doc:howto:openvpn-streamlined-server-setup
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

doc:howto:openvpn-streamlined-server-setup [2016/12/03 11:07]
tmomas [VPN Wikis] Cleanup
doc:howto:openvpn-streamlined-server-setup [2018/02/03 14:28] (current)
ssdnvv old version restored (2018/01/18 05:21)
Line 1: Line 1:
 ====== OpenVPN Server HowTo (Streamlined) ====== ====== OpenVPN Server HowTo (Streamlined) ======
 +
 +<WRAP centeralign>​
 +<​sup><​color #​7D0000>​**To prevent discombobulation,​ please follow the format already in place within this Wiki when editing**</​color></​sup>​\\
 +<​sup><​color #​7D0000>//​(incl. the Table of Contents)//</​color></​sup>​
 +</​WRAP>​
 +
  
 ===== Introduction ===== ===== Introduction =====
  
-==== VPN Requirements ====+<WRAP box 78em lo>
  
-Five requirements ​for SSL VPNs: +<tabbox Purpose>​ 
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption ​Certificates]] +<color #​508CAA>​**VPN Server Purpose**</​color>​ 
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network VPN Interface]+ 
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall Traffic Rules]+  * Provides an encrypted remote connection over WAN to router and downstream devices 
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server ​Config]] + 
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients Config]]+  * If Gateway Redirect is utilized, it provides an encrypted connection ​for local traffic 
 + 
 +<tabbox Requirements>​ 
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​ 
 + 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules] 
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\ 
 + 
 +<tabbox Editing>​ 
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]]  [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​ 
 +<color #​508CAA>​**Editing Configs**</​color>​ 
 + 
 +  * Vim is the default command line text editor\\ \\ 
 +  * If you've never utilized Vim before, please see the Vim Tutorial 
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​ 
 +</​tabbox>​ 
 +</​WRAP>​
  
  
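Review bot: the new Purpose tab's second bullet, "If Gateway Redirect is utilized, it provides an encrypted connection for local traffic", overstates the guarantee: redirecting the gateway encrypts the client's traffic only on the path between the client and the router; once it leaves the router's WAN it is protected only by whatever the application itself uses. Rephrase to "encrypts all of the client's traffic between the client and the router".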
Line 16: Line 41:
 ===== Encryption ===== ===== Encryption =====
  
-<WRAP centeralign>​ +<WRAP centeralign ​78.25em lo
-<wrap warning><​color #​FFFFFF>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​color></​wrap> ​[citation needed]+<wrap warning><​color #​FFFFFF>​Easy-RSA //does not// create secure enough certs & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​color></​wrap>​
 </​WRAP>​ </​WRAP>​
  
 +
 +<WRAP indent>
  
 ==== Prerequisites ==== ==== Prerequisites ====
  
-<WRAP box> +<WRAP box lo
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]]</​wrap>​+<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
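Review bot: dropping the [citation needed] marker on the Easy-RSA warning (the `<wrap warning>` line) leaves a strong security claim unsupported; either cite what Easy-RSA cannot do that this guide's openssl.cnf does, or soften the wording to something like "this guide uses OpenSSL directly for finer control over extensions". The openssl.cnf button link also changes `OpenSSL.cnf` to `openssl.cnf` in the GitHub path; GitHub paths are case-sensitive, so confirm the new link resolves.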
Line 31: Line 58:
  
   - **Install Packages:**   - **Install Packages:**
-    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn</​color>''//​\\ \\+    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn ​openssl-util</​color>''//​\\ \\
   - **Download openssl.cnf:​**   - **Download openssl.cnf:​**
     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\
-  - **Navigate ​to SSL directory & create required directories**+  - **Navaigate ​to SSL directory & create required directories**
     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\     - //''<​color #​647D00>​cd /etc/ssl ; mkdir -p ca/csr crl openvpn/​clients</​color>''//​\\ \\
   - **Create Serial file**   - **Create Serial file**
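Review bot: "Navaigate" on the third step is a typo introduced by this revision; it should read "Navigate". Adding `openssl-util` to the install line is the right fix, since every Encryption step below invokes the `openssl` binary, which `openvpn-openssl` alone does not provide.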
Line 41: Line 68:
         * Serial is in hex, not dec[//​imal//​] format\\ \\         * Serial is in hex, not dec[//​imal//​] format\\ \\
   - **Create CRLnumber file**   - **Create CRLnumber file**
-    - //''<​color #​647D00>​echo 00 > crlnumber</​color>''//​+    - //''<​color #​647D00>​echo 00 > crl/crlnumber</​color>''//​
             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\
   - **Create Index file**   - **Create Index file**
     - //''<​color #​647D00>​touch index</​color>''//​     - //''<​color #​647D00>​touch index</​color>''//​
-      * Maintains an index of all certs issued <​sup>​[lines ​698 713]</​sup>​+      * Maintains an index of all certs issued <sup><​color #646464>​[lines ​644 689]</​color>​</​sup>​
         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\
   - **Create Rand file**   - **Create Rand file**
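Review bot: moving the counter to `crl/crlnumber` only works if the `crlnumber` directive in /etc/ssl/openssl.cnf points at the same path; `openssl ca -gencrl` (used in the CA and ICA command tabs) reads that file and fails if it is missing. The same applies to `touch index`: the `database` directive must name `index` rather than OpenSSL's default `index.txt`. State both dependencies here, and keep the `[lines 644 689]` reference in sync with the linked openssl.cnf revision.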
Line 75: Line 102:
   - **.key:**   - **.key:**
     * //private key//     * //private key//
-      * 4All key files, except for a server'​s,​ should be encrypted with a passphrase</​color>​\\ \\+      * 4All key files, except for a server'​s,​ should be encrypted with a passphrase\\ \\
   - **.crt:**   - **.crt:**
-    * //signed certificate//​</​color>​\\ \\+    * //signed certificate//​\\ \\
   - **.p12:**   - **.p12:**
     * //PKCS12 certificate//​     * //PKCS12 certificate//​
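Review bot: the stray "4" in "4All key files" survives on both sides; since this hunk already edits that line to drop the orphaned `</color>`, fix the typo too. The statement itself is sound and matches the `-nodes` rationale given under Server Cert.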
Line 87: Line 114:
 ==== OpenSSL ==== ==== OpenSSL ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <tabbox Synopsis>​ <tabbox Synopsis>​
Line 180: Line 207:
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
       - Subject public key is used to verify signatures on certificates       - Subject public key is used to verify signatures on certificates
-      - //This extension must only be used for CA certificates//​\\ \\+      - <color #AF0000>//This extension must only be used for CA certificates//​</​color>​\\ \\
   - **cRLSign**   - **cRLSign**
     - <wrap danger>​CA ONLY</​wrap>​     - <wrap danger>​CA ONLY</​wrap>​
       - Subject public key is to verify signatures on revocation information,​ such as a CRL       - Subject public key is to verify signatures on revocation information,​ such as a CRL
-      - //This extension must only be used for CA certificates//​\\ \\+      - <color #AF0000>//This extension must only be used for CA certificates//​</​color>​\\ \\
   - **encipherOnly**   - **encipherOnly**
     - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required     - KU ''<​color #​009B9B>​keyAgreement</​color>''​ is required
Line 218: Line 245:
   - **ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**   - **ipsecEndSystem,​ ipsecTunnel,​ & ipsecUser**
     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​     - <wrap danger>​SHOULD NOT BE UTILIZED</​wrap>​
-      - Assigned in 1999, the semantics of these values were never clearly defined</​color>​ +      - Assigned in 1999, the semantics of these values were never clearly defined 
-      - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <​sup><​color #7D7D7D>​[5.1.3.12]</​color></​sup>​\\ \\+      - **RFC 4945:** The use of these three EKU values is obsolete and explicitly deprecated by this specification <​sup><​color #646464>​[5.1.3.12]</​color></​sup>​\\ \\
   - **msCodeInd**   - **msCodeInd**
     - Microsoft Individual Code Signing (authenticode)\\ \\     - Microsoft Individual Code Signing (authenticode)\\ \\
Line 258: Line 285:
  
   - **ECDH_ECDSA**   - **ECDH_ECDSA**
-    - Like DH_DSA, but with elliptic curves+    - Like ''<​color #009B9B>DH_DSA</​color>''​, but with elliptic curves
       - Server public key must be an ECDH key       - Server public key must be an ECDH key
       - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\       - Server certificate must be issued by a CA utilizing an ECDSA public key\\ \\
Line 265: Line 292:
   - **ECDHE_ECDSA**   - **ECDHE_ECDSA**
     - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key     - Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
-      - Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature\\ \\+      - Equivalent to ''<​color #009B9B>DHE_DSS</​color>''​, but with elliptic curves for both the Diffie-Hellman & signature\\ \\
   - **ECDHE_RSA**   - **ECDHE_RSA**
     - Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key     - Like ''<​color #​009B9B>​ECDHE_ECDSA</​color>'',​ except Server public key is an RSA key
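Review bot: "signing it via it's ECDSA key" in the ECDHE_ECDSA entry should be "its" (possessive); it is a context line, but worth fixing while the neighbouring lines are being touched.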
Line 277: Line 304:
 === CA Creation === === CA Creation ===
  
-<​WRAP>​+<​WRAP ​indent 75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 285: Line 312:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  - **Certificate Authorities** <​sup>​[Line ​180]</​sup>​+  - **Certificate Authorities** <​sup>​[Line ​177]</​sup>​
     - //Main//     - //Main//
-      - **Line ​186:** ''<​color #​647D00>​DNS.1 = Router.1</​color>''​ +      - **Line ​183:** ''<​color #​647D00>​DNS.1 = //Router.1//</​color>''​ 
-        * //Change// ''<​color #506400>//Router.1//</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\ +        * //Change// ''<​color #007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\ 
-  - **Certificate Authority Clients** <​sup>​[Line 205]</​sup>​+  - **Certificate Authority Clients** <sup><​color #646464>[Line 205]</​color>​</​sup>​
     - //Servers//     - //Servers//
-      * **Lines:​** ​211 233+      * **Lines:​** ​198 220
     - //Clients//     - //Clients//
-      * **Lines:​** ​235 239\\ \\ +      * **Lines:​** ​222 226\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ca_main</​color>''​ **to** ''<​color #​647D00>​alt_ca_openwrt</​color>''​ <​sup>​[lines 185, 306, & 310]</​sup>​ +
-    - **Line 185:** ''<​color #​647D00>​[ alt_ca_openwrt ]</​color>''​ +
-    - **Line 306:** ''<​color #​647D00>​[ v3_ca_openwrt ]</​color>''​ +
-    - **Line 310:** ''<​color #​647D00>​subjectAltName = @alt_ca_openwrt</​color>''​+
 </​WRAP>​ </​WRAP>​
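Review bot: removing the rename step (alt_ca_main -> alt_ca_openwrt, v3_ca_openwrt) means the CA commands now rely on the section names shipped in the linked openssl.cnf; say so explicitly, because every hard-coded line number here (177, 183, 198-220, 222-226) and the `-extensions` value in the next tab silently break whenever that file changes. Also the "Change Router.1" step colours the placeholder `#007DC8` while the line above marks it as `//Router.1//`; pick one convention for placeholders.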
  
Line 305: Line 328:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - **Generate CA**\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_openwrt</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - **Generate CA CRL**\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​ +  - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​ 
-  - **Convert CA CRL -> DER CRL**\\ <code bash>​openssl crl -inform PEM -in crl/​OpenWrt-CA.crl.pem -outform DER -out crl/​OpenWrt-CA.crl</​code>​+  - <color #​4B4B4B4>​**Convert CA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenWrt-CA.crl.pem -outform DER -out crl/​OpenWrt-CA.crl</​code>​
  
 </​tabbox>​ </​tabbox>​
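Review bot: `<color #4B4B4B4>` on all three step headings is a 7-digit value and not a valid hex colour, so DokuWiki will not render it as intended; use `#4B4B4B`. The `-extensions v3_ca` change is consistent with dropping the rename step, provided a `[ v3_ca ]` section exists in the linked openssl.cnf. Note also that the CRL is generated with `openssl ca -gencrl`, so the `database`, `crlnumber` and `serial` paths in openssl.cnf must match the files created under Prerequisites.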
Line 316: Line 339:
 === ICA Creation === === ICA Creation ===
  
-<​WRAP>​ +<​WRAP ​indent 75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 325: Line 347:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  - **Certificate Authorities** <​sup>​[Line ​180]</​sup>​+  - **Certificate Authorities** <sup><​color #646464>​[Line ​177]</​color>​</​sup>​
     - //Router 2//     - //Router 2//
-      - **Line ​191:** ''<​color #​647D00>​DNS.1 = Router.2</​color>''​ +      - **Line ​188:** ''<​color #​647D00>​DNS.1 = //Router.2//</​color>''​ 
-        * //Change ''<​color #647D00>​Router.2</​color>''​ to what you'd like the name of your Intermediate CA to be//\\ \\ +        * //Change// ''<​color #007DC8>​Router.2</​color>'' ​//to what you'd like the name of your Intermediate CA to be//\\ \\ 
-  - **Intermediate Certificate Authority Clients** <​sup>​[Line ​242]</​sup>​ +  - **Intermediate Certificate Authority Clients** <sup><​color #646464>​[Line ​229]</​color>​</​sup>​ 
-    - //​Servers//​ +    -//​Servers//​ 
-      * **Lines:​** ​248 264+      * **Lines:​** ​235 251
     - //Clients//     - //Clients//
-      * **Lines:​** ​266 274:\\ \\ +      * **Lines:​** ​253 261:\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ica_router2</​color>''​ **to** ''<​color #​647D00>​alt_ica_openvpn</​color>''​ <​sup>​[lines 190, 313, & 317]</​sup>​ +
-    - **Line 190:** ''<​color #​647D00>​[ alt_ica_openvpn ]</​color>''​ +
-    - **Line 313:** ''<​color #​647D00>​[ v3_ica_openvpn ]</​color>''​ +
-    - **Line 317:** ''<​color #​647D00>​subjectAltName = @alt_ica_openvpn</​color>''​+
 </​WRAP>​ </​WRAP>​
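Review bot: `-//Servers//` on the Intermediate CA Clients sub-list lost the space after the list marker, so it will no longer render as a list item; restore `    - //Servers//`. As in the CA section, dropping the alt_ica_router2 -> alt_ica_openvpn rename ties the instructions to the default section names and line numbers of the linked openssl.cnf, which should be stated.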
  
Line 345: Line 363:
 <color #​508CAA>​**ICA OpenSSL Commands**</​color>​ <color #​508CAA>​**ICA OpenSSL Commands**</​color>​
  
-  - **Generate Intermediate CA CSR**\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - **Create & Sign ICA with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​ +  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_router2</​code>​ 
-  - **Generate ICA CRL**\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​ +  - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​ 
-  - **Convert ICA CRL -> DER CRL**\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​ +  - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​ 
-  - **Concatenate ICA -> CA Chain**\\ <code bash>cat ca/​OpenVPN-ICA.crt.pem ca/​OpenWrt-CA.crt.pem > ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​+  - <color #​4B4B4B4>​**Concatenate ICA -> CA Chain**</​color>​\\ <code bash>cat ca/​OpenVPN-ICA.crt.pem ca/​OpenWrt-CA.crt.pem > ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
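Review bot: in the CSR command, `-days 3650` and `-extensions v3_ica_router2` are only honoured by `openssl req` when `-x509` is given; without it they have no effect on the request, so the ICA's validity and extensions come solely from the `openssl x509 -req ... -extfile ./openssl.cnf -extensions v3_ica_router2` signing step. Either drop the two no-op options from the CSR line or add a remark that the signing step is what sets them, so readers do not assume the CSR carries the CA extensions. The `#4B4B4B4` colour typo from the CA tab is repeated on all five headings here.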
Line 357: Line 375:
 === Index File === === Index File ===
  
-<​WRAP>​+<​WRAP ​indent 75em lo>
  
 <tabbox Info> <tabbox Info>
Line 363: Line 381:
 <color #​508CAA>​**Index Info**</​color>​ <color #​508CAA>​**Index Info**</​color>​
  
-  * **If wishing to maintain the index file automatically,​** ''​openssl ca''​ **must be used to sign certs**+  * **If wishing to maintain the index file automatically,​** ''​<color #647D00>openssl ca</​color>​''​ **must be used to sign certs**
     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
  
Line 376: Line 394:
   * Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​   * Copy & paste DN from the output of: ''​ //<color #​647D00>​openssl x509 -in certificate.crt -text -noout</​color>//''​
 <code cpp> <code cpp>
-V    261231235959Z ​   0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com +V    261231235959Z ​           0a    unknown ​   /​C=US/​ST=State/​L=Locality/​O=Sophos UTM/​OU=LAN/​CN=Cert Common Name/​emailaddress=whatever@whichever.com 
-1    2-----------> ​   4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​+1    2-----------> ​   ​3-> ​    4-> ​  ​5-----> ​   6---------------------------------------------------------------------------------------------------></​code>​
 </​WRAP>​ </​WRAP>​
   - **Status of Certificate**   - **Status of Certificate**
     - **''​V''​** [Valid]     - **''​V''​** [Valid]
-    - **''​R''​** [Revoked] ​+    - **''​R''​** [Revoked]
     - **''​E''​** [Expired]\\ \\     - **''​E''​** [Expired]\\ \\
   - **Expiration Date**   - **Expiration Date**
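Review bot: the sample entry is tagged `<code cpp>` although it is an OpenSSL `index.txt` database line; tag it `<code>` so the highlighter does not colour it. More importantly, `openssl ca` parses this file as tab-separated fields, so a note that the gaps in the example must be single tabs (not the runs of spaces shown) would save readers whose hand-edited index is then rejected by `openssl ca -gencrl`.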
Line 397: Line 415:
         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​         - ''<​color #​009B9B>​privilegeWithdrawn</​color>''​
         - ''<​color #​009B9B>​AACompromise</​color>''​         - ''<​color #​009B9B>​AACompromise</​color>''​
-    - Empty if not revoked\\ \\ +    - Empty if not revoked 
-  - **Serial number** <​sup>​(//​hex//​ format)</​sup>​+      * Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there\\ \\ 
 +  - **Serial number** <sup><​color #646464>​(//​hex//​ format)</​color>​</​sup>​
     - **''​0a''​** is hex for 10     - **''​0a''​** is hex for 10
-      - **Windows:​** ​+      - **Windows:​**
         * Calculator has programmer feature which can convert dec <-> hex         * Calculator has programmer feature which can convert dec <-> hex
-      - **Linux/​BSD**  +      - **Linux/​BSD** 
-        * cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>'' ​+        * cli hex -> dec: ''​ //<color #​647D00>​printf '​%d\n'​ 0x0a</​color>//​ ''​ returns ''<​color #​647D00>​10</​color>''​
         * cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​ \\ \\         * cli dec -> hex: ''​ //<color #​647D00>​printf '​%x\n'​ 10</​color>//​ ''​ returns ''<​color #​647D00>​0a</​color>''​ \\ \\
   - **Certificate Filename or Literal String**   - **Certificate Filename or Literal String**
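Review bot: "Certain distros were erroring out without a whitespace for 3" explains the symptom rather than the cause: field 3 is the revocation date and is empty for a valid cert, but the delimiter separating it from the serial field must still be present because the database expects all six fields. Rewording it as "field 3 is empty until the cert is revoked, but its delimiter must still be present" makes the index layout reproducible rather than trial-and-error.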
Line 413: Line 432:
 === Server Cert === === Server Cert ===
  
-<​WRAP>​ +<​WRAP ​indent 75em lo>
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
 <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​ <wrap right>''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''</​wrap>​
Line 424: Line 442:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​242)</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​229)</​sup>​ 
-    - //Change the SAN alt name ''<​color #​647D00>​alt_vpn_server2</​color>''​ to ''<​color #​647D00>​alt_openvpn_server</​color>''//​ +    - //Change the server'SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>'' ​//to match your VPN Server IP// 
-      - **Line 262:** ''<​color #​647D00>​[ alt_openvpn_server ]</​color>''​\\ \\ +      - **Line ​250:** ''<​color #​647D00>​IP.1 = //10.0.1.1//</​color>''​\\ \\ 
-    - //Change the SAN IP from ''<​color #​647D00>​10.0.1.1</​color>''​ to match your VPN Server IP// +    - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>'' ​//to match your own DDNS and/or FQDN// 
-      - **Line ​263:** ''<​color #​647D00>​IP.1 = 10.0.1.1</​color>''​\\ \\ +      - **Line ​251:** ''<​color #​647D00>​DNS.1 = //your.ddns.com//</​color>''​
-    - //Change the SAN DNS from ''<​color #​647D00>​your.ddns.com</​color>''​ to match your own DDNS and/or FQDN// +
-      - **Line ​264:** ''<​color #​647D00>​DNS.1 = your.ddns.com</​color>''​+
         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
- 
-**__V3 Profile__** 
- 
-  - **Intermediate Certificate Authority Clients** <​sup>​(Line 427)</​sup>​ 
-    - //Change the V3 profile name from ''<​color #​647D00>​[ v3_vpn_server2 ]</​color>''​ to match alt name set above// 
-      - **Line 450:** ''<​color #​647D00>​[ v3_openvpn_server ]</​color>''​\\ \\ 
-    - //Change the SAN alt name from ''<​color #​647D00>​@alt_vpn_server2</​color>''​ to match alt name set above// 
-      - **Line 456:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_server</​color>''​ 
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
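Review bot: "Change the server'SAN IP" is missing the possessive ("server's SAN IP"). Dropping the V3 Profile block means the server cert is now issued from the stock `v3_vpn_server` section (see the next tab), with the SAN lines 250/251 edited in place; say that the same section is reused for every server cert generated from this file.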
Line 448: Line 456:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​+  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​
     * **''​-nodes''​** creates a signing key without encryption     * **''​-nodes''​** creates a signing key without encryption
       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\
-  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​+  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​
   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
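Review bot: the PKCS12 step reads the chain from `ca/OpenWrt-OpenVPN_CA-Chain.crt.pem`, but the ICA Creation tab writes it as `ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem`; the export will fail with a missing-file error unless one of the names is corrected. Also `-out certs/vpn-server.crt.pem` targets a `certs/` directory that the `mkdir -p ca/csr crl openvpn/clients` step never creates, so either add it there or write the cert under `openvpn/` alongside the key. As in the ICA tab, `-days 3650 -extensions v3_vpn_server` on the CSR line have no effect without `-x509`; the signing step is what applies them.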
Line 463: Line 471:
 === Client Certs === === Client Certs ===
  
-<​WRAP>​ +<​WRAP ​indent 75em lo
-<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap>​+<WRAP centeralign>​<wrap danger>​Do not use the same Common Name (CN) on more than one certificate</​wrap></​WRAP>
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
Line 476: Line 484:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <sup>(Line 242)</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup><​color #646464>(Line 229)</​color></​sup
-    - //Change the SAN alt name ''​<color #647D00>alt_vpn2_user1''​ to ''​alt_openvpn_//<​username>//​</​color>​''//​ +    - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>'' ​//to match client username//​ 
-      - **Line 267:** ''​<color #​647D00>​[ alt_openvpn_//<​username>// ]</​color>''​\\ \\ +      - **Line ​255:** ''<​color #​647D00>​DNS.1 = //VPN-<​username>​-Hostname//</​color>''​
-    - //Change the SAN DNS from ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ to match client username//​ +
-      - **Line ​268:** ''<​color #​647D00>​DNS.1 = VPN-//<​username>//​-Hostname</​color>''​+
         * //This makes configuring CCD more convenient//​\\ \\         * //This makes configuring CCD more convenient//​\\ \\
-    - //Change the SAN email from ''<​color #​647D00>​user1@email.com</​color>''​ to user's email// +    - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>'' ​//to user's email// 
-      - **Line ​269** ''<​color #​647D00>​email.1 = user1@email.com</​color>''​ +      - **Line ​256** ''<​color #​647D00>​email.1 = //user1@email.com//</​color>''​
- +
-**__V3 Profile__** +
- +
-  - **Intermediate Certificate Authority Clients** <​sup>​(Line 427)</​sup>​ +
-    - //Change the V3 profile name from ''<​color #​647D00>​[ v3_vpn2_user1 ]</​color>''​ to match alt name set above// +
-      - **Line 459:** ''<​color #​647D00>​[ v3_openvpn_//<​username>//​ ]</​color>''​\\ \\ +
-    - //Change the SAN alt name from ''<​color #​647D00>​@alt_vpn2_user1</​color>''​ to match alt name set above// +
-      - **Line 465:** ''<​color #​647D00>​subjectAltName = @alt_openvpn_//<​username>​//</​color>''​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
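Review bot: with the per-user V3 profile step removed, every client certificate is generated from the same `v3_vpn2_user1` section, and the DNS.1/email.1 values on lines 255/256 are overwritten for each new user; state explicitly that these two lines must be edited before each client CSR, otherwise the second client inherits the first client's SAN, which undermines the one-identity-per-certificate warning at the top of this section.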
Line 500: Line 498:
 <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​ +  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​ 
-    * Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//\\ \\ +    * <color #AF0000>Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\ 
-  - **Sign Cert with CA**\\ <code bash>​openssl x509 req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
 </​tabbox>​ </​tabbox>​
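Review bot: good catch on `openssl x509 req` -> `openssl x509 -req`, but three other defects in this tab remain: the signing step uses `-CAkey ca/OpenWrt-CA.key` whereas the CA tab created `ca/OpenWrt-CA.key.pem`; client certs are signed by the root CA while the server cert is signed by the ICA and the PKCS12 bundles the ICA chain, so settle on one issuer for both; and the export step references `openvpn/clients/vpn-client1.key.pem` and `.crt.pem` while the previous two commands wrote `vpn-client1-<username>-<hostname>.key.pem` and `.crt.pem`. As in the server tab, `-days`/`-extensions` on the CSR are no-ops without `-x509`.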
Line 510: Line 508:
 === Diffie-Hellman Key === === Diffie-Hellman Key ===
  
-<​WRAP>​+<​WRAP ​indent 75em lo>
 <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​ <wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​
 </​WRAP>​ </​WRAP>​
  
-<​WRAP>​+<​WRAP ​51.5em lo>
  
-  - **Generate DH Key** <​sup>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​+  - **Generate DH Key** <sup><​color #646464>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​color>​</​sup>​\\ <code bash>​openssl dhparam -out openvpn/​dh2048.pem 2048</​code>​
     * **Generating DH keys takes substantial amounts of time**\\ \\    ​     * **Generating DH keys takes substantial amounts of time**\\ \\    ​
     * **You may wish to generate 3072bit and 4096bit DH keys as well**     * **You may wish to generate 3072bit and 4096bit DH keys as well**
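Review bot: `openssl dhparam` produces Diffie-Hellman group parameters (prime and generator), not a key; the ephemeral keys are derived per session by OpenVPN. Retitling the step "Generate DH parameters" avoids implying that dh2048.pem is a secret needing the same handling as the .key files (it is not, though the 3072/4096-bit alternatives do cost noticeably more generation time on router hardware, as the bold note says).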
Line 528: Line 526:
 === TLS-Auth Key === === TLS-Auth Key ===
  
-<​WRAP>​+<​WRAP ​51.5em lo>
  
-  - **Generate TLS-Auth key** <​sup>​(executed from ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/ta.key</​code>​ +  - **Generate TLS-Auth key** <​sup>​(<color #646464>executed from</​color> ​''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/tls-auth.key</​code>​ 
-    ​* **This ensures ​PFS** [Perfect Forward Secrecy] ​**is maintained when utilizing a SSL cipher**\\ \\ +    * This ensures **P**erfect **F**orward **S**ecrecy ​is maintained when utilizing a SSL cipher\\ \\ 
-    * ''​tls-auth'' ​**requires a static ​pre-shared key** [PSK]**, generated in advance, and shared among all clients**+    * ''​tls-auth''​ requires a static ​**P**re-**S**hared **K**ey, generated in advance, and shared among all clients
       * This requires incoming packets to have a valid signature generated using the PSK key       * This requires incoming packets to have a valid signature generated using the PSK key
         * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\         * If key is changed, it must be changed on all clients at the same time (no support for rollover)\\ \\
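Review bot: The first bullet under "Generate TLS-Auth key" states that tls-auth ensures Perfect Forward Secrecy, which is inaccurate; as the next two bullets correctly describe, tls-auth adds an HMAC signature (computed with the pre-shared key) to every control-channel packet so that packets without a valid signature are dropped before any TLS processing, while forward secrecy comes from the ephemeral DHE/ECDHE key exchange (the DH parameters generated above and the `tls_cipher` selection). Suggest rewording the bullet to something like `Signs every control-channel packet with the PSK, so unauthenticated packets are dropped before the TLS handshake`. Also, this revision renames ta.key to tls-auth.key here and in the server config, but the Android section of the same revision uses tlsauth.key; one name should be used throughout.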
Line 542: Line 540:
 ==== Import & Backup ==== ==== Import & Backup ====
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap>​+<WRAP centeralign>​<wrap safety>​GnuPG is a great tool to manage CAs and client certificates</​wrap> ​ <wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap></​WRAP>
  
 <tabbox Backup> <tabbox Backup>
Line 554: Line 552:
 chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​ chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* ; chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​
   - **Utilize GnuPG to encrypt a copy of** ''<​color #​C86400>/​etc/​ssl/</​color>''​   - **Utilize GnuPG to encrypt a copy of** ''<​color #​C86400>/​etc/​ssl/</​color>''​
-    - **Create separate encryption tars for:​** ​+    - **Create separate encryption tars for:**
       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​ca/</​color>''​
       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​       * ''<​color #​C86400>/​etc/​ssl/​openvpn/</​color>''​
Line 603: Line 601:
  
 **If utilizing Windows:** **If utilizing Windows:**
-    - **Download** <color #​C86400>​PEM Association.reg</​color>​**,​ then import into registry** <​sup>​(//​Right Click// -> //​Merge//​)</​sup>​+    - **Download** <color #​C86400>​PEM Association.reg</​color>​**,​ then import into registry** <sup><​color #646464>​(//​Right Click// -> //Merge//)</​color>​</​sup>​
       * //This causes Windows to associate the .pem extension as a valid certificate extension//​\\ \\       * //This causes Windows to associate the .pem extension as a valid certificate extension//​\\ \\
-    - **Add your CA cert to the //Trusted Root Certification Authorities//​** <​sup>​(user must have //​Administrator//​ privileges)</​sup>​+    - **Add your CA cert to the //Trusted Root Certification Authorities//​** <sup><​color #646464>(user must have //​Administrator//​ privileges)</​color>​</​sup>​
       - //Right click on// <color #​C86400>​OpenWrt-CA.crt.pem</​color>:​       - //Right click on// <color #​C86400>​OpenWrt-CA.crt.pem</​color>:​
-        - **//Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**\\ \\ +        - <color #7D7D7D>**//Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//Trusted Root Certification Authorities//​**</​color>​\\ \\ 
-    - **Add your ICA cert to the //​Intermediate Certification Authorities//​** <​sup>​(user must have //​Administrator//​ privileges)</​sup>​+    - **Add your ICA cert to the //​Intermediate Certification Authorities//​** <sup><​color #646464>(user must have //​Administrator//​ privileges)</​color>​</​sup>​
       - //Right click on// <color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​       - //Right click on// <color #​C86400>​OpenVPN-ICA.crt.pem</​color>:​
-        - **//Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**+        - <color #7D7D7D>**//Install Certificate//​** -> **//Local Machine//** -> **//Place all certificates in the following store//** -> **//​Browse//​** -> **//​Intermediate Certification Authorities//​**</​color>​
 </​WRAP>​ </​WRAP>​
  
 </​tabbox>​ </​tabbox>​
 +</​WRAP>​
 +
 </​WRAP>​ </​WRAP>​
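Review bot: The Windows steps import the private CA into the Local Machine "Trusted Root Certification Authorities" store, which makes that CA trusted by every TLS client on the machine (browsers included), not just OpenVPN; OpenVPN validates the server against the `ca` directive or the inline `<ca>` block in the client config and does not consult the Windows store for that, so this step is not needed for the VPN to work and widens the blast radius if the CA key is ever compromised. Suggest marking both store imports as optional (useful only for viewing the certificate chain in the Windows UI) or dropping them. The `PEM Association.reg` file is referenced without its contents being shown; listing the registry values it sets would let readers check what they are merging.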
  
Line 621: Line 621:
 <WRAP indent> <WRAP indent>
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap right button>​[[doc:​uci:​network|Network]]</​wrap>​+<wrap right button>​[[doc:​uci:​network|Network ​Wiki]]</​wrap>​
 </​WRAP>​ </​WRAP>​
  
Line 628: Line 628:
 ==== Interface Creation ==== ==== Interface Creation ====
  
-<​WRAP>​+<​WRAP ​60em lo>
  
   - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​   - **Create VPN interface**\\ <code bash>uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none</​code>​
     - You can replace ''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>''​ with ''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​     - You can replace ''<​color #​647800>//​network.//</​color><​color #​007DC8>​vpn0</​color>''​ with ''<​color #​647800>//​network.//</​color><​color #​007DC8><​name></​color>''​
-      - If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]\\ \\+      - If you choose to do so, ''<​color #​007DC8>​vpn</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​https://​wiki.openwrt.org/​doc/​howto/​openvpn-streamlined-server-setup#​create_rules|Firewall Rules]]\\ \\
     - You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​     - You can replace ''<​color #​647800>//​ifname=//</​color><​color #​007DC8>​tun0</​color>''​ with ''<​color #​647800>//​ifname=//</​color><​color #​007DC8><​name></​color>''​
       - If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]\\ \\       - If you choose to do so, ''<​color #​647800>//​option dev//</​color>​ <color #​007DC8>​tun0</​color>''​ will need to be updated accordingly in [[:​doc:​howto:​openvpn-streamlined-server-setup#​config|VPN Server Config]]\\ \\
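Review bot: The updated Firewall Rules link on the vpn0 rename bullet is malformed: its target is now `:doc:howto:openvpn-streamlined-server-setup#https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#create_rules`, an internal link whose anchor contains a full URL, so it no longer resolves to the Create Rules section. Revert to `[[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]` as on the removed line.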
Line 642: Line 642:
 ==== Configure DDNS ==== ==== Configure DDNS ====
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap right button>​[[doc:​howto:​ddns.client|DDNS]]</​wrap>​+<wrap right button>​[[doc:​howto:​ddns.client|DDNS ​Wiki]]</​wrap>​
  
 <wrap indent>​**//​Applies to connections from WAN//​**</​wrap>​ <wrap indent>​**//​Applies to connections from WAN//​**</​wrap>​
Line 651: Line 651:
       * Purchasing occurs as a service subscription fee from DDNS providers       * Purchasing occurs as a service subscription fee from DDNS providers
     - FQDN     - FQDN
-      * **F**ully **Q**ualified **D**omain **N**ame is a URL <​sup>​(google.com is a FQDN)</​sup>​ +      * **F**ully **Q**ualified **D**omain **N**ame is a URL <sup><​color #646464>​(google.com is a FQDN)</​color>​</​sup>​ 
-      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <​sup>​(//​Internet Assigned Numbers Authority//​)</​sup>​\\ \\+      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <sup><​color #646464>​(//​Internet Assigned Numbers Authority//​)</​color>​</​sup>​\\ \\
   - **Most users will likely configure DDNS**   - **Most users will likely configure DDNS**
-    * See [[doc:​howto:​ddns.client|DDNS Clients]]+    * See the [[doc:​howto:​ddns.client|DDNS Clients]] ​wiki
  
 </​WRAP>​ </​WRAP>​
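Review bot: The FQDN bullet says a Fully Qualified Domain Name "is a URL"; it is a complete host name (the example google.com is a domain name, whereas a URL also carries a scheme and path), so suggest "is a complete host name, e.g. google.com". The next bullet's "regulated by the non-profit IANA" is also loose: domain registration terms are set by the registries and ICANN-accredited registrars, while IANA (an ICANN function) administers the root zone and number assignments.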
Line 662: Line 662:
  
 ===== Firewall ===== ===== Firewall =====
 +
 +<WRAP indent>
  
 <WRAP 76.5em lo> <WRAP 76.5em lo>
Line 670: Line 672:
 ==== Create Rules ==== ==== Create Rules ====
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap> ​[why?]+<WRAP centeralign>​<wrap danger>A non-standard port (**//​not//​** //1194//) should be utilized for the VPN</​wrap>​</​WRAP>​
  
 <tabbox Information>​ <tabbox Information>​
Line 692: Line 694:
   - **A port >1025 but <10000 should be utilized for the VPN**   - **A port >1025 but <10000 should be utilized for the VPN**
     - If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly     - If using a custom port, update [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|VPN Server]] & [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|VPN Client]] configs accordingly
 +      - If needing to bypass a strict firewall in front of the router, utilize port 443 <​sup>​[HTTPS]</​sup>​
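Review bot: The newly added sub-bullet recommending port 443 [HTTPS] contradicts the bullet directly above it ("A port >1025 but <10000 should be utilized") and needs two caveats: a strict egress firewall that allows only HTTPS typically permits TCP/443 alone, so OpenVPN must then run with `proto tcp-server` (the firewall.user rules on this page accept both TCP and UDP on the VPN port, so the server's actual `proto` should be stated next to this advice); and 443 on WAN collides with any HTTPS listener already bound there, such as uhttpd/LuCI if it is exposed. Separately, the `[why?]` on the danger box was removed in this revision rather than answered: a non-standard port only reduces scanner noise in the logs, and the actual protection against unauthenticated connection attempts is tls-auth, so saying that explicitly would be better than leaving the recommendation unexplained.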
  
  
Line 714: Line 717:
     option ​ path            '/​etc/​firewall.user'​     option ​ path            '/​etc/​firewall.user'​
  
-# Default ​OpenWRT ​Rule #+# Default ​OpenWrt ​Rule #
 config defaults config defaults
     option ​ input           '​ACCEPT'​     option ​ input           '​ACCEPT'​
Line 857: Line 860:
  
   # These rules make the assumption the default port of 1194 is not used for the VPN   # These rules make the assumption the default port of 1194 is not used for the VPN
-   +    ​# Port 5000 is being used arbitrarily for the VPN port
-  ​# Port 5000 is being used arbitrarily for the VPN port+
     ​     ​
  
     # Establish Custom Zones #     # Establish Custom Zones #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-N ​ DROP-Brute +iptables ​   -N  LOG-VPN 
-iptables ​       ​-N  LOG-VPN +iptables ​   -N  Rate_Limit
-iptables ​       -N  Rate_Limit +
- +
-    # Log All Dropped # +
-#​--------------------------------------------------- +
-iptables ​       -A  DROP-Brute ​             -j  LOG     ​--log-prefix ​   "<​[[--- BRUTE DROPPED ---]]> : " ​       --log-level 4 +
-iptables ​       -A  DROP-Brute ​             -j  DROP+
  
     # Establish Rate Limit #     # Establish Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       ​-A ​ Rate_Limit ​ -p  tcp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​1194 ​   -m  limit   ​--limit 1/min   ​--limit-burst ​  ​1 ​  ​-j ​ DROP-Brute +iptables ​   -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                               -j  LOG-VPN 
-iptables ​       ​-A  Rate_Limit ​ -p  tcp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  tcp                                                     ​-j  REJECT ​     --reject-with ​  ​tcp-reset 
-iptables ​       -A  Rate_Limit ​ -p  udp     ​--dport ​    ​5000 ​                                                   -j  LOG-VPN +iptables ​   -A  Rate_Limit ​ -p  udp                                                     ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable 
-iptables ​       -A  Rate_Limit ​ -p  tcp                                                                         ​-j  REJECT ​     --reject-with ​  ​tcp-reset +iptables ​   -A  Rate_Limit ​ !   ​-p ​     ICMP                                            -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " 
-iptables ​       -A  Rate_Limit ​ -p  udp                                                                         ​-j  REJECT ​     --reject-with ​  ​icmp-port-unreachable +iptables ​   -A  Rate_Limit ​                                                             -j  DROP
-iptables ​       -A  Rate_Limit ​ !   ​-p ​     ICMP                                                                -j  LOG         ​--log-prefix ​   "<​[[--- Connection DROPPED ---]]>: " +
-iptables ​       -A  Rate_Limit ​                                                                                 -j  DROP+
  
     # Apply Rate Limit #     # Apply Rate Limit #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ tcp     ​--dport ​    1194    ​-m ​ state   ​--state NEW -m  recent ​ --set +iptables ​   -I  INPUT       ​-p ​ tcp     ​--dport ​    5000    ​-m ​ state   ​--state NEW     ​-j ​ Rate_Limit 
-iptables ​   -w  -I  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   -j  Rate_Limit +iptables ​   -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW     ​-j ​ Rate_Limit
-iptables ​   ​-w  ​-I  INPUT       ​-p ​ udp     --dport ​    ​1194 ​   -m  state   ​--state NEW -m  recent ​ --set +
-iptables ​   -w  -I  INPUT       ​-p ​ udp     ​--dport ​    ​1194 ​   -m  state   ​--state NEW             ​--update ​   --seconds ​  ​60 ​ --hitcount ​ 1   ​-j ​ Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ tcp     --dport ​    ​5000 ​   -m  state   ​--state NEW                                                         -j  Rate_Limit +
-iptables ​       -I  INPUT       ​-p ​ udp     ​--dport ​    ​5000 ​   -m  state   ​--state NEW                                                         ​-j ​ Rate_Limit +
- +
-    # Check for bans in Rate_Limit # +
-#​--------------------------------------------------- +
-iptables ​   -w  -A  INPUT       ​-p ​ tcp     ​--dport ​    ​1194 ​   ​-j  Rate_Limit+
  
     # Log VPN Traffic #     # Log VPN Traffic #
 #​--------------------------------------------------- #​---------------------------------------------------
-iptables ​       -A  LOG-VPN ​                                    ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 +iptables ​   -A  LOG-VPN ​                                                                ​-j  LOG         ​--log-prefix ​   "<​[[--- ​ VPN Traffic ---]]> : " ​        ​--log-level 4 
-iptables ​       -A  LOG-VPN ​                                    ​-j  ACCEPT+iptables ​   -A  LOG-VPN ​                                                                ​-j  ACCEPT
  
 </​code>​\\ </​code>​\\
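Review bot: After this revision the Rate_Limit chain no longer applies any limit, and most of it is unreachable: the `-m recent`/`-m limit` rules and the DROP-Brute chain are removed, the only packets that enter Rate_Limit are NEW packets to dport 5000 (the two `-I INPUT` rules), and those are matched by the first two rules and jump to LOG-VPN, which ACCEPTs; the REJECT (tcp-reset / icmp-port-unreachable), LOG and DROP rules that follow can never match. Either restore a limit in front of the LOG-VPN jump (e.g. `-m limit --limit 1/min --limit-burst 1` as in the removed lines, with a DROP for the excess) or rename the chain and delete the dead rules. Two further points: the LOG rule in LOG-VPN logs every NEW packet to port 5000 at log-level 4 with no `-m limit`, so a flood of connection attempts fills the system log (a RAM ring buffer on OpenWrt) and hides other events; and `iptables -N LOG-VPN` / `-N Rate_Limit` fail with "Chain already exists" if the script is run a second time without the tables having been flushed, while the following `-A` lines still append duplicate rules, so guard the creation (`iptables -L Rate_Limit -n >/dev/null 2>&1 || iptables -N Rate_Limit`) or flush and delete the chains at the top to keep firewall.user idempotent. `-m state --state NEW` still works but is the legacy spelling of `-m conntrack --ctstate NEW`.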
Line 913: Line 899:
 </​WRAP>​ </​WRAP>​
  
 +</​WRAP>​
  
  
Line 918: Line 905:
  
 <WRAP indent> <WRAP indent>
-<​WRAP>​+<​WRAP ​76.5em lo>
 <wrap right button>​[[doc:​howto:​vpn.overview|VPN Overview]]</​wrap>​ <wrap right button>​[[doc:​howto:​vpn.overview|VPN Overview]]</​wrap>​
 </​WRAP>​ </​WRAP>​
Line 925: Line 912:
 ==== Config ==== ==== Config ====
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​It'​s //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​color></​wrap></​WRAP>
  
 <tabbox Information>​ <tabbox Information>​
Line 933: Line 920:
  
   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**
-    * DNS primary & secondary are [[https://developers.google.com/speed/public-dns/​docs/​using|Google's]]+    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?​url=familyshield|OpenDNS']]
     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice
       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\
Line 940: Line 927:
   * **Two or more servers can be run from this config file**   * **Two or more servers can be run from this config file**
     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\
-  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**+  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** ​\\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #​647D00>​option ​ tls_cipher</​color>''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>''​
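Review bot: The command given for listing TLS ciphers, `openssl --show-tls`, does not exist; `--show-tls` is an OpenVPN option (`openvpn --show-tls`), and `openvpn --show-ciphers` lists the data-channel ciphers selectable with `option cipher`. `openssl ciphers -V | grep SSL` does not list a class of "SSL ciphers" either: it matches suites whose minimum-protocol column reads SSLv3, i.e. the legacy CBC/SHA1 suites, the opposite of what the page wants recommended. The new bullets also blur two separate settings: ECDHE/ECDH is the key-exchange part of a control-channel TLS suite (`option tls_cipher`), while AES-256-CBC is the data-channel cipher (`option cipher`), so "EC ciphers are faster than SSL ciphers" should be rephrased as "ECDHE key exchange is cheaper than DHE and gives forward secrecy". Finally, "must be accurate to within milliseconds" overstates the clock requirement: certificate validation only needs the clock to fall inside the certificates' (and CRL's) validity period; pushing NTP is still worthwhile because a router without a real-time clock boots with a date in the past and would otherwise reject every certificate as not yet valid. "garnished" should read "obtained".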
  
  
Line 950: Line 946:
     - **Paste the following & edit accordingly**\\ \\ <code cpp>     - **Paste the following & edit accordingly**\\ \\ <code cpp>
 config openvpn '​VPNserver'​ config openvpn '​VPNserver'​
- 
     option ​ enabled ​            1     option ​ enabled ​            1
  
Line 977: Line 972:
     list    push                '​dhcp-option ​   DNS 192.168.1.1'​     list    push                '​dhcp-option ​   DNS 192.168.1.1'​
     list    push                '​dhcp-option ​   WINS 192.168.1.1'​     list    push                '​dhcp-option ​   WINS 192.168.1.1'​
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​   DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'+    list    push                '​dhcp-option ​   DNS 208.67.220.123'
     list    push                '​dhcp-option ​   NTP 129.6.15.30'​     list    push                '​dhcp-option ​   NTP 129.6.15.30'​
  
Line 992: Line 987:
     option ​ cipher ​             AES-256-CBC     option ​ cipher ​             AES-256-CBC
     option ​ auth                '​SHA512'​     option ​ auth                '​SHA512'​
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​ta.key 0'+    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0'
     ​     ​
     # TLS:     # TLS:
     option ​ tls_server ​         1     option ​ tls_server ​         1
     option ​ tls_version_min ​    1.2     option ​ tls_version_min ​    1.2
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:​TLS-RSA-WITH-AES-256-CBC-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4+    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:!kRSA'
-    option ​ remote-cert-eku ​    '​TLS Web Client Authentication'+
  
     # Logging #      # Logging # 
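Review bot: This revision drops `option remote-cert-eku 'TLS Web Client Authentication'` from the server config without a replacement, so the server no longer checks that a connecting peer presents a certificate issued for client use and would accept any certificate signed by the ICA, including a copy of the server's own. The removed line was probably broken in the first place, since UCI option names may contain only letters, digits and underscores, so the fix is to keep the check with an underscored name: `option remote_cert_tls client` (the OpenWrt init script turns that into `--remote-cert-tls client`, which checks both key usage and extended key usage) or `option remote_cert_eku 'TLS Web Client Authentication'`. Also, the new `tls_cipher` list still contains `TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384`: non-ephemeral ECDH suites give no forward secrecy, which contradicts the PFS goal stated in the TLS-Auth section; with `!kRSA` already excluding static RSA, adding `!kECDH` (or removing that suite) would make the list consistent.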
Line 1004: Line 998:
     option ​ log_append ​         '/​tmp/​openvpn.log'​     option ​ log_append ​         '/​tmp/​openvpn.log'​
     option ​ status ​             '/​tmp/​openvpn-status.log'​     option ​ status ​             '/​tmp/​openvpn-status.log'​
-    option ​ verb                ​5+    option ​ verb                ​4
  
     # Connection Options #      # Connection Options # 
Line 1042: Line 1036:
     # chroot would be ~11MB in size.     # chroot would be ~11MB in size.
  
-    ​# Modify if chroot is configured #+        ​# Modify if chroot is configured #
     #​--------------------------------------------     #​--------------------------------------------
         # option ​ ccd_exclusive ​            1         # option ​ ccd_exclusive ​            1
Line 1051: Line 1045:
         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem
         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​ta.key 0'+        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​
Line 1079: Line 1073:
       - IPP File: ''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​       - IPP File: ''<​color #​C86400>/​etc/​openvpn/​clients/​ipp.txt</​color>''​
         - File Output: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\         - File Output: ''<​color #​647D00>​John Doe (OpenWrt VPNserver Client),​10.1.0.6</​color>''​\\ \\
-  - **Start/​Restart OpenVPN**</​color>​+  - **Start/​Restart OpenVPN**
     - Connect with each client to test\\ <code bash>/​etc/​init.d/​openvpn stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​     - Connect with each client to test\\ <code bash>/​etc/​init.d/​openvpn stop ; /​etc/​init.d/​openvpn start ; tail -f /​tmp/​openvpn.log</​code>​
  
Line 1088: Line 1082:
 ==== Log Output ==== ==== Log Output ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <tabbox CCD Disabled>​ <tabbox CCD Disabled>​
Line 1099: Line 1093:
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1133: Line 1127:
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1172: Line 1166:
 ===== Clients ===== ===== Clients =====
  
-<​WRAP>​ +<​WRAP ​76.5em lo
-<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap>​+<WRAP centeralign>​<wrap warning><​color #​FFFFFF>​Server'​s TLS-Auth key goes within the inline XML space</​color></​wrap></​WRAP>
 </​WRAP>​ </​WRAP>​
  
Line 1181: Line 1175:
 ==== Android ==== ==== Android ====
  
-<​WRAP>​+<​WRAP ​indent 76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
-<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​Client]]</​wrap> ​+<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN ​for Android]]</​wrap> ​
 <color #​508CAA>​**Android Client Information**</​color>  ​ <color #​508CAA>​**Android Client Information**</​color>  ​
 +
 +<WRAP centeralign><​color #​960000>​**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //​imperative//,​ for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​
  
   * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\   * **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\
   * **PKCS12 certs are installed into the //Android Keychain//​**   * **PKCS12 certs are installed into the //Android Keychain//​**
     * As a security feature, a warning toast will always appear in the notification area due to user installed certs     * As a security feature, a warning toast will always appear in the notification area due to user installed certs
-      * This toast can be removed if you have a rooted device by following Toast Removal tutorial +      * This toast can be removed if you have a rooted device by following Toast Removal tutorial ​\\ \\ 
-    * Another option is to include all certs & keys via inline XML within the client config file\\ \\ +    * Another option is to include all certs & keys via inline XML within the client config file 
-  * **If you choose to reference the ''//​ta.key//'',​ instead of utilizing inline XML**+      * //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
 +  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML**
     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +key-direction 1
 +
 <​tls-auth>​ <​tls-auth>​
 -----BEGIN OpenVPN Static key V1----- -----BEGIN OpenVPN Static key V1-----
 #​PASTED-KEY-INLINE-HERE#​ #​PASTED-KEY-INLINE-HERE#​
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
-</​tls-auth>​ +</​tls-auth></​code>​
- +
-key-direction 1</​code>​+
     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>     - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
-tls-auth ​  ​/path/to/ta.key 1 +tls-auth ​   '​/path/to/tlsauth.key' ​1</​code>​ 
-</​code>​ +  * <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​
-  * **Some Android devices are not able to convert PKCS12 certs to x509 certs**+
     * If your device is affected, you will need to reference your individual certs in your Server Config     * If your device is affected, you will need to reference your individual certs in your Server Config
-      - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp> 
-# Encryption # 
-#​------------------------------------------------ 
-pkcs12 ​    '/​sdcard/​openvpn/​vpn-client1.p12'</​code>​ 
       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>       - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
-ca         ​'/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ +ca      '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
-cert       ​'/​sdcard/​openvpn/​vpn-client1.crt.pem'​ +cert    '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
-key        '/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​ +key     ​'/​sdcard/​openvpn/​vpn-client1.key.pem'</​code>​
-<WRAP centeralign><​wrap danger>​For compatibility with exFAT, Android sdcards have a non-customizable 664 permission structure</​wrap>​\\ <color #​AF0000>​Therefore it's //crucial// to the security of the VPN to ensure the certificate key is encrypted as specified under [[doc:​howto:​openvpn-streamlined-server-setup#​client_certs|Client Certs]]</​color></​WRAP>​ +
  
 <tabbox Config> <tabbox Config>
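Review bot: The "If your device is affected" sub-bullet tells the reader to reference the individual certs "in your Server Config"; the `ca`/`cert`/`key` lines under Add are client-side directives in the Android config, so it should read "Client Config". The matching Remove step for `pkcs12 '/sdcard/openvpn/vpn-client1.p12'` was deleted in this revision, so following the Add step now leaves both `pkcs12` and `ca`/`cert`/`key` in the file; restore the Remove step. The permission value in the warning changed from 664 to 771 with no source given, and the security argument depends on it (771 is not world-readable); either cite where the value comes from or state the risk independently of the mode, namely that any app holding the storage permission can read files on the shared sdcard, which is why the key must be encrypted. The file name `tlsauth.key` here also differs from the `tls-auth.key` introduced in the server section of this same revision.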
Line 1228: Line 1218:
  
 <code cpp> <code cpp>
-# Config Type #+    ​# Config Type #
 #​------------------------------------------------ #​------------------------------------------------
 client client
  
-# Connection ​ #+    ​# Connection ​ #
 #​------------------------------------------------ #​------------------------------------------------
 dev tun dev tun
Line 1238: Line 1228:
 remote your.ddns.com 5000 remote your.ddns.com 5000
  
-# Speed #+    ​# Speed #
 #​------------------------------------------------ #​------------------------------------------------
 +mssfix 0
 fragment 0 fragment 0
-mssfix 0 
 tun-mtu 48000 tun-mtu 48000
  
-# Reliability #+    ​# Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-remote-cert-eku ​"TLS Web Server Authentication"+ 
 +# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
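Review bot: `tls-version-min 1.2` is a sound hardening addition, but `comp-lzo` survives this hunk under `# Reliability #` merely relocated; compression applied before encryption is generally discouraged on TLS-protected links and is not a reliability setting, so consider removing it or giving it its own labelled section with the trade-off noted. The new `# --- SSL --- #` label over `cipher AES-256-CBC` is also misleading, since `cipher` (like `auth` above it) governs the data channel rather than the TLS control channel; `# --- Data channel --- #` and `# --- Control channel --- #` would describe the two groups accurately.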
Line 1266: Line 1264:
 </​tls-auth>​ </​tls-auth>​
  
-key-direction 1 +    ​# Logging #
- +
-# Logging #+
 #​------------------------------------------------ #​------------------------------------------------
 verb 5 verb 5
 </​code>​ </​code>​
 +
 +<tabbox Inline XML>
 +<color #​508CAA>​**Referencing certs via Inline XML**</​color>​
 +
 +  - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +ca        '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​
 +cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​
 +key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​
 +tls-auth ​ '/​path/​to/​tlsauth.key'​ 1</​code>​
 +  - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
 +    # Encryption #
 +#​------------------------------------------------
 +
 +# --- TLS --- #
 +key-direction 1
 +
 +<ca>
 +#​PASTE-CA-CERT-INLINE-HERE#​
 +</ca>
 +
 +<​cert>​
 +#​PASTE-VPN-SERVER-CERT-INLINE-HERE#​
 +</​cert>​
 +
 +<key>
 +#​PASTE-VPN-SERVER-KEY-INLINE-HERE#​
 +</​key>​
 +
 +<​tls-auth>​
 +-----BEGIN OpenVPN Static key V1-----
 +#​PASTE-KEY-INLINE-HERE#​
 +-----END OpenVPN Static key V1-----
 +</​tls-auth></​code>​
  
 <tabbox Toast Removal> <tabbox Toast Removal>
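Review bot: the `<cert>` and `<key>` placeholders in the Add block read PASTE-VPN-SERVER-CERT-INLINE-HERE and PASTE-VPN-SERVER-KEY-INLINE-HERE, but the lines removed above reference `vpn-client1.crt.pem` and `vpn-client1.key.pem`, so these should say CLIENT; as written a reader could paste the server's private key into a client profile. Suggest `#PASTE-VPN-CLIENT-CERT-INLINE-HERE#` and `#PASTE-VPN-CLIENT-KEY-INLINE-HERE#`. Since the inlined key now lives inside the .ovpn on the same sdcard, the Files tab's note about keeping the key encrypted still applies and deserves a cross-reference here.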
Line 1277: Line 1308:
 <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​ <color #​508CAA>​**Certificate Warning Toast Removal**</​color>​
  
-<wrap indent>​If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert, then continue</​wrap>​ +<wrap indent>​If ''<​color #​C86400>/​system/​etc/​security/​cacerts.bks</​color>''​ exists on your device, refer to CAcert ​wiki, then continue</​wrap>​ 
-  - **Method 1:**+  - <color #789600>**Method 1:**</​color>​
     - **Add certificate to Android Keychain**     - **Add certificate to Android Keychain**
       - **//​Settings//​ –> //​Security//​ –> //Install from Storage//​**\\ \\       - **//​Settings//​ –> //​Security//​ –> //Install from Storage//​**\\ \\
Line 1284: Line 1315:
       - **Android < 5.0:**       - **Android < 5.0:**
         - Move new file         - Move new file
-          - **From:** ''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ +          - <color #960000>**From:**</​color> ​''​ <color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​ 
-          - **To:** ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\+          - <color #789600>**To:**</​color> ​''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\
       - **Android > 5.0:**       - **Android > 5.0:**
         - Move new file         - Move new file
-          - **From:** ''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​ +          - <color #960000>**From:**</​color> ​''​ <color #​C86400>/​data/​misc/​user/​0/​cacerts-added/</​color>''​ 
-          - **To:** ''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ +          - <color #789600>**To:**</​color> ​''​ <color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​\\ \\ 
-  - **Method 2:** +  - <color #789600>**Method 2:**</​color>​ 
-    - **Save certificate with .pem extension**\\ \\+    - **Save certificate with** ''​.pem''​ **extension**\\ \\
     - **Garnish subject of certificate:​**     - **Garnish subject of certificate:​**
       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​       - ''//<​color #​647D00>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​color>//''​
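Review bot: "Garnish subject of certificate" in Method 2 step 2 is a wording slip that this hunk leaves in place; the `openssl x509 -subject_hash` command computes the subject hash that names the file in the cacerts directory, so "Compute the subject hash of the certificate" says what the step does. Both methods promote the VPN CA into `/system/etc/security/cacerts/`, which makes it trusted by every app on the device for any TLS connection, not only OpenVPN; a one-line caveat that the CA's private key must therefore be kept offline would be appropriate.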
Line 1307: Line 1338:
       - **//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​**       - **//​Settings//​ –> //​Security//​ –> //Trusted Credentials//​ - //​System//​**
         - If it's still under **//​User//​**:​         - If it's still under **//​User//​**:​
-          - Disable/​Re-Enable certificate in Android Settings</​color>​+          - Disable/​Re-Enable certificate in Android Settings
             - This creates a file in ''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​             - This creates a file in ''<​color #​C86400>/​data/​misc/​keychain/​cacertsadded/</​color>''​
           - Move that file to ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​           - Move that file to ''<​color #​C86400>/​system/​etc/​security/​cacerts/</​color>''​
Line 1318: Line 1349:
 ==== BSD/Linux ==== ==== BSD/Linux ====
  
-<​WRAP>​+<​WRAP ​indent 76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1343: Line 1374:
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
 +mssfix 0
 fragment 0 fragment 0
-mssfix 0 
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
-pkcs12 /​etc/​ssl/​openvpn/​vpn-client1.p12 + 
-remote-cert-eku ​"TLS Web Server Authentication"+# --- TLS --- # 
 +key-direction 1 
 +tls-version-min 1.2 
 + 
 +pkcs12 ​'/​etc/​ssl/​openvpn/​vpn-client1.p12' 
 +remote-cert-eku ​'TLS Web Server Authentication'
  
 <​tls-auth>​ <​tls-auth>​
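Review bot: this hunk duplicates the Android changes except for `pkcs12 '/etc/ssl/openvpn/vpn-client1.p12'`, so the `comp-lzo` and section-label remarks made there apply here too; keeping three near-identical client configs in sync by hand is error-prone, and a single shared block with one per-platform certificate-reference line would be easier to maintain. Quoting the path is fine (OpenVPN accepts single or double quotes around an argument), but the previous revision's unquoted form also worked for a path without spaces, so this is a style choice rather than a fix.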
Line 1369: Line 1408:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1383: Line 1420:
 ==== Windows ==== ==== Windows ====
  
-<​WRAP>​+<​WRAP ​indent 76.5em lo>
  
 <tabbox Information>​ <tabbox Information>​
Line 1390: Line 1427:
  
   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**
-    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS12</​color>''​+    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
  
  
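Review bot: the doubled backslashes in `C:\\Path\\to\\PKCS.p12` deserve a one-line reason, namely that a single backslash is an escape character in OpenVPN's config-line parser, so `\\` is required to produce a literal `\`. The example config below this tab sidesteps the issue with the relative `pkcs12 vpn-client1.p12`, which is the simpler recommendation for readers who keep the certificate beside the profile.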
Line 1410: Line 1447:
 # Speed # # Speed #
 #​------------------------------------------------ #​------------------------------------------------
-fragment 0 
 mssfix 0 mssfix 0
 +fragment 0
 tun-mtu 48000 tun-mtu 48000
  
 # Reliability # # Reliability #
 #​------------------------------------------------ #​------------------------------------------------
-comp-lzo 
 float float
 nobind nobind
 +comp-lzo
 +
 persist-key persist-key
 persist-tun persist-tun
 resolv-retry infinite resolv-retry infinite
  
-# Encryption #+    ​# Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 auth SHA512 auth SHA512
 auth-nocache auth-nocache
 +
 +# --- SSL --- #
 cipher AES-256-CBC cipher AES-256-CBC
 +
 +# --- TLS --- #
 +key-direction 1
 +tls-version-min 1.2
 +
 pkcs12 vpn-client1.p12 pkcs12 vpn-client1.p12
 remote-cert-eku "TLS Web Server Authentication"​ remote-cert-eku "TLS Web Server Authentication"​
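Review bot: `remote-cert-eku "TLS Web Server Authentication"` on the last line of this hunk keeps double quotes, whereas the Android and BSD/Linux configs changed in the same revision switched to single quotes; both forms parse identically, but the three configs should agree. The `comp-lzo` and `# --- SSL --- #` remarks on the Android config apply here as well.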
Line 1436: Line 1481:
 -----END OpenVPN Static key V1----- -----END OpenVPN Static key V1-----
 </​tls-auth>​ </​tls-auth>​
- 
-key-direction 1 
  
 # Logging # # Logging #
Line 1447: Line 1490:
  
 </​WRAP>​ </​WRAP>​
 +----
  
 +----
  
  
Line 1457: Line 1502:
 ==== Redirect Gateway (Same Subnet) ==== ==== Redirect Gateway (Same Subnet) ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <wrap warning><​color #​FFFFFF>​It'​s recommended to read Gateway Redirect **//prior to//** continuing</​color></​wrap> ​ <wrap right button>​[[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​redirect|Gateway Redirect]]</​wrap>​ <wrap warning><​color #​FFFFFF>​It'​s recommended to read Gateway Redirect **//prior to//** continuing</​color></​wrap> ​ <wrap right button>​[[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​redirect|Gateway Redirect]]</​wrap>​
Line 1465: Line 1510:
 <color #​508CAA>​**LAN Zone & InterZone Forwarding**</​color>​ <color #​508CAA>​**LAN Zone & InterZone Forwarding**</​color>​
  
-  - **//​Add://​**\\ <code cpp>+  - <color #789600>**//​Add://​**</​color>​\\ <code cpp>
 #::: Zones :::# #::: Zones :::#
 # LuCI: Network - Firewall - Zones # LuCI: Network - Firewall - Zones
Line 1478: Line 1523:
     option ​ forward ​        '​DROP'​     option ​ forward ​        '​DROP'​
     option ​ masq            1</​code>​     option ​ masq            1</​code>​
-  - **//​Add://​**\\ <code cpp>+  - <color #789600>**//​Add://​**</​color>​\\ <code cpp>
 #::: InterZone Forwarding :::# #::: InterZone Forwarding :::#
 # LuCI: Network -> Firewall -> Zones -> VPN -  # LuCI: Network -> Firewall -> Zones -> VPN - 
Line 1495: Line 1540:
 <color #​508CAA>​**Pushed Routes**</​color>​ <color #​508CAA>​**Pushed Routes**</​color>​
  
-  - **//​Remove://​**\\ <code cpp> +  - <color #960000>**//​Remove://​**</​color>​\\ <code cpp> 
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​       DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'</​code>​ +    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​ 
-  - **//​Add://​**\\ <code cpp>+  - <color #789600>**//​Add://​**</​color>​\\ <code cpp>
     list    push                '​redirect-gateway ​  def1 local'     list    push                '​redirect-gateway ​  def1 local'
     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​     list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​
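Review bot: the Remove block now lists `DNS 208.67.222.123` / `DNS 208.67.220.123` where the previous revision listed 8.8.8.8 / 8.8.4.4; confirm that the server-config section earlier on the page pushes exactly these two entries, otherwise the reader has nothing to remove. The `local` flag in `redirect-gateway def1 local` is only correct when client and server share a subnet, as the section title says; a client that reaches the server over the WAN needs plain `redirect-gateway def1`, so that distinction should be stated next to the Add block. Pushing `DNS 10.1.0.1` alongside the redirect is the right pairing, since it keeps name resolution inside the tunnel once all traffic is redirected.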
Line 1506: Line 1551:
  
 </​WRAP>​ </​WRAP>​
 +----
 +
 +----
  
  
Line 1515: Line 1563:
 ==== OpenSSL ==== ==== OpenSSL ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <tabbox Guides> <tabbox Guides>
Line 1535: Line 1583:
 ==== OpenVPN ==== ==== OpenVPN ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <tabbox Android> <tabbox Android>
Line 1569: Line 1617:
 ==== OpenWrt ==== ==== OpenWrt ====
  
-<​WRAP>​+<​WRAP ​76.5em lo>
  
 <tabbox Help> <tabbox Help>
Line 1588: Line 1636:
 </​WRAP>​ </​WRAP>​
  
 +
 +----
  
  
Line 1594: Line 1644:
 <WRAP 76.5em lo> <WRAP 76.5em lo>
  
-  * <color #4B4B4B>**//Please take the time to read//**</​color>​ +  * **//Please take the time to read//** 
-    * <color #646464>//If you refuse to help yourself, don't expect someone else to help you//</​color>​\\ \\ +    * //If you refuse to help yourself, don't expect someone else to help you//\\ \\ 
-  * <color #4B4B4B>**//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**</​color>​ +  * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​** 
-    * <color #646464>//If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWRT]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//</​color>​\\ \\ +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ 
-  * <color #4B4B4B>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ +  * <color #960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​ 
-    * <color #646464>//Most importantly,​ it's __not__ monitored for questions//</​color>​ +    * //Most importantly,​ it's __not__ monitored for questions//​ 
-    * <color #646464>//It clutters the Wiki, possibly making it more difficult for others to navigate//</​color>​+    * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.1480759675.txt.bz2 · Last modified: 2016/12/03 11:07 by tmomas