Autosave
This commit is contained in:
parent
47235ac506
commit
e68f3d4134
@ -227,6 +227,7 @@ Der durch IPsec geschützte Datenverkehr lässt sich daran erkennen, dass in den
|
||||
Für die Freigabe von IPsec-Datenverkehr in einer Firewall sind somit mehrere Regeln notwendig, während die Freigabe von OpenVPN-Verkehr über UDP-Port 1194 deutlich übersichtlicher ausfällt.
|
||||
|
||||
\paragraph{Benutzerfreundlichkeit}
|
||||
|
||||
Platformabhängig - bei OpenVPN eher schwach, da nur die GUI eine andere ist.
|
||||
Bei Strongswan ... Kompilieren? Ansonsten ähnlich. Betriebssystemseitige Konfiguration ist platformabhängig. -> Zertifikate installieren
|
||||
Bei Verzicht auf Strongswan ist die Benutzerfreundlichkeit definitiv platformabhängig.
|
||||
|
@ -1,50 +1,56 @@
|
||||
# This is the client configuration
|
||||
client
|
||||
|
||||
# No need to bind on specific interfaces, just send udp packets to the openvpn server
|
||||
# No need to bind on specific interfaces, just send packets to the openvpn server
|
||||
nobind
|
||||
|
||||
# Send udp packets to port 1194
|
||||
port 1194
|
||||
proto udp
|
||||
|
||||
# We're using the layer 3 tunnel device
|
||||
# We're using the virtual network interface on layer 3
|
||||
dev tun
|
||||
|
||||
# Specify vpn server
|
||||
remote vpn-test.inform.hs-hannover.de 1194
|
||||
|
||||
# Certificates (relativ path to config file, absolute paths possible if needed)
|
||||
ca vpnclient/ca.crt
|
||||
cert vpnclient/jan-philipp.timme@hs-hannover.de.crt
|
||||
key vpnclient/jan-philipp.timme@hs-hannover.de.key
|
||||
# Certificates to use. EDIT THIS SECTION to reflect your situation
|
||||
ca /etc/openvpn/vpnclient/ca.crt
|
||||
cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
|
||||
key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key
|
||||
|
||||
# Assume tls client role
|
||||
# Assume client role in tls handshake
|
||||
tls-client
|
||||
|
||||
# Make sure the server presents a certificate with "server role"
|
||||
# This way people with proper client certificates are unable to impersonate the server
|
||||
remote-cert-tls server
|
||||
|
||||
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
||||
cipher AES-256-GCM
|
||||
auth SHA256
|
||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
tls-version-min "1.2"
|
||||
|
||||
# Make sure to detect broken sessions
|
||||
# Reduce connection timeout so connection problems are visible sooner
|
||||
connect-timeout 20
|
||||
|
||||
# Notify server on client shutdown/restart events, so old sessions get terminated immediately
|
||||
# Try to send notification 3 times (because we're using UDP)
|
||||
explicit-exit-notify 3
|
||||
|
||||
# Send ping message every ten seconds, expect session loss after 30 seconds of no response
|
||||
keepalive 10 30
|
||||
|
||||
# Use this option to prevent OpenVPN from caching the password of your private key
|
||||
#auth-nocache
|
||||
# Enable these if you plan to enable running on reduced privileges
|
||||
# These options allow to keep the private key and the virtual network device handle in memory
|
||||
#persist-key
|
||||
#persist-tun
|
||||
|
||||
# These are needed if running with reduced privileges
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Reduced privileges if possible (uncomment and adapt on unix/linux system)
