Traffic Rules :::# #::: Traffic Rules :::#
Line 875: Line 860:
  
   # These rules make the assumption the default port of 1194 is not used for the VPN   # These rules make the assumption the default port of 1194 is not used for the VPN
-   +    ​# Port 5000 is being used arbitrarily for the VPN port
-  ​# Port 5000 is being used arbitrarily for the VPN port+
     ​     ​
  
     # Establish Custom Zones #     # Establish Custom Zones #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-N ​ DROP-Brute +iptables ​   -N  LOG-VPN 
-iptables ​       ​-N  LOG-VPN +iptables ​   -N  Rate_Limit
-iptables ​       -N  Rate_Limit +
- +
-    # Log All Dropped # +
-#​--------------------------------------------------- +
-iptables ​       -A  DROP-Brute ​             -j  LOG     ​--log-prefix ​   "<​[[--- BRUTE DROPPED ---]]> : " ​       --log-level 4 +
-iptables ​       -A  DROP-Brute ​             -j  DROP+
  
     # Establish Rate Limit #     # Establish Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-A ​ Rate_Limit ​ -p  tcp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       ​-A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  tcp                                                     ​-j  REJECT ​     --reject-with ​  ​tcp-reset 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  udp                                                     ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable 
-iptables ​       -A  Rate_Limit ​ -p  tcp                                                                         ​-j  REJECT ​     --reject-with ​  ​tcp-reset +iptables ​   -A  Rate_Limit ​ !   ​-p ​     ICMP                                            -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " 
-iptables ​       -A  Rate_Limit ​ -p  udp                                                                         ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable +iptables ​   -A  Rate_Limit ​                                                             -j  DROP
-iptables ​       -A  Rate_Limit ​ !   ​-p ​     ICMP                                                                -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " +
-iptables ​       -A  Rate_Limit ​                                                                                 -j  DROP+
  
     # Apply Rate Limit #     # Apply Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ tcp     ​--dport ​    1194    ​-m ​ state   ​--state NEW -m  recent ​ --set +iptables ​   -I  INPUT       ​-p ​ tcp     ​--dport ​    5000    ​-m ​ state   ​--state NEW     ​-j ​ Rate_Limit 
-iptables ​   -w  -I  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   -j  Rate_Limit +iptables ​   -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW     ​-j ​ Rate_Limit
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ udp     --dport ​    ​1194 ​   -m  state   ​--state NEW -m  recent ​ --set +
-iptables ​   -w  -I  INPUT       ​-p ​ udp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   ​-j ​ Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ tcp     --dport ​    ​5000 ​   -m  state   ​--state NEW                                                         -j  Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW                                                         ​-j ​ Rate_Limit +
- +
-    # Check for bans in Rate_Limit # +
-#​--------------------------------------------------- +
-iptables ​   -w  -A  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   ​-j  Rate_Limit+
  
     # Log VPN Traffic #     # Log VPN Traffic #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       -A  LOG-VPN ​                                    ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 +iptables ​   -A  LOG-VPN ​                                                                ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 
-iptables ​       -A  LOG-VPN ​                                    ​-j  ACCEPT+iptables ​   -A  LOG-VPN ​                                                                ​-j  ACCEPT
  
 </​code>​\\ </​code>​\\
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ +  - **Commit changes**\\ <code cpp>/​etc/​init.d/​firewall restart</​code>​ 
-  - <color #646464>**Please also see:**</​color>​+  - **Please also see:**
     * [[doc:​howto:​log.essentials|Log Essentials]]     * [[doc:​howto:​log.essentials|Log Essentials]]
     * [[doc:​howto:​log.overview|Logging Servers]]     * [[doc:​howto:​log.overview|Logging Servers]]
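Review bot: with the `-m limit` / `-m recent` rules and the DROP-Brute chain removed, the Rate_Limit chain no longer limits anything: a NEW packet to port 5000 enters the chain from the two `-I INPUT ... --dport 5000` rules, matches `-j LOG-VPN`, is logged and ACCEPTed, and that is the end of its path. The "# Establish Rate Limit #" heading is therefore misleading, and the four trailing rules (the two REJECTs, the `! -p ICMP` LOG and the final DROP) are unreachable, since nothing but dport-5000 traffic is ever sent into the chain and LOG-VPN terminates with ACCEPT. Either put a limit test back in front of LOG-VPN (for example `-m limit --limit 1/min --limit-burst 1` or a per-source hashlimit) so that excess attempts fall through to the DROP tail, or rename the chain and delete the dead rules. Two smaller points: the `-j LOG` in LOG-VPN has no `-m limit`, so every new connection attempt writes a syslog line and a flood of attempts fills the log on /tmp; and the `-w` flags were dropped, so an iptables invocation that races another holder of the xtables lock at firewall restart exits non-zero and its rule is silently missing.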
Line 945: Line 913:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap></​WRAP>
  
 <tabbox Information>​ <tabbox Information>​
Line 951: Line 919:
 <color #​508CAA>​**OpenVPN Information**</​color>​ <color #​508CAA>​**OpenVPN Information**</​color>​
  
-  * <color #4B4B4B>**This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**</​color>​ +  * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations** 
-    * <color #646464>DNS primary & secondary are [[https://developers.google.com/speed/public-dns/​docs/​using|Google's]]</​color>​ +    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?​url=familyshield|OpenDNS']] 
-    * <color #646464>NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice</​color>​ +    * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice 
-      * <color #646464>NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds</​color>​\\ \\ +      * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\ 
-  * <color #4B4B4B>**//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN HowTo]] **to understand how it's used**</​color>​ +  * **//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN HowTo]] **to understand how it's used** 
-      * <color #646464>CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used</​color>​\\ \\ +      * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\ 
-  * <color #4B4B4B>**Two or more servers can be run from this config file**</​color>​ +  * **Two or more servers can be run from this config file** 
-    * <color #646464>To add additional servers, copy & paste first config directly below itself, with a blank line separating the two</​color>​\\ \\ +    * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\ 
-  * <color #4B4B4B>**The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**</​color>​+  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** ​\\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #​647D00>​option ​ tls_cipher</​color>​''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>''​
  
  
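Review bot: `openssl --show-tls` in the "Available TLS ciphers" bullet is not an openssl subcommand; the OpenVPN-style names accepted by tls_cipher are listed by `openvpn --show-tls`, while `openssl ciphers -V` prints the OpenSSL names. The bullet "EC ciphers are faster & more efficient to process than SSL ciphers" compares a key-exchange family with whole cipher suites; the accurate statement is that suites using ECDHE key exchange cost less than DHE or RSA key exchange at the same security level and give forward secrecy. "hierarchical, chronological order" should be "order of preference". In the unchanged NTP bullet, "accurate to within milliseconds" overstates the requirement: the TLS handshake only needs both clocks inside the certificates' validity window, the real reason to set NTP is that the router has no battery-backed clock and boots with a wrong date.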
Line 966: Line 943:
 <color #​508CAA>​**OpenVPN Server Config**</​color>​ <color #​508CAA>​**OpenVPN Server Config**</​color>​
  
-  - <color #4B4B4B>**Create config:**</​color>​\\ <code cpp>echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn</​code>​ +  - **Create config:**\\ <code cpp>echo > /​etc/​config/​openvpn ; vi /​etc/​config/​openvpn</​code>​ 
-    - <color #646464>**Paste the following & edit accordingly**</​color>​\\ \\ <code cpp>+    - **Paste the following & edit accordingly**\\ \\ <code cpp>
 config openvpn '​VPNserver'​ config openvpn '​VPNserver'​
- 
     option ​ enabled ​            1     option ​ enabled ​            1
  
Line 996: Line 972:
     list    push                '​dhcp-option ​   DNS 192.168.1.1'​     list    push                '​dhcp-option ​   DNS 192.168.1.1'​
     list    push                '​dhcp-option ​   WINS 192.168.1.1'​     list    push                '​dhcp-option ​   WINS 192.168.1.1'​
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​   DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'+    list    push                '​dhcp-option ​   DNS 208.67.220.123'
     list    push                '​dhcp-option ​   NTP 129.6.15.30'​     list    push                '​dhcp-option ​   NTP 129.6.15.30'​
  
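Review bot: the pushed resolvers 208.67.222.123 and 208.67.220.123 are OpenDNS FamilyShield, a content-filtering service, so the change alters behaviour for clients and not only the provider: some names will fail to resolve and the user will blame the VPN. The Information tab should name it as "OpenDNS FamilyShield (filtering)" and mention the unfiltered OpenDNS addresses 208.67.222.222 / 208.67.220.220 as the alternative. Note also that the list still pushes 192.168.1.1 first, so the router remains the primary resolver and the external ones are fallbacks, which contradicts "DNS primary & secondary are OpenDNS'".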
Line 1011: Line 987:
     option ​ cipher ​             AES-256-CBC     option ​ cipher ​             AES-256-CBC
     option ​ auth                '​SHA512'​     option ​ auth                '​SHA512'​
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​ta.key 0'+    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0'
     ​     ​
     # TLS:     # TLS:
     option ​ tls_server ​         1     option ​ tls_server ​         1
     option ​ tls_version_min ​    1.2     option ​ tls_version_min ​    1.2
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:​TLS-RSA-WITH-AES-256-CBC-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4+    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:!kRSA'
-    option ​ remote-cert-eku ​    '​TLS Web Client Authentication'+
  
     # Logging #      # Logging # 
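Review bot: removing `option remote-cert-eku 'TLS Web Client Authentication'` drops the server-side check that a connecting certificate carries the clientAuth extended key usage; with one CA issuing both server and client certificates, any certificate from that CA (a leaked server certificate included) can then authenticate as a client. The line was presumably deleted because UCI option names cannot contain hyphens (the openvpn init script maps `_` to `-`), so the fix is `option remote_cert_eku 'TLS Web Client Authentication'`, not removal; the client side of this revision keeps its own remote-cert-eku check. In the new tls_cipher string, `TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384` uses static (non-ephemeral) ECDH and gives no forward secrecy, the same property `!kRSA` at the end of the list is excluding for RSA key exchange; drop it and keep the ECDHE/DHE suites.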
Line 1023: Line 998:
     option ​ log_append ​         '/​tmp/​openvpn.log'​     option ​ log_append ​         '/​tmp/​openvpn.log'​
     option ​ status ​             '/​tmp/​openvpn-status.log'​     option ​ status ​             '/​tmp/​openvpn-status.log'​
-    option ​ verb                ​5+    option ​ verb                ​4
  
     # Connection Options #      # Connection Options # 
Line 1061: Line 1036:
     # chroot would be ~11MB in size.     # chroot would be ~11MB in size.
  
-    ​# Modify if chroot is configured #+        ​# Modify if chroot is configured #
     #​--------------------------------------------     #​--------------------------------------------
         # option ​ ccd_exclusive ​            1         # option ​ ccd_exclusive ​            1
Line 1070: Line 1045:
         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem
         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​ta.key 0'+        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​+  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​
  
  
Line 1079: Line 1054:
 <color #​508CAA>​**OpenVPN Server CCD Config**</​color>​ <color #​508CAA>​**OpenVPN Server CCD Config**</​color>​
  
-  - <color #4B4B4B>**Enable CCD within Server config:**</​color>​+  - **Enable CCD within Server config:**
     - //''<​color #​647D00>​vi /​etc/​config/​openvpn</​color>''//​ \\ <code cpp>     - //''<​color #​647D00>​vi /​etc/​config/​openvpn</​color>''//​ \\ <code cpp>
    ​option ​ ccd_exclusive ​          1    ​option ​ ccd_exclusive ​          1
Line 1085: Line 1060:
    ​option ​ client_config_dir ​      '/​etc/​openvpn/​clients/'​    ​option ​ client_config_dir ​      '/​etc/​openvpn/​clients/'​
 </​code>​ </​code>​
-      * ''<​color #​647D00>​ccd_exclusive</​color>'': ​<color #646464>enables CCD</​color>​ +      * ''<​color #​647D00>​ccd_exclusive</​color>'':​ enables CCD 
-      * ''<​color #​647D00>​client_config_dir</​color>'': ​<color #646464>Directory housing CCD client files</​color>​ +      * ''<​color #​647D00>​client_config_dir</​color>'':​ Directory housing CCD client files 
-      * ''<​color #​647D00>​ifconfig_pool_persist</​color>'': ​<color #646464>File containing common names from client files, followed by static IP for device</​color>​\\ \\ +      * ''<​color #​647D00>​ifconfig_pool_persist</​color>'':​ File containing common names from client files, followed by static IP for device\\ \\ 
-  - <color #4B4B4B>**Configure CCD files**</​color>​ +  - **Configure CCD files** 
-    - <color #4B4B4B>For each VPN client, a file must be created which exactly mirrors the common name of each client cert</​color>​ +    - For each VPN client, a file must be created which exactly mirrors the common name of each client cert 
-      - <color #646464>File should contain an ''​ifconfig''​ command pushing a static IP to the client</​color>​ +      - File should contain an ''​ifconfig''​ command pushing a static IP to the client 
-        - <color #646464>Client Certificate CN:</​color> ​''<​color #​647D00>​John Doe (OpenWrt VPNserver Client)</​color>''​ +        - Client Certificate CN: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client)</​color>''​ 
-          - <color #646464>Client File:</​color> ​''<​color #​C86400>/​etc/​openvpn/​clients/​John Doe (OpenWrt VPNserver Client)</​color>''​ +          - Client File: ''<​color #​C86400>/​etc/​openvpn/​clients/​John Doe (OpenWrt VPNserver Client)</​color>''​ 
-            - <color #646464>File Output:</​color> ​''//<​color #​647D00>​ifconfig-push 10.1.0.6 255.255.255.240</​color>//''​\\ \\ +            - File Output: ''//<​color #​647D00>​ifconfig-push 10.1.0.6 255.255.255.240</​color>//''​\\ \\ 
-  - <color #4B4B4B>**Configure IPP file**</​color>​ +  - **Configure IPP file** 
-    - <color #646464>One per line, each VPN client'​s CN needs to be specified, followed by their static IP</​color>​ +    - One per line, each VPN client'​s CN needs to be specified, followed by their static IP 
-      - <color #646464>IPP File:</​color> ​''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​ +      - IPP File: ''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​ 
-        - <color #646464>File Output:</​color> ​''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\ +        - File Output: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\ 
-  - <color #4B4B4B>**Start/​Restart OpenVPN**</​color>​ +  - **Start/​Restart OpenVPN** 
-    - <color #646464>Connect with each client to test</​color>​\\ <code bash>/​etc/​init.d/​openvpn stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​+    - Connect with each client to test\\ <code bash>/​etc/​init.d/​openvpn stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​
  
 </​tabbox>​ </​tabbox>​
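Review bot: the bullet "`ccd_exclusive`: enables CCD" is inaccurate: `client_config_dir` enables CCD, while `ccd_exclusive` makes a matching CCD file mandatory and refuses clients that have none, which is exactly the "only those CNs specified" protection the Information tab promises, so the description should say that. Also, OpenVPN (2.3 and later, unless `--compat-names` is set) remaps characters outside its allowed set, spaces and parentheses included, to underscores before looking up the CCD file, so a CN of `John Doe (OpenWrt VPNserver Client)` is looked up as `John_Doe__OpenWrt_VPNserver_Client_`; either name the file accordingly or use a CN without spaces and parentheses. The `ifconfig-push 10.1.0.6 255.255.255.240` example is only valid with `topology subnet`; worth stating next to it.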
Line 1118: Line 1093:
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1152: Line 1127:
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1192: Line 1167:
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
-<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap></​WRAP>
 </​WRAP>​ </​WRAP>​
  
Line 1200: Line 1175:
 ==== Android ==== ==== Android ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
-<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​Client]]</​wrap> ​+<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​for Android]]</​wrap> ​
 <color #​508CAA>​**Android Client Information**</​color>  ​ <color #​508CAA>​**Android Client Information**</​color>  ​
  
-  * <color #4B4B4B>​**//​OpenVPN for Android// is the best app for VPNs on Android**</​color>​\\ \\ +<WRAP centeralign>​<color #960000>**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //​imperative//,​ for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​ 
-  * <color #4B4B4B>**PKCS12 certs are installed into the //Android Keychain//​**</​color>​ + 
-    * <color #646464>As a security feature, a warning toast will always appear in the notification area due to user installed certs</​color>​ +  * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\ 
-      * <color #646464>This toast can be removed if you have a rooted device by following Toast Removal tutorial</​color>​ +  * **PKCS12 certs are installed into the //Android Keychain//​** 
-    * <color #646464>Another option is to include all certs & keys via inline XML within the client config file</color>\\ \\ +    * As a security feature, a warning toast will always appear in the notification area due to user installed certs 
-  * <color #4B4B4B>**If you choose to reference the ''//​ta.key//'',​ instead of utilizing inline XML**</​color>​+      * This toast can be removed if you have a rooted device by following Toast Removal tutorial ​\\ \\ 
 +    * Another option is to include all certs & keys via inline XML within the client config file 
 +      * //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
 +  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML**
     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 key-direction 1 key-direction 1
 +
 <​tls-auth>​ <​tls-auth>​
 -----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
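Review bot: the new warning states a "771 permission structure" where the warning it replaces (removed further down) said 664; the two revisions disagree and neither number is the point, which is that the sdcard is readable by every app, so the private key must be stored encrypted. The added line "Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs" means inlining does not avoid that exposure: the key still lands in a file on the card, so the encrypted-key requirement applies to the inline path too and the warning should say so. Naming: this tab calls the file `tlsauth.key` while the Server Config and the log excerpts in this same revision use `tls-auth.key`; pick one.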
Line 1220: Line 1201:
 </​tls-auth></​code>​ </​tls-auth></​code>​
     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
-tls-auth ​  ​/path/to/ta.key 1 +    # Encryption # 
-</​code>​ +#​------------------------------------------------ 
-  * <color #4B4B4B>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ +tls-auth ​   '​/path/to/tlsauth.key' ​1</​code>​ 
-    * <color #646464>If your device is affected, you will need to reference your individual certs in your Server Config</​color>​ +  * <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ 
-      - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp> +    * If your device is affected, you will need to reference your individual certs in your Server Config
- # Encryption # +
-pkcs12 ​    '/​sdcard/​openvpn/​vpn-client1.p12'</​code>​+
       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
- # Encryption # +    ​# Encryption # 
-ca         ​'/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ +#​------------------------------------------------ 
-cert       ​'/​sdcard/​openvpn/​vpn-client1.crt.pem'​ +ca      '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
-key        '/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​ +cert    '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
-<WRAP centeralign><​wrap danger>​For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure</​wrap>​\\ <color #​AF0000>​Therefore it's //crucial// to the security of the VPN to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​ +key     ​'/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​
  
 <tabbox Config> <tabbox Config>
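Review bot: deleting the "Remove: pkcs12 '/sdcard/openvpn/vpn-client1.p12'" step leaves the x509 "Add" block (`ca`/`cert`/`key`) without its counterpart, so a reader following the new text ends up with both a `pkcs12` line and the three separate references in one config; either restore the Remove step or state that `pkcs12` must be taken out. In the same item, "reference your individual certs in your Server Config" should read "Client Config": the paths shown are sdcard paths on the phone.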
Line 1240: Line 1218:
  
 <code cpp> <code cpp>
-# Config Type #+    ​# Config Type #
 #​------------------------------------------------ #​------------------------------------------------
 client client
  
-# Connection ​ #+    ​# Connection ​ #
 #​------------------------------------------------ #​------------------------------------------------
 dev tun dev tun
Line 1250: Line 1228:
 remote your.ddns.com 5000 remote your.ddns.com 5000
  
-# Speed #+    ​# Speed #
 #​------------------------------------------------ #​------------------------------------------------
 +mssfix 0
 fragment 0 fragment 0
-mssfix 0 
 tun-mtu 48000 tun-mtu 48000
  
-# Reliability #+    ​# Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-remote-cert-eku ​"TLS Web Server Authentication"+ 
 +# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
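Review bot: `comp-lzo`, moved rather than removed in this hunk, enables data-channel compression; compressing attacker-influenced plaintext together with secret data lets a compression oracle recover secrets through the tunnel (the attack class behind CRIME and VORACLE), and upstream OpenVPN has deprecated compression for that reason. Drop it here and the matching compression setting on the server. The added `tls-version-min 1.2` correctly mirrors the server's `tls_version_min 1.2`; `mssfix 0` plus `fragment 0` with `tun-mtu 48000` hands all fragmentation to the kernel, which is the page's stated tuning choice but deserves a sentence saying so, since a client on a path that drops fragments will see the tunnel come up and then stall.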
Line 1278: Line 1264:
 </​tls-auth>​ </​tls-auth>​
  
-key-direction 1 +    ​# Logging #
- +
-# Logging #+
 #​------------------------------------------------ #​------------------------------------------------
 verb 5 verb 5
 </​code>​ </​code>​
 +
 +<tabbox Inline XML>
 +<color #​508CAA>​**Referencing certs via Inline XML**</​color>​
 +
 +  - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +ca        '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​
 +cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​
 +key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​
 +tls-auth ​ '/​path/​to/​tlsauth.key'​ 1</​code>​
 +  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +
 +# --- TLS --- #
 +key-direction 1
 +
 +<ca>
 +#​PASTE-CA-CERT-INLINE-HERE#​
 +</ca>
 +
 +<​cert>​
 +#​PASTE-VPN-SERVER-CERT-INLINE-HERE#​
 +</​cert>​
 +
 +<key>
 +#​PASTE-VPN-SERVER-KEY-INLINE-HERE#​
 +</​key>​
 +
 +<​tls-auth>​
 +-----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 +-----END OpenVPN Static key V1-----
 +</​tls-auth></​code>​
  
 <tabbox Toast Removal> <tabbox Toast Removal>
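Review bot: in the Inline XML "Add" block the placeholders inside `<cert>` and `<key>` read `#PASTE-VPN-SERVER-CERT-INLINE-HERE#` and `#PASTE-VPN-SERVER-KEY-INLINE-HERE#`, but this is the client config and the "Remove" block above it is replacing `vpn-client1.crt.pem` / `vpn-client1.key.pem`; a reader taking the placeholder literally would copy the server's private key onto the phone. Rename them to `#PASTE-VPN-CLIENT-CERT-INLINE-HERE#` / `#PASTE-VPN-CLIENT-KEY-INLINE-HERE#`. The `<tls-auth>` block already carries the BEGIN/END lines, so say that only the body of the key file goes between them, otherwise the header lines end up duplicated.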
Line 1289: Line 1308:
 <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​ <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​
  
-<wrap indent><​color #4B4B4B>If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert wiki, then continue</​color>​</​wrap>​ +<wrap indent>​If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert wiki, then continue</​wrap>​ 
-  - <color #4B4B4B>​**Method 1:​**</​color>​ +  - <color #789600>​**Method 1:​**</​color>​ 
-    - <color #646464>**Add certificate to Android Keychain**</​color>​ +    - **Add certificate to Android Keychain** 
-      - <color #7D7D7D>**//​Settings//​ –> //​Security//​ –> //Install from Storage//**</​color>​\\ \\ +      - **//​Settings//​ –> //​Security//​ –> //Install from Storage//​**\\ \\ 
-    - <color #646464>**Move certificate from userland to system trusted**</​color>​ +    - **Move certificate from userland to system trusted** 
-      - <color #7D7D7D>**Android < 5.0:**</​color>​ +      - **Android < 5.0:** 
-        - <color #646464>Move new file</​color>​+        - Move new file
           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​
           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
-      - <color #7D7D7D>**Android > 5.0:**</​color>​ +      - **Android > 5.0:** 
-        - <color #646464>Move new file</​color>​+        - Move new file
           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​           - <color #​960000>​**From:​**</​color>​ ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​
           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\           - <color #​789600>​**To:​**</​color>​ ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
-  - <color #4B4B4B>​**Method 2:​**</​color>​ +  - <color #789600>​**Method 2:​**</​color>​ 
-    - <color #646464>**Save certificate with .pem extension**</​color>​\\ \\ +    - **Save certificate with** ''​.pem''​ **extension**\\ \\ 
-    - <color #646464>**Garnish subject of certificate:​**</​color>​+    - **Garnish subject of certificate:​**
       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​
-        - <color #646464>Should be similar to:</​color> ​<color #​647D00>​0b112a89</​color>​\\ \\ +        - Should be similar to: <color #​647D00>​0b112a89</​color>​\\ \\ 
-    - <color #646464>**Save certificate as text:**</​color>​+    - **Save certificate as text:**
       - ''//<​color #​647D00>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​color>//''​\\ \\       - ''//<​color #​647D00>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​color>//''​\\ \\
-    - <color #646464>**Swap PEM section and text:**</​color>​ +    - **Swap PEM section and text:** 
-      - ''<​color #​647D00>//​-----BEGIN CERTIFICATE-----//</​color>'' ​<color #646464>must be at top of file</​color>​\\ \\ +      - ''<​color #​647D00>//​-----BEGIN CERTIFICATE-----//</​color>''​ must be at top of file\\ \\ 
-    - <color #646464>**Rename file:**</​color> ​''<​color #​647D00>​0b112a89.0</​color>''​ +    - **Rename file:** ''<​color #​647D00>​0b112a89.0</​color>''​ 
-      - <color #646464>Replace with subject from //step b//</​color>​\\ \\ +      - Replace with subject from //step b//\\ \\ 
-    - <color #646464>**Copy file to:**</​color> ​''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ +    - **Copy file to:** ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ 
-    - <color #646464>**Set permissions:​**</​color>​+    - **Set permissions:​**
       - ''//<​color #​647D00>​chmod 644 0b112a89.0</​color>//''​\\ \\       - ''//<​color #​647D00>​chmod 644 0b112a89.0</​color>//''​\\ \\
-    - <color #646464>**Certificate should be listed under:**</​color>​ +    - **Certificate should be listed under:** 
-      - <color #7D7D7D>**//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​**</​color>​ +      - **//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​** 
-        - <color #646464>If it's still under</​color>​ <color #7D7D7D>**//​User//​**</​color>​+        - If it's still under **//​User//​**:​ 
-          - <color #646464>Disable/​Re-Enable certificate in Android Settings</​color>​ +          - Disable/​Re-Enable certificate in Android Settings 
-            - <color #646464>This creates a file in</​color> ​''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ +            - This creates a file in ''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ 
-          - <color #646464>Move that file to</​color> ​''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​ +          - Move that file to ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​ 
-          - <color #646464>Delete original file from //step f//</​color>​+          - Delete original file from //step f//
  
 </​tabbox>​ </​tabbox>​
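Review bot: step b of Method 2 is circular: `openssl x509 -inform PEM -subject_hash -in 0b112a89.0` reads a file that is already named with the hash the command is meant to produce, but the file only receives that name in step e (Rename file). Steps b and c should take the `.pem` saved in step a as input, and the printed hash then becomes the file name in step e; "Garnish subject" in the step-b heading should read "Obtain subject hash". Before trusting the flag, check it against a certificate already shipped in `/system/etc/security/cacerts/`: if the existing file names match `-subject_hash_old` rather than `-subject_hash`, that is the flag to use, otherwise Android will not pick the file up. Step d is right that `-----BEGIN CERTIFICATE-----` must be at the top, since `openssl x509 -text` prints the text dump before the PEM block and Android expects the reverse order. One caveat belongs next to the copy into `/system/etc/security/cacerts/`: a CA placed there is trusted system-wide by every app and TLS connection on the device, so this should only ever be the private CA that signs the VPN server certificate.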
Line 1330: Line 1349:
 ==== BSD/Linux ==== ==== BSD/Linux ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1336: Line 1355:
 <color #​508CAA>​**BSD/​Linux Client Information**</​color>​ <color #​508CAA>​**BSD/​Linux Client Information**</​color>​
  
-  * <color #4B4B4B>Due to the sheer number of distros & variances from one to the other, only the client config is being provided</​color>​+  * Due to the sheer number of distros & variances from one to the other, only the client config is being provided
  
 <tabbox Config> <tabbox Config>
Line 1355: Line 1374:
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
-fragment 0 
 mssfix 0 mssfix 0
 +fragment 0
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-pkcs12 /​etc/​ssl/​openvpn/​vpn-client1.p12 + 
-remote-cert-eku ​"TLS Web Server Authentication"+# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +pkcs12 ​'/​etc/​ssl/​openvpn/​vpn-client1.p12' 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
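Review bot: `remote-cert-eku 'TLS Web Server Authentication'` only checks the extendedKeyUsage extension of the peer certificate; `remote-cert-tls server` is the documented shorthand that checks both extendedKeyUsage and keyUsage and is the usual way to stop a client certificate issued by the same CA from impersonating the server. The newly added `tls-version-min 1.2` and the `key-direction 1` moved next to the other TLS settings are fine. `comp-lzo` is kept (only moved into the Reliability block); compression is deprecated in current OpenVPN releases and is generally discouraged on an encrypted link, so either drop it or note why it stays. The `# Encryption #` comment line gains four leading spaces that none of the other section comments have; OpenVPN ignores it, but it reads as an indentation error in the rendered config.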
Line 1381: Line 1408:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1395: Line 1420:
 ==== Windows ==== ==== Windows ====
  
-<WRAP 76.5em lo>+<​WRAP ​indent ​76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1401: Line 1426:
 <color #​508CAA>​**Windows Client Information**</​color>​ <color #​508CAA>​**Windows Client Information**</​color>​
  
-  * <color #4B4B4B>**If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**</​color>​ +  * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced** 
-    * <color #646464>You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS12</​color>''​</​color>​+    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
  
  
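Review bot: the path example `C:\\Path\\to\\PKCS.p12` is correct for backslashes, but the same line should also mention that OpenVPN on Windows accepts forward slashes (`C:/Path/to/vpn-client1.p12`), which avoids the escaping entirely, and that a path containing spaces must be quoted. There is also a stray space before the comma in "ovpn config , the path".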
Line 1422: Line 1447:
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
-fragment 0 
 mssfix 0 mssfix 0
 +fragment 0
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
 +
 +# --- TLS --- #
 +key-direction 1
 +tls-version-min 1.2
 +
 pkcs12 vpn-client1.p12 pkcs12 vpn-client1.p12
 remote-cert-eku "TLS Web Server Authentication"​ remote-cert-eku "TLS Web Server Authentication"​
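Review bot: `tun-mtu 48000` combined with `fragment 0` and `mssfix 0` means OpenVPN neither fragments datagrams nor clamps TCP MSS, so every packet larger than the path MTU relies on IP-layer fragmentation between client and server; on paths that drop fragments or ICMP this shows up as stalled large transfers while small packets still work. A sentence telling the reader to test with a do-not-fragment ping (`ping -f -l <size> <server>` on Windows) and to fall back to the OpenVPN defaults if transfers stall would save support threads. Separately, `remote-cert-eku "TLS Web Server Authentication"` keeps double quotes here while the BSD/Linux profile in this same revision was changed to single quotes; both parse, but the two profiles should match.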
Line 1448: Line 1481:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1502: Line 1533:
     option ​ dest            '​wan'​     option ​ dest            '​wan'​
     option ​ src             '​vpn'</​code>​     option ​ src             '​vpn'</​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code bash>/​etc/​init.d/​firewall restart</​code>​+  - **Commit changes**\\ <code bash>/​etc/​init.d/​firewall restart</​code>​
  
  
Line 1510: Line 1541:
  
   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​       DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'</​code>​+    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     list    push                '​redirect-gateway ​  def1 local'     list    push                '​redirect-gateway ​  def1 local'
     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​
-  - <color #4B4B4B>**Commit changes**</​color>​\\ <code bash>/​etc/​init.d/​openvpn restart</​code>​+  - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn restart</​code>​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
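Review bot: `redirect-gateway def1 local` is pushed to every client, but the `local` flag tells the client to skip adding the host route to the VPN server via its existing default gateway, which is only correct when client and server share a subnet (the wireless case the OpenVPN manual describes). A client connecting over the WAN with `local` set will send its own tunnel packets into the tunnel. Since the page's stated purpose is remote access over WAN, the pushed line should be `redirect-gateway def1`, with `local` reserved for a LAN-only profile. Replacing the two public resolver addresses with `dhcp-option DNS 10.1.0.1` is the right move for a full-tunnel setup, but it only works if the router's resolver listens on the VPN interface and the `vpn` zone rules allow port 53 to the router; that deserves a sentence next to the Add block. Note also that `/etc/init.d/openvpn restart` drops every connected client, and pushed options only reach clients when they reconnect.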
Line 1613: Line 1644:
 <WRAP 76.5em lo> <WRAP 76.5em lo>
  
-  * <color #4B4B4B>**//Please take the time to read//**</​color>​ +  * **//Please take the time to read//** 
-    * <color #646464>//If you refuse to help yourself, don't expect someone else to help you//</​color>​\\ \\ +    * //If you refuse to help yourself, don't expect someone else to help you//\\ \\ 
-  * <color #4B4B4B>**//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki Section]]//</color> +  * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// ​**//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​** 
-    * <color #646464>//If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWRT]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//</​color>​\\ \\ +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ 
-  * <color #4B4B4B>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ +  * <color #960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ 
-    * <color #646464>//Most importantly,​ it's __not__ monitored for questions//</​color>​ +    * //Most importantly,​ it's __not__ monitored for questions//​ 
-    * <color #646464>//It clutters the Wiki, possibly making it more difficult for others to navigate//</​color>​+    * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.1477839841.txt.bz2 · Last modified: 2016/10/30 16:04 by JW0914