Difference between revisions of "Miscellaneous openVPN issues"
Revision as of 02:54, 18 April 2014
Miscellaneous openvpn issues
Adding CRL (Certificate Revocation List) configuration to openvpn server
For CRL support, use the revoke option as specified in easy-rsa to generate the CRL file. Then, in server.conf, use the 'crl-verify <crl-file>' option.
Inline certificate, keys and tls-auth configuration
If preferred, it is possible to specify the CA certificate, the client or server certificate, the client or server key, and tls-auth in the configuration file itself, as follows:
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
For other values, use the tags key, cert, dh, secret and tls-auth. Refer to 'man openvpn' for more information.
Forcing all Internet traffic over VPN connection
If it makes sense for some reason to force all Internet traffic to go over the VPN connection, push the following routes to the client:
0.0.0.0/1
128.0.0.0/1
As these routes are more specific than 0.0.0.0/0 (the default route), they should get preference, and most Internet traffic should then get routed via the VPN connection. If the same is desired with client configuration instead of server configuration (i.e. for specific clients), the VPN gateway can be found using:
ifconfig | grep '172\.16\.' | grep -o '\([0-9]\+\.\)\{3,\}[0-9]*' | head -2 | tail -1
where '172\.16\.' should be replaced with the VPN network. Once the gateway is known, the routes can be added using scripts such as "Script for connecting to openVPN and updating nameserver appropriately".
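The client-side procedure above as a dry-run sketch. This is an added example, not code from this wiki: the function names vpn_gateway and route_commands are hypothetical, and both ifconfig samples are constructed. Unlike the one-liner, it picks the peer address by field name rather than by position, so it also handles the newer ifconfig layout, where the second address on the line is the netmask.

```shell
#!/bin/sh
# Added example (dry run): find the VPN peer address, then print the two /1 routes.

# Constructed samples: older and newer net-tools ifconfig output for a tun device.
SAMPLE_OLD='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00
          inet addr:172.16.0.6  P-t-P:172.16.0.5  Mask:255.255.255.255'
SAMPLE_NEW='tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.16.0.6  netmask 255.255.255.255  destination 172.16.0.5'

# vpn_gateway PREFIX: read ifconfig output on stdin and print the point-to-point
# peer of the first address that starts with PREFIX (for example "172.16.").
vpn_gateway() {
    pfx=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n \
        -e "s/.*inet addr:${pfx}[0-9.]*  *P-t-P:\([0-9.]*\).*/\1/p" \
        -e "s/.*inet ${pfx}[0-9.]* .*destination \([0-9.]*\).*/\1/p" | head -n 1
}

# route_commands GATEWAY: print the commands instead of running them, and
# refuse anything that is not a dotted quad so a failed lookup adds no route.
route_commands() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "refusing: '$1' is not an IPv4 address" >&2
        return 1
    }
    printf 'ip route add 0.0.0.0/1 via %s\n' "$1"
    printf 'ip route add 128.0.0.0/1 via %s\n' "$1"
}

# Live use (as root, once the tunnel is up), hypothetical invocation:
#   gw=$(ifconfig | vpn_gateway '172.16.') && route_commands "$gw" | sh
```

Review the printed commands before piping them to a shell; the default route stays in the table and is only overridden by the two more specific entries.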