userdoc:tt_openvpn_server

Differences

This shows you the differences between two versions of the page.

userdoc:tt_openvpn_server [2014/10/22 10:50]
droemel [OpenVPN Server Configuration]
userdoc:tt_openvpn_server [2018/12/01 12:26] (current)
mkeuter
Line 1: Line 1:
 ====== OpenVPN Configuration ====== ====== OpenVPN Configuration ======
  
-[[http://openvpn.net/|OpenVPN]] is arguably the easiest to use, highly secure, open source VPN available.  The addition of OpenVPN Client support for iOS and Andriod mobile devices has led to new supported features in AstLinux.  Features include a dual IPv4/IPv6 tunnel, TLS-Auth for added security, and ''client.ovpn'' file export to easily configure mobile devices and desktops.+[[http://openvpn.net/|OpenVPN]] is an easy to use, secure, open source VPN.  The addition of OpenVPN Client support for iOS and Andriod mobile devices has led to new supported features in AstLinux.  Features include a dual IPv4/IPv6 tunnel, TLS-Auth for added security, and ''client.ovpn'' file export to easily configure mobile devices and desktops.
  
  
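Review bot: the misspelling "Andriod" survives the rewording on both sides of this hunk; while toning down "arguably the easiest to use, highly secure" to "an easy to use, secure", also correct it to "Android" in the new text, since the sentence is the one that introduces mobile client support.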
Line 45: Line 45:
     * ''mute 20''     * ''mute 20''
  
-!!Tip ->!! If you also want to route packets to client networks: [[http://doc.astlinux.org/userdoc:tt_openvpn_client_networks|OpenVPN Client Networks]]+!!Tip ->!! If you also want to route packets to client networks: [[userdoc:tt_openvpn_client_networks|OpenVPN Client Networks]]
  
 {{:userdoc:ovpn-server-auth.jpg?nolink|}} {{:userdoc:ovpn-server-auth.jpg?nolink|}}
Line 55: Line 55:
   * Extra TLS-Auth:  Enable a kind of "HMAC  firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.  "Yes" is a good choice if **all** clients support it. //[client.ovpn]//   * Extra TLS-Auth:  Enable a kind of "HMAC  firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.  "Yes" is a good choice if **all** clients support it. //[client.ovpn]//
  
-{{:userdoc:ovpn-server-firewall.jpg?nolink|}}+{{:userdoc:ovpn-server-firewall.png?nolink|}}
  
-  * External Hosts:  Define a space separated list of allowed IPv4/IPv6 addresses via the external interface. The external firewall rules are automatically created by the [[http://doc.astlinux.org/userdoc:tt_firewall_plugins#openvpn-server|openvpn-server plugin]] .  The firewall must be enabled, see the "Enable Firewall" section below for more info.+  * External Hosts:  Define a space separated list of allowed IPv4/IPv6 addresses via the external interface. The external firewall rules are automatically created by the [[userdoc:tt_firewall_plugins#openvpn-server|openvpn-server plugin]] .  The firewall must be enabled, see the "Enable Firewall" section below for more info. 
 +  * Client Isolation:  Choose to "Pass" or "Deny" Client->Client traffic. "Deny" isolates connected clients, blocking access with each other. //(AstLinux 1.3.5 and later)//
  
 !!Tip ->!! Allow any external IPv4/IPv6 address by defining "External Hosts:" to "0/0". !!Tip ->!! Allow any external IPv4/IPv6 address by defining "External Hosts:" to "0/0".
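Review bot: the new "Client Isolation" bullet should say which setting the page recommends, since "Deny" (clients isolated from each other) is the conservative choice when remote clients only need the server-side networks, and "Pass" is only needed when clients must reach one another; "blocking access with each other" also reads better as "blocking access between them". Minor: there is a stray space before the period after "openvpn-server plugin]]" on the new side of the External Hosts bullet.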
Line 63: Line 64:
 {{:userdoc:ovpn-server-server.jpg?nolink|}} {{:userdoc:ovpn-server-server.jpg?nolink|}}
  
-  * Server Hostname:  Does not effect the OpenVPN server configuration, rather it is only used when downloading client credentials containing ''client.ovpn'' files.  It is used to define the hostname of the server from the client's point of view.  This entry can be a DNS hostname, IPv4 or IPv6 manual address.  //[client.ovpn]//+  * Server Hostname(s):  Does not effect the OpenVPN server configuration, rather it is only used when downloading client credentials containing ''client.ovpn'' files.  It is used to define the hostname of the server from the client's point of view.  This entry can be a DNS hostname, IPv4 or IPv6 manual address.  !!AstLinux 1.2.1 and later!! this may contain a space separated list of hosts for failover. //[client.ovpn]//
  
   * Network IPv4 NM:  Define an IPv4 address and NetMask, space separated, which configures the server tunnel device ''tun0'' network.   * Network IPv4 NM:  Define an IPv4 address and NetMask, space separated, which configures the server tunnel device ''tun0'' network.
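Review bot: "Does not effect the OpenVPN server configuration" should be "Does not affect" on the new side (the typo is carried over from the old text), and the added clause "!!AstLinux 1.2.1 and later!! this may contain a space separated list of hosts for failover" needs a colon or comma after the version callout. It would also help to state the order in which the client tries the listed hosts, so the reader knows what "failover" means for the generated ''client.ovpn''.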
Line 91: Line 92:
 Create new clients, then download their credentials. Keep it secure!  Create new clients, then download their credentials. Keep it secure! 
  
-!!Note ->!! Create unique credentials for each client! If 2 different clients connect with the same credentials, the second client will log out the first one, then the first one will be re-connecting automatically and again logging out the second, and so on :-).+!!Note ->!! Create unique credentials for each client! If 2 different clients connect with the same credentials at the same time, the second client will log out the first one, then the first one will be re-connecting automatically and again logging out the second, and so on :-).
  
 {{:userdoc:ovpn-credentials-files2.jpg?nolink|}} {{:userdoc:ovpn-credentials-files2.jpg?nolink|}}
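Review bot: adding "at the same time" correctly narrows the note to concurrent connections with shared credentials; for readability "If 2 different clients" should read "If two different clients", and "the first one will be re-connecting automatically and again logging out the second" reads better as "the first one will reconnect automatically and log out the second again".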
Line 118: Line 119:
  
 Additionally, the OpenVPN server tunnel is NAT'ed via the external interface, such that if an exiting IPv4 tunnel packet is routed out through the external interface it will have a NAT'ed path back into the tunnel. Additionally, the OpenVPN server tunnel is NAT'ed via the external interface, such that if an exiting IPv4 tunnel packet is routed out through the external interface it will have a NAT'ed path back into the tunnel.
- 
  
 ===== Apple iOS Client Configuration ===== ===== Apple iOS Client Configuration =====
Line 189: Line 189:
 \\ \\
 \\ \\
-**OpenVPN Client for Mac OS X:**  [[http://code.google.com/p/tunnelblick/wiki/DownloadsEntry|Tunnelblick]]  //(Free)//\\+**OpenVPN Client for Mac OS X:**  [[https://tunnelblick.net|Tunnelblick]]  //(Free)//\\
 {{:userdoc:ovpn-tunnelblick-icon.png?nolink|}} {{:userdoc:ovpn-tunnelblick-icon.png?nolink|}}
 \\ \\
Line 196: Line 196:
  
 \\ \\
- 
 ===== Windows Client Configuration ===== ===== Windows Client Configuration =====
  
Line 207: Line 206:
 \\ \\
 \\ \\
-**OpenVPN Client for Windows:**  [[http://openvpn.net/index.php/open-source/downloads.html|Windows Installer/GUI]]  //(Free)//\\+**OpenVPN Client for Windows:**  [[https://openvpn.net/community-downloads/|Windows Installer/GUI]]  //(Free)//\\
 {{:userdoc:ovpn-openvpn-icon.png?nolink|}} {{:userdoc:ovpn-openvpn-icon.png?nolink|}}
 \\ \\
Line 213: Line 212:
 The OpenVPN folks offer a free Windows Installer and GUI for the OpenVPN package. The OpenVPN folks offer a free Windows Installer and GUI for the OpenVPN package.
  
-Using the above link download the "Windows Installer" (32-bit) or (64-bit) for your Windows system This example uses Windows7. Download the latest version, and install using the default selections.+Using the above link download the "Windows Installer". This example uses Windows7. Download the latest version, and install using the default selections.
  
 Next, download your credentials from the AstLinux OpenVPN server page, unzip the package, and using the **openvpn-cert-key** format ''client.ovpn'' file, place the (''win7.ovpn'' in this example) file into the following folder: Next, download your credentials from the AstLinux OpenVPN server page, unzip the package, and using the **openvpn-cert-key** format ''client.ovpn'' file, place the (''win7.ovpn'' in this example) file into the following folder:
  
-  C:\Program Files\OpenVPN\config +  C:\Users\<USER>\OpenVPN\config\
-   +
-On newer OpenVPN versions the "config" folder must be created manually.+
  
-{{:userdoc:ovpn-win-gui-config.jpg?nolink|}}+Or more simply, find the OpenVPN task in the system tray, right-click on it, select "Import file..." and select your named **openvpn-cert-key** format ''client.ovpn'' file.
  
-Alternatively, you could use the **openvpn-pkcs12** format ''client.ovpn'' and ''client.p12'' files, place both the (''win7.ovpn'' and ''win7.p12'' in this example) files into the folder.+{{:userdoc:ovpn-win-gui-import.png?nolink|}}
  
-That's itnext start the OpenVPN-GUI service.  This procedure can vary depending on your version of Windows.  The OpenVPN-GUI service __needs to have administrator permissions__ to add and delete routes and such. For the Windows7 case, right-click the OpenVPN-GUI icon and "Run as administrator".+Nextyou are ready to connect to your OpenVPN server, right-click on the OpenVPN task in the system tray:
  
-!!Note ->!! Make sure you understand the security implications of running any application with administrator privileges.+{{:userdoc:ovpn-win-gui-task.png?nolink|}}
  
-{{:userdoc:ovpn-win-gui-permissions.jpg?nolink|}}+Finally, select "Connect" and a connection window will appear, then disappear when the connection is established.
  
-Provided that all goes well, you are ready to connect to your OpenVPN server, find the OpenVPN task in the system tray, right-click on it: +{{:userdoc:ovpn-win-gui-connect.png?nolink|}}
- +
-{{:userdoc:ovpn-win-gui-task.jpg?nolink|}} +
- +
-Finally, select "Connect" and a connection window will appear, then disappear when the connection is established.+
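Review bot: the rewrite drops the paragraph about the **openvpn-pkcs12** format (''client.ovpn'' plus ''client.p12'') without saying whether the new "Import file..." path also accepts it; either keep one sentence for that format or state that only the **openvpn-cert-key** format is covered here. The new per-user path ''C:\Users\<USER>\OpenVPN\config\'' is consistent with removing the "Run as administrator" step, but since the old note on the security implications of administrator privileges is removed as well, the new text should say in one sentence whether the current GUI still needs elevated permissions to add routes. Minor punctuation on the new side: "Using the above link, download ..." and "Next, you are ready ...".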
  • userdoc/tt_openvpn_server.1413993013.txt.gz
  • Last modified: 2014/10/22 10:50
  • by droemel