Autosave

MA-Inhalt.tex

@@ -227,6 +227,7 @@ Der durch IPsec geschützte Datenverkehr lässt sich daran erkennen, dass in den
 Für die Freigabe von IPsec-Datenverkehr in einer Firewall sind somit mehrere Regeln notwendig, während die Freigabe von OpenVPN-Verkehr über UDP-Port 1194 deutlich übersichtlicher ausfällt.
 
 \paragraph{Benutzerfreundlichkeit}
+
 Platformabhängig - bei OpenVPN eher schwach, da nur die GUI eine andere ist.
 Bei Strongswan ... Kompilieren? Ansonsten ähnlich. Betriebssystemseitige Konfiguration ist platformabhängig. -> Zertifikate installieren
 Bei Verzicht auf Strongswan ist die Benutzerfreundlichkeit definitiv platformabhängig.

openvpn-config/client.conf

@@ -1,50 +1,56 @@
 # This is the client configuration
 client
 
-# No need to bind on specific interfaces, just send udp packets to the openvpn server
+# No need to bind on specific interfaces, just send packets to the openvpn server
 nobind
 
 # Send udp packets to port 1194
 port 1194
 proto udp
 
-# We're using the layer 3 tunnel device
+# We're using the virtual network interface on layer 3
 dev tun
 
 # Specify vpn server
 remote vpn-test.inform.hs-hannover.de 1194
 
-# Certificates (relativ path to config file, absolute paths possible if needed)
+# Certificates to use. EDIT THIS SECTION to reflect your situation
-ca vpnclient/ca.crt
+ca /etc/openvpn/vpnclient/ca.crt
-cert vpnclient/jan-philipp.timme@hs-hannover.de.crt
+cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
-key vpnclient/jan-philipp.timme@hs-hannover.de.key
+key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key
 
-# Assume tls client role
+# Assume client role in tls handshake
 tls-client
 
 # Make sure the server presents a certificate with "server role"
+# This way people with proper client certificates are unable to impersonate the server
 remote-cert-tls server
 
 # Specific settings regarding TLS, chiphers and hash algorithms
+# DO NOT CHANGE THIS unless you receive explicit instructions to do so
 cipher AES-256-GCM
 auth SHA256
 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
 tls-version-min "1.2"
 
-# Make sure to detect broken sessions
+# Reduce connection timeout so connection problems are visible sooner
+connect-timeout 20
+
+# Notify server on client shutdown/restart events, so old sessions get terminated immediately
+# Try to send notification 3 times (because we're using UDP)
+explicit-exit-notify 3
+
+# Send ping message every ten seconds, expect session loss after 30 seconds of no response
 keepalive 10 30
 
-# Use this option to prevent OpenVPN from caching the password of your private key
+# Enable these if you plan to enable running on reduced privileges
-#auth-nocache
+# These options allow to keep the private key and the virtual network device handle in memory
+#persist-key
+#persist-tun
 
-# These are needed if running with reduced privileges
+# Reduce privileges after launch (uncomment and adapt on unix/linux system)
-persist-key
-persist-tun
-
-# Reduced privileges if possible (uncomment and adapt on unix/linux system)
-# Note: On some systems, the group is "nobody" instead of "nogroup".
 #user nobody
-#group nogroup
+#group nobody
 
 # Logging settings
 verb 3

openvpn-config/server.conf

@@ -3,50 +3,51 @@ port 1194
 proto udp
 proto udp6
 
-# Since we have more than one ip address, this makes openvpn respond with sender addresses
+# Since we have more than one ip address, this makes openvpn respond
+# with the right sender address
 multihome
 
-# We're using the layer 3 tunnel device
+# We're using the virtual network interface on layer 3
 dev tun
 
-# Certificates (relative paths work, too)
+# Certificates to use. Paths are relative to config file location.
 ca inform/ca.crt
 cert inform/aither.inform.hs-hannover.de.crt
 key inform/aither.inform.hs-hannover.de.key
 
-# Assume tls server role
+# Assume server role in tls handshake
 tls-server
 
-# Diffie-Hellman parameters
+# Diffie-Hellman parameter file
 dh inform/dh.pem
 
-# Certificate revocation list
+# Certificate revocation list location
+# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
 crl-verify inform/crl.pem
 
 # Make sure the client presents a certificate with "client role"
 remote-cert-tls client
 
 # Allow multiple connections using the same certificate?
-# Currently, we do.
+# There is no reason to not allow this, so it is allowed.
 duplicate-cn
 
-# We're using subnet topology
+# We're using subnet topology for IPv4 tunnel connectivity
 topology subnet
 
-# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
+# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
 server 10.2.0.0 255.255.0.0
 
 # Use this IPv6 network for clients
 server-ipv6 2001:638:614:1750::/64
 
-# Do we need persistence here?
+# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
-# No, not yet. Probably never.
+# This is needed because the IPv4 route for DMZ is pushed below,
-#ifconfig-pool-persist inform/ipp.txt
+# which overlaps the OpenVPN server IPv4 address.
-
-# Make sure the client can still reach the OpenVPN server via its default gateway
 push "route remote_host 255.255.255.255 net_gateway"
 
 # Push routes for local IPv4 networks
+#
 # DMZ
 push "route 141.71.38.0 255.255.255.0 vpn_gateway"
 # Inform
@@ -68,6 +69,9 @@ push "route 141.71.2.0 255.255.255.0 vpn_gateway"
 
 # Push routes for local IPv6 networks
 # (The vpn_gateway placeholder does not work here.)
+# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will
+# automatically trigger creating a direct route to the OpenVPN server on the client.
+#
 # DMZ
 push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
 # Inform
@@ -79,20 +83,31 @@ push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
 # Cluster
 push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
 
-# Specific settings regarding TLS, chiphers and hash algorithms
+# Global settings regarding TLS, chiphers and hash algorithms
+# These settings MUST BE CONGRUENT with client configurations.
+# If you change these, make sure you update the provided client config file
+# and you NOTIFY ALL USERS to update their configuration!
 cipher AES-256-GCM
 auth SHA256
 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
 tls-version-min "1.2"
 
-# Make sure to detect broken sessions
+# Disable cipher negotiation on server side
+ncp-disable
+
+# Send ping message every ten seconds, expect session loss after 60 seconds of no response
 keepalive 10 60
 
-# These are needed for reduced privileges? Probably yes.
+# Notify clients when the server restarts or shuts down.
+# Default behaviour: Tell clients to try to connect to the same server again.
+explicit-exit-notify 1
+
+# Enable these if you plan to enable running on reduced privileges
+# These options allow to keep the private key and the virtual network device handle in memory
 persist-key
 persist-tun
 
-# Reduced privileges
+# Reduce privileges after launch (uncomment and adapt on unix/linux system)
 user nobody
 group nogroup
 
@@ -100,5 +115,6 @@ group nogroup
 verb 3
 mute 5
 
-# Have a status log
+# Print a list of active sessions into this file
+# This might be helpful if you plan big maintenance
 status inform/status.log