Merge pull request 'add openvpn docs' (#14) from mark22k/docs:openvpn into master

Reviewed-on: https://codeberg.org/CRXN/docs/pulls/14
This commit is contained in:
Marek Küthe 2023-01-03 10:30:47 +00:00
commit 7b00937ab8
2 changed files with 60 additions and 0 deletions

View File

@ -3,3 +3,4 @@
- [fastd](fastd) - [fastd](fastd)
- [WireGuard](wireguard) - [WireGuard](wireguard)
- [OpenVPN](openvpn)

59
docs/tunneling/openvpn.md Normal file
View File

@ -0,0 +1,59 @@
# OpenVPN
**Hint:** OpenVPN with a static key has no Perfect Forward Secrecy (PFS)!
## Configuration
```
mode p2p
remote <remote>
local <local>
proto <proto>
rport <rport>
lport <lport>
dev-type tun
dev <interface>
script-security 1
cipher aes-256-cbc
resolv-retry infinite
persist-key
persist-tun
ifconfig-ipv6 <IPv6> fe80::1000
secret <secret>
```
Replace `<remote>` with the IP address of the peer and `<local>` with your IP address.
Replace `<proto>` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6.
Choose a port for `<lport>` and set `<rport>` to the port of your peer. `<lport>` on udp must be opened accordingly in the local firewall.
Replace `<interface>` with the appropriate interface name for your peer.
Replace `<IPv6>` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here.
Replace `<secret>` with the path to the Secret Static Key.
Generate a Secret Static Key:
```
openvpn --genkey secret <filename>.key
```
## Automatic start with systemd
If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start:
```
systemctl start openvpn@<filename>
```
```
systemctl enable openvpn@<filename>
```
## Further links
- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn)