OpenVPN
From Whitespace (Hackerspace Gent)
Revision as of 16:44, 5 November 2011
Client
Create a new key
$ openssl genrsa -aes256 -out 0x20-vpn-your_name_here.key 2048
Create a Certificate signing request
$ openssl req -new -key 0x20-vpn-your_name_here.key -out 0x20-vpn-your_name_here.csr
countryName = BE
stateOrProvinceName = Ghent
organizationName = 0x20
organizationalUnitName = members
commonName = your_name_here
Get your certificate signed
Mail your CSR (certificate signing request) to someone who has access to the 0x20 CA. Best is being physically present in the space.
Sign cert:
$ openssl ca -in ../0x20-vpn-your_name_here.csr -cert ca-0x20-cert.pem -keyfile private/ca-0x20-key.pem -out 0x20-vpn-your_name_here.cert -config ./openssl.cnf
Client config Linux
client
remote members.0x20.be 1194
proto udp
dev tun
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca certs/ca-0x20-cert.pem
cert certs/0x20-vpn-<name>.cert
key certs/0x20-vpn-<name>.key
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
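As an added check (my own code, not part of the wiki page or of OpenVPN), a short Python lint over the client config above that flags the settings a reviewer would question: ns-cert-type (deprecated in OpenVPN 2.4 and removed in 2.5 in favour of remote-cert-tls server), the commented-out tls-auth line, and comp-lzo. The config text is copied from the page with <name> left as the page's placeholder.

```python
# Added example (not from the wiki page or the OpenVPN project): a small lint
# pass over the 0x20 client config. Sample input copied from the page above.
CLIENT_CONFIG = """\
client
remote members.0x20.be 1194
proto udp
dev tun
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca certs/ca-0x20-cert.pem
cert certs/0x20-vpn-<name>.cert
key certs/0x20-vpn-<name>.key
ns-cert-type server
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
"""

def parse_config(text):
    # Split into active and commented-out directives (OpenVPN treats
    # lines starting with '#' or ';' as comments).
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.strip("#; "):
            continue
        target = commented if line[0] in "#;" else active
        target.append(line.lstrip("#;").split())
    return active, commented

def lint_client_config(text):
    # Return findings a reviewer would raise about the hardening settings.
    active, commented = parse_config(text)
    names = {d[0] for d in active}
    off = {d[0] for d in commented}
    findings = []
    if "ns-cert-type" in names:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    if not names & {"tls-auth", "tls-crypt"}:
        why = "commented out" if "tls-auth" in off else "missing"
        findings.append(f"tls-auth {why}: control channel has no HMAC key")
    if "comp-lzo" in names:
        findings.append("comp-lzo: compression is deprecated, leave it off")
    return findings
```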
Server
The virtual network consists of two parts: 1) a point-to-point VPN that connects the big pipe server at the IBBT with the Whitespace network 2) a server-client VPN that allows users to