OpenVPN
From Whitespace (Hackerspace Gent)
(Difference between revisions)
(→Client config Linux) |
(→Client config Linux) |
||
| Line 51: | Line 51: | ||
mute 20 | mute 20 | ||
| − | === Client config | + | === Client config Wintendo === |
| + | <code> | ||
| + | client | ||
| + | remote members.0x20.be 1194 | ||
| + | proto udp | ||
| + | dev tun | ||
| + | |||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | |||
| + | user nobody | ||
| + | group nogroup | ||
| + | |||
| + | persist-key | ||
| + | persist-tun | ||
| + | |||
| + | ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca-0x20-cert.pem" | ||
| + | cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-hansf.cert" | ||
| + | key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-hansf.key" | ||
| + | |||
| + | |||
| + | ns-cert-type server | ||
| + | |||
| + | # If a tls-auth key is used on the server | ||
| + | # then every client must also have the key. | ||
| + | ;tls-auth ta.key 1 | ||
| + | |||
| + | cipher AES-256-CBC | ||
| + | comp-lzo | ||
| + | |||
| + | verb 3 | ||
| + | mute 20 | ||
| + | </code> | ||
== Server == | == Server == | ||
Revision as of 17:10, 5 November 2011
Contents |
Client
Create a new key
$ openssl genrsa -aes256 -out 0x20-vpn-your_name_here.key 2048
Create a Certificate signing request
$ openssl req -new -key 0x20-vpn-your_name_here.key -out 0x20-vpn-your_name_here.csr
countryName = BE
stateOrProvinceName = Ghent
organizationName = 0x20
organizationalUnitName = members
commonName = your_name_here
Get your certificate signed
Mail your CSR(certificate signing request) to someone who has access to the 0x20 CA. Best is being physically present in the space.
Sign cert:
$ openssl ca -in ../0x20-vpn-your_name_here.csr -cert ca-0x20-cert.pem -keyfile private/ca-0x20-key.pem -out 0x20-vpn-your_name_here.cert -config ./openssl.cnf
Client config Linux
- apt-get install openvpn
- create following config file: /etc/openvpn/0x20-vpn.conf and change values in bold
client
remote members.0x20.be 1194
proto udp
dev tun
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca certs/ca-0x20-cert.pem
cert certs/0x20-vpn-<name>.cert
key certs/0x20-vpn-<name>.key
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
Client config Wintendo
client
remote members.0x20.be 1194
proto udp
dev tun
resolv-retry infinite nobind
user nobody group nogroup
persist-key persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca-0x20-cert.pem" cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-hansf.cert" key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-hansf.key"
ns-cert-type server
- If a tls-auth key is used on the server
- then every client must also have the key.
- tls-auth ta.key 1
cipher AES-256-CBC comp-lzo
verb 3 mute 20
Server
The virtual network exist out of two parts: 1) a point-to-point vpn that connects the big pipe server at the ibbt with the the whitespace network 2) a server-client vpn that allows users to