|
||||
# Note: On some systems, the group is "nobody" instead of "nogroup".
|
||||
# Reduce privileges after launch (uncomment and adapt on unix/linux system)
|
||||
#user nobody
|
||||
#group nogroup
|
||||
#group nobody
|
||||
|
||||
# Logging settings
|
||||
verb 3
|
||||
|
@ -3,50 +3,51 @@ port 1194
|
||||
proto udp
|
||||
proto udp6
|
||||
|
||||
# Since we have more than one ip address, this makes openvpn respond with sender addresses
|
||||
# Since we have more than one ip address, this makes openvpn respond
|
||||
# with the right sender address
|
||||
multihome
|
||||
|
||||
# We're using the layer 3 tunnel device
|
||||
# We're using the virtual network interface on layer 3
|
||||
dev tun
|
||||
|
||||
# Certificates (relative paths work, too)
|
||||
# Certificates to use. Paths are relative to config file location.
|
||||
ca inform/ca.crt
|
||||
cert inform/aither.inform.hs-hannover.de.crt
|
||||
key inform/aither.inform.hs-hannover.de.key
|
||||
|
||||
# Assume tls server role
|
||||
# Assume server role in tls handshake
|
||||
tls-server
|
||||
|
||||
# Diffie-Hellman parameters
|
||||
# Diffie-Hellman parameter file
|
||||
dh inform/dh.pem
|
||||
|
||||
# Certificate revocation list
|
||||
# Certificate revocation list location
|
||||
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
|
||||
crl-verify inform/crl.pem
|
||||
|
||||
# Make sure the client presents a certificate with "client role"
|
||||
remote-cert-tls client
|
||||
|
||||
# Allow multiple connections using the same certificate?
|
||||
# Currently, we do.
|
||||
# There is no reason to not allow this, so it is allowed.
|
||||
duplicate-cn
|
||||
|
||||
# We're using subnet topology
|
||||
# We're using subnet topology for IPv4 tunnel connectivity
|
||||
topology subnet
|
||||
|
||||
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
|
||||
# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
|
||||
server 10.2.0.0 255.255.0.0
|
||||
|
||||
# Use this IPv6 network for clients
|
||||
server-ipv6 2001:638:614:1750::/64
|
||||
|
||||
# Do we need persistence here?
|
||||
# No, not yet. Probably never.
|
||||
#ifconfig-pool-persist inform/ipp.txt
|
||||
|
||||
# Make sure the client can still reach the OpenVPN server via its default gateway
|
||||
# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
|
||||
# This is needed because the IPv4 route for DMZ is pushed below,
|
||||
# which overlaps the OpenVPN server IPv4 address.
|
||||
push "route remote_host 255.255.255.255 net_gateway"
|
||||
|
||||
# Push routes for local IPv4 networks
|
||||
#
|
||||
# DMZ
|
||||
push "route 141.71.38.0 255.255.255.0 vpn_gateway"
|
||||
# Inform
|
||||
@ -68,6 +69,9 @@ push "route 141.71.2.0 255.255.255.0 vpn_gateway"
|
||||
|
||||
# Push routes for local IPv6 networks
|
||||
# (The vpn_gateway placeholder does not work here.)
|
||||
# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will
|
||||
# automatically trigger creating a direct route to the OpenVPN server on the client.
|
||||
#
|
||||
# DMZ
|
||||
push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1"
|
||||
# Inform
|
||||
@ -79,20 +83,31 @@ push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1"
|
||||
# Cluster
|
||||
push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
|
||||
|
||||
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||
# Global settings regarding TLS, chiphers and hash algorithms
|
||||
# These settings MUST BE CONGRUENT with client configurations.
|
||||
# If you change these, make sure you update the provided client config file
|
||||
# and you NOTIFY ALL USERS to update their configuration!
|
||||
cipher AES-256-GCM
|
||||
auth SHA256
|
||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
tls-version-min "1.2"
|
||||
|
||||
# Make sure to detect broken sessions
|
||||
# Disable cipher negotiation on server side
|
||||
ncp-disable
|
||||
|
||||
# Send ping message every ten seconds, expect session loss after 60 seconds of no response
|
||||
keepalive 10 60
|
||||
|
||||
# These are needed for reduced privileges? Probably yes.
|
||||
# Notify clients when the server restarts or shuts down.
|
||||
# Default behaviour: Tell clients to try to connect to the same server again.
|
||||
explicit-exit-notify 1
|
||||
|
||||
# Enable these if you plan to enable running on reduced privileges
|
||||
# These options allow to keep the private key and the virtual network device handle in memory
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Reduced privileges
|
||||
# Reduce privileges after launch (uncomment and adapt on unix/linux system)
|
||||
user nobody
|
||||
group nogroup
|
||||
|
||||
@ -100,5 +115,6 @@ group nogroup
|
||||
verb 3
|
||||
mute 5
|
||||
|
||||
# Have a status log
|
||||
# Print a list of active sessions into this file
|
||||
# This might be helpful if you plan big maintenance
|
||||
status inform/status.log
|
||||
|
Loading…
Reference in New Issue
Block a user