Difference between revisions of "Miscellaneous openVPN issues"

From Notes_Wiki
m
m
Line 30: Line 30:
128.0.0.0/1
128.0.0.0/1
</pre>
</pre>
as these routes are more specific then 0.0.0.0/0 (default route) these should get preference and most Internet traffic then should get routed via VPN connection.
as these routes are more specific then 0.0.0.0/0 (default route) these should get preference and most Internet traffic then should get routed via VPN connection. If the same is desired with client configuration instead of server configuration (ie for specific clients) then VPN gateway can be found using:
<pre>
ifconfig | grep '172\.16\.' | grep -o '\([0-9]\+\.\)\{3,\}[0-9]*' | head -2 | tail -1
</pre>
where '172\.16\.' should be replaced with VPN network.  Once gateway is known the routes can be added using scripts such as [[Script for connecting to openVPN and updating nameserver appropriately]]




<yambe:breadcrumb>Openvpn_server_configuration|Openvpn server configuration</yambe:breadcrumb>
<yambe:breadcrumb>Openvpn_server_configuration|Openvpn server configuration</yambe:breadcrumb>

Revision as of 02:54, 18 April 2014

<yambe:breadcrumb>Openvpn_server_configuration|Openvpn server configuration</yambe:breadcrumb>

Miscellaneous openvpn issues

Adding CRL (Certificate Revocation List) configuration to openvpn server

For CRL support use revoke option as specified in easy-rsa to generate CRL file. Then in server.conf use 'crl-verify <crl-file>' option



Inline certificate, keys and tls-auth configuration

If preferred then it is possible to specify CA certificate, client or server certificate, client or server key and tls-auth in the configuration file itself as follows:

           <ca>
           -----BEGIN CERTIFICATE-----
           [...]
           -----END CERTIFICATE-----
           </ca>

For other values use tags key, cert, dh, secret and tls-auth. Refer to 'man openvpn' for more information.


Forcing all Internet traffic over VPN connection

If it makes sense for some reason to force all Internet traffic to go over VPN connection then push following routes to client:

0.0.0.0/1
128.0.0.0/1

as these routes are more specific then 0.0.0.0/0 (default route) these should get preference and most Internet traffic then should get routed via VPN connection. If the same is desired with client configuration instead of server configuration (ie for specific clients) then VPN gateway can be found using:

ifconfig | grep '172\.16\.' | grep -o '\([0-9]\+\.\)\{3,\}[0-9]*' | head -2 | tail -1

where '172\.16\.' should be replaced with VPN network. Once gateway is known the routes can be added using scripts such as Script for connecting to openVPN and updating nameserver appropriately


<yambe:breadcrumb>Openvpn_server_configuration|Openvpn server configuration</yambe:breadcrumb>