From 7dbe58aeda0a1ef456791d6e905ec9d28abdb306 Mon Sep 17 00:00:00 2001
From: Jan Philipp Timme
Date: Wed, 19 Sep 2018 21:48:08 +0200
Subject: [PATCH] Minor fixups in config
---
 openvpn-config/vpnclient.conf | 3 ++-
 openvpn-config/vpnserver.conf | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/openvpn-config/vpnclient.conf b/openvpn-config/vpnclient.conf
index d5bb8e2..0370458 100644
--- a/openvpn-config/vpnclient.conf
+++ b/openvpn-config/vpnclient.conf
@@ -14,7 +14,7 @@ dev tun
 # Specify vpn server
 remote vpn-test.inform.hs-hannover.de 1194
-# Certificates
+# Certificates (relative paths work, too)
 ca /etc/openvpn/vpnclient/ca.crt
 cert /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.crt
 key /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.key
@@ -39,6 +39,7 @@ persist-key
 persist-tun
 # Reduced privileges if possible (uncomment and adapt on unix/linux system)
+# Note: On some systems, the group is "nobody" instead of "nogroup".
 user nobody
 group nogroup
diff --git a/openvpn-config/vpnserver.conf b/openvpn-config/vpnserver.conf
index cc5dd44..80db76d 100644
--- a/openvpn-config/vpnserver.conf
+++ b/openvpn-config/vpnserver.conf
@@ -1,13 +1,15 @@
 # Listen on 1194 for both IPv4 and IPv6
 port 1194
-multihome
 proto udp
 proto udp6
+# Since we have more than one ip address, this makes openvpn respond with sender addresses
+multihome
+
 # We're using the layer 3 tunnel device
 dev tun
-# Certificates
+# Certificates (relative paths work, too)
 ca /etc/openvpn/vpnserver/ca.crt
 cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
 key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key
@@ -25,7 +27,8 @@ crl-verify /etc/openvpn/vpnserver/crl.pem
 remote-cert-tls client
 # Allow multiple connections using the same certificate?
-#duplicate-cn
+# Currently, we do.
+duplicate-cn
 # We're using subnet topology
 topology subnet
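Review bot: The comment added above `multihome` in the `@@ -1,13 +1,15 @@` hunk of vpnserver.conf is hard to read — "respond with sender addresses" suggests replies carry the client's address, whereas the option (as I understand the documented behaviour; confirm against the manual) makes the server answer from the local address the client's packet arrived on, which is what matters on a host with several addresses. Suggest `# This host has several addresses: reply from the one the client sent to, not the interface default.` so the next reader does not have to look the option up.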
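Review bot: Enabling `duplicate-cn` in the `@@ -25,7 +27,8 @@` hunk of vpnserver.conf drops the one-session-per-certificate guarantee, and the added `# Currently, we do.` records the decision without its consequences: a copied or shared client key can no longer be distinguished from its legitimate holder in the server's status output, and revoking it through the `crl-verify` list named in the hunk header cuts off every session using it at once. It also makes per-CN mechanisms such as the `ifconfig-pool-persist` line discussed later in this patch unreliable, since several concurrent clients then share one CN. Suggest the comment state the reason and the trade-off, e.g. `# Yes, for now: one certificate is shared by several clients. This loses per-client accountability and a revocation hits all of them.`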
@@ -37,7 +40,7 @@ server 10.2.0.0 255.255.0.0
 server-ipv6 2001:638:614:1750::/64
 # Do we need persistence here?
-# No, not yet.
+# No, not yet. Probably never.
 #ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt
 # Make sure the client can still reach the OpenVPN server via its default gateway
@@ -50,7 +53,8 @@ push "route 10.3.1.0 255.255.255.0 vpn_gateway"
 push "route 10.0.0.0 255.255.255.0 vpn_gateway"
 # Push the whole /56 block for IPv6
-push "route-ipv6 2003:638:614:1700::/56"
+# (The vpn_gateway placeholder does not work here.)
+push "route-ipv6 2003:638:614:1700::/56 2001:638:614:1750::1"
 # Specific settings regarding TLS, chiphers and hash algorithms
 cipher AES-256-GCM
@@ -74,4 +78,5 @@ verb 3
 mute 5
 # Have a status log if needed.
+# We do not need it.
 # status /etc/openvpn/vpnserver/status.log
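Review bot: The new `push "route-ipv6 2003:638:614:1700::/56 2001:638:614:1750::1"` line in the `@@ -50,7 +53,8 @@` hunk carries over a prefix that looks like a typo: the server's pool is `server-ipv6 2001:638:614:1750::/64` in the previous hunk and the gateway on the same line is `2001:638:614:1750::1`, so the enclosing /56 the comment promises would be `2001:638:614:1700::/56`, not `2003:…`. If `2003:638:614:1700::/56` really is someone else's address space, clients are told to send traffic for it into the tunnel although the server has no route for it; if it is a typo, the block the comment describes is never routed through the VPN at all. Suggest `push "route-ipv6 2001:638:614:1700::/56 2001:638:614:1750::1"` once the intended prefix is confirmed, with the comment naming which block this is.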