SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
-3. Write a server configuration (`server.conf`):
-::
+4. Write a server configuration (`server.conf`)::
# The server certificate we created in step 1
cert server.crt
# Ping every 60s, restart if no data received for 5 minutes
keepalive 60 300
-4. Add at least one client as described in the client section.
+5. Add at least one client as described in the client section.
-5. Start the server.
+6. Start the server.
- On systemd based distributions move `server.crt`, `server.key` and
`server.conf` to :code:`/etc/openvpn/server` and start it via systemctl
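Review bot: the renumbering of steps 3-5 to 4-6 leaves the comment inside `server.conf` (`# The server certificate we created in step 1`) untouched; since the list has shifted by one, confirm that certificate creation is still step 1 in the renumbered list, or update the reference in the same hunk so the comment does not point at the wrong step.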
Example 1: A simple tunnel without security (not recommended)
-------------------------------------------------------------
-On bob:
-::
+On bob::
openvpn --remote alice.example.com --dev tun1 \
--ifconfig 10.4.0.1 10.4.0.2 --verb 9
-On alice:
-::
+On alice::
openvpn --remote bob.example.com --dev tun1 \
--ifconfig 10.4.0.2 10.4.0.1 --verb 9
Now verify the tunnel is working by pinging across the tunnel.
-On bob:
-::
+On bob::
ping 10.4.0.2
-On alice:
-::
+On alice::
ping 10.4.0.1
-----------------------------------------------------------------
First build a self-signed certificate on bob and display its fingerprint.
+
::
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob'
openssl x509 -noout -sha256 -fingerprint -in bob.pem
-and the same on alice:
-::
+and the same on alice::
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice'
openssl x509 -noout -sha256 -fingerprint -in alice.pem
Transfer the fingerprints over a secure medium such as by using
the ``scp``\(1) or ``ssh``\(1) program.
-On bob:
-::
+On bob::
openvpn --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dev tun --dh none \
--cert bob.pem --key bob.pem --cipher AES-256-GCM \
--peer-fingerprint "$fingerprint_of_alices_cert"
-On alice:
-::
+On alice::
openvpn --remote bob.example.com --tls-client --dev tun1 \
--ifconfig 10.4.0.2 10.4.0.1 --cipher AES-256-GCM \
- --cert alice.pem --key alice.pem
+ --cert alice.pem --key alice.pem \
--peer-fingerprint "$fingerprint_of_bobs_cert"
Now verify the tunnel is working by pinging across the tunnel.
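Review bot: the added trailing `\` on `--cert alice.pem --key alice.pem \` is the substantive fix in this hunk and deserves a mention in the commit message rather than being buried among the `::` cleanups: without it the shell ends the command at `--key alice.pem` and treats the `--peer-fingerprint "$fingerprint_of_bobs_cert"` line as a separate command, so the example as previously written never passed the fingerprint to openvpn. Minor: bob's side uses `--dev tun` while alice and the other examples use `--dev tun1`; harmonising the two avoids readers wondering whether the difference is intentional.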
-On bob:
-::
+On bob::
ping 10.4.0.2
-On alice:
-::
+On alice::
ping 10.4.0.1
and keys included in the OpenVPN distribution are totally
insecure and should be used for testing only.
-On bob:
-::
+On bob::
openvpn --remote alice.example.com --dev tun1 \
--ifconfig 10.4.0.1 10.4.0.2 \
--cert client.crt --key client.key \
--reneg-sec 60 --verb 5
-On alice:
-::
+On alice::
openvpn --remote bob.example.com --dev tun1 \
--ifconfig 10.4.0.2 10.4.0.1 \
Now verify the tunnel is working by pinging across the tunnel.
-On bob:
-::
+On bob::
ping 10.4.0.2
-On alice:
-::
+On alice::
ping 10.4.0.1
alice's is *10.0.1.0/24*.
First, ensure that IP forwarding is enabled on both peers. On Linux,
-enable routing:
-::
+enable routing::
echo 1 > /proc/sys/net/ipv4/ip_forward
allow traffic coming from and going to the tun/tap adapter OpenVPN is
configured to use.
-On bob:
-::
+On bob::
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
-On alice:
-::
+On alice::
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
```````````````````````
Create VRF :code:`vrf_external` and map it to routing table :code:`1023`
+
::
ip link add vrf_external type vrf table 1023
Move :code:`eth0` into :code:`vrf_external`
+
::
ip link set master vrf_external dev eth0
For Debian based Distributions :code:`ifupdown2` provides an almost drop-in
replacement for :code:`ifupdown` including VRFs and other features.
A configuration for an interface :code:`eth0` being part of VRF
-code:`vrf_external` could look like this:
-::
+code:`vrf_external` could look like this::
auto eth0
iface eth0
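Review bot: the rewritten line `code:`vrf_external` could look like this::` is missing the leading colon of the role (compare `:code:`ifupdown2`` two lines above), so it will render literally instead of as inline code; since the line is being touched anyway, make it `:code:`vrf_external` could look like this::`.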
OpenVPN configuration
`````````````````````
The OpenVPN configuration needs to contain this line:
+
::
bind-dev vrf_external