Miscellaneous openVPN issues

From Notes_Wiki

Home > CentOS > CentOS 6.x > Openvpn server configuration > Miscellaneous openVPN issues

Adding CRL (Certificate Revocation List) configuration to openvpn server

For CRL support use revoke option as specified in easy-rsa to generate CRL file. Then in server.conf use 'crl-verify <crl-file>' option



Inline certificate, keys and tls-auth configuration

If preferred then it is possible to specify CA certificate, client or server certificate, client or server key and tls-auth in the configuration file itself as follows:

           <ca>
           -----BEGIN CERTIFICATE-----
           [...]
           -----END CERTIFICATE-----
           </ca>

For other values use tags key, cert, dh, secret and tls-auth. Refer to 'man openvpn' for more information. Also in case tls-auth is made inline then key-direction can be provided using:

key-direction 1

in the client configuration file.


Forcing all Internet traffic over VPN connection

If it makes sense for some reason to force all Internet traffic to go over VPN connection then push following routes to client:

0.0.0.0/1
128.0.0.0/1

as these routes are more specific then 0.0.0.0/0 (default route) these should get preference and most Internet traffic then should get routed via VPN connection. If the same is desired with client configuration instead of server configuration (ie for specific clients) then VPN gateway can be found using:

ifconfig | grep '172\.16\.' | grep -o '\([0-9]\+\.\)\{3,\}[0-9]*' | head -2 | tail -1

where '172\.16\.' should be replaced with VPN network. Once gateway is known the routes can be added using scripts such as Script for connecting to openVPN and updating nameserver appropriately


Home > CentOS > CentOS 6.x > Openvpn server configuration > Miscellaneous openVPN issues