OpenVPN: Difference between revisions
No edit summary |
(→PiVPN) |
Line 9: | Line 9: | ||
systemctl restart openvpn | systemctl restart openvpn | ||
tail -f /var/log/openvpn.log | tail -f /var/log/openvpn.log | ||
<code>nano /etc/openvpn/server.conf</code> | |||
<source lang="bash" highlight="2-4,10,12-14,21,22" line> | |||
: <<'END_COMMENT' | |||
dev tun | |||
proto udp | |||
port 1194 | |||
ca /etc/openvpn/easy-rsa/pki/ca.crt | |||
cert /etc/openvpn/easy-rsa/pki/issued/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.crt | |||
key /etc/openvpn/easy-rsa/pki/private/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.key | |||
dh /etc/openvpn/easy-rsa/pki/dh2048.pem | |||
topology subnet | |||
server 10.20.13.0 255.255.255.0 | |||
# Set your primary domain name server address for clients | |||
push "dhcp-option DOMAIN dev.shahed.biz" | |||
push "dhcp-option DNS 10.19.83.100" | |||
push "dhcp-option DNS 10.19.83.1" | |||
# Prevent DNS leaks on Windows | |||
push "block-outside-dns" | |||
# Override the Client default gateway by using 0.0.0.0/1 and | |||
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of | |||
# overriding but not wiping out the original default gateway. | |||
push "redirect-gateway def1" | |||
client-to-client | |||
client-config-dir /etc/openvpn/ccd | |||
keepalive 15 120 | |||
remote-cert-tls client | |||
tls-version-min 1.2 | |||
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 | |||
cipher AES-256-CBC | |||
auth SHA256 | |||
user openvpn | |||
group openvpn | |||
persist-key | |||
persist-tun | |||
crl-verify /etc/openvpn/crl.pem | |||
status /var/log/openvpn-status.log 20 | |||
status-version 3 | |||
syslog | |||
verb 3 | |||
#DuplicateCNs allow access control on a less-granular, per user basis. | |||
#Remove # if you will manage access by user instead of device. | |||
#duplicate-cn | |||
# Generated for use by PiVPN.io | |||
END_COMMENT | |||
</source> | |||
==Knowledge== | ==Knowledge== |
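Review bot: The listing added at lines 11–53 is wrapped in `: <<'END_COMMENT'` … `END_COMMENT` only to get bash highlighting, but neither line is an OpenVPN directive, and a reader who copies the whole block into `/etc/openvpn/server.conf` as the preceding `nano` line invites will get a parse error on the very first line; a sentence above the block such as `The first and last lines are a highlighting wrapper; copy only the directives between them.` would avoid that. `client-to-client` also deserves a comment: it forwards traffic between connected clients inside the daemon, so every VPN peer can reach every other peer without passing the server's host firewall, which is wider than the page's own use case of clients that only need a web server and a file server; drop it or state why peers must talk to each other. `cipher AES-256-CBC` is presumably only the fallback for peers that do not negotiate a cipher (2.4+ clients negotiate an AES-GCM cipher), so a one-line comment saying so would stop readers from assuming CBC is what modern clients actually use.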
Revision as of 18:43, 11 December 2020
Let’s say you have an old dedicated server without AES-NI and you need 200 devices connected to it, but they only route traffic for a web server and a file server on your private network, and about 50% will be actively using the connection and 50% will be idling at any given time. As in the previous example, this will of course vary somewhat, as some users work on other tasks and alternate that with retrieving files and data through the VPN tunnel. Let’s say you want to make sure each active user will have 10Mbps available, and let’s again assume they actually have that bandwidth on their Internet connection.
100 active users times 10Mbps is 1000Mbps, or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps times 40MHz is about 40000MHz, or 40GHz. An older server with a dual octa-core setup at 2.5GHz will be able to meet those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount.
PiVPN
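# Install PiVPN, create the per-client config directory used by server.conf,
# restart the service, follow its log and then open the server configuration.
# Run as root; the paths under /etc are root-owned.
#
# The installer is saved to a temp file instead of being piped straight into
# bash: -f makes curl fail on an HTTP error instead of handing an error page
# to bash, and the saved copy can be read before it is executed as root.
installer=$(mktemp) || exit 1
trap 'rm -f -- "$installer"' EXIT
curl -fsSL https://install.pivpn.io -o "$installer" || exit 1
less -- "$installer"   # read the script before running it
bash "$installer"
# -p keeps a re-run of these steps from failing on an existing directory.
mkdir -p /etc/openvpn/ccd
systemctl restart openvpn
tail -f /var/log/openvpn.log
# Server configuration; the listing that follows shows what PiVPN writes here.
nano /etc/openvpn/server.conf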
# /etc/openvpn/server.conf as generated by the PiVPN installer (see its last
# line). It is shown as a quoted here-document fed to the no-op ':' purely so
# the wiki can highlight it; the ": <<'END_COMMENT'" and "END_COMMENT" lines
# are wrapper only and are not OpenVPN directives.
#
# Reviewer notes on the security-relevant directives below:
#   remote-cert-tls client / crl-verify: a peer must present a certificate
#     with the client key usage and must not be listed in /etc/openvpn/crl.pem.
#   tls-auth ta.key 0: control-channel packets are HMAC-authenticated with the
#     shared ta.key, so packets without a valid HMAC are dropped before any
#     TLS handshake work is done.
#   user/group openvpn with persist-key/persist-tun: the daemon drops root
#     after start-up; persist-* lets it restart (SIGUSR1) without re-reading
#     keys or re-opening the tun device it can no longer access unprivileged.
#   client-to-client: peers can reach each other through the tunnel;
#     NOTE(review): wider than needed if clients only talk to the servers.
#   cipher AES-256-CBC / auth SHA256: presumably the fallback for peers that
#     do not negotiate a cipher — confirm what the deployed clients negotiate.
#   duplicate-cn stays commented: concurrent sessions with the same CN are
#     refused, so each device keeps its own certificate and CRL revocation
#     stays per device.
: <<'END_COMMENT'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.crt
key /etc/openvpn/easy-rsa/pki/private/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.20.13.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DNS 10.19.83.100"
push "dhcp-option DNS 10.19.83.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
END_COMMENT
Knowledge
# Scratchpad of one-off diagnostics and teardown commands for the OpenVPN host.
# Run them one at a time, not as a script: tail -f, telnet and nano are
# interactive, and the teardown block removes the whole installation.

# Tools used below.
apt install ufw
apt install nmap
apt install telnet

# Firewall state and listening sockets on the host itself.
ufw status
netstat -a
netstat -lpn
nmap localhost

# Reachability of the web server (80) and the VPN port (1194) from this host;
# -u checks the UDP listener that server.conf uses.
nc -v 10.19.83.204 80
nc -uv localhost 1194
nc -v 10.19.83.204 1194
netstat -uap | grep openvpn
tail -f /var/log/openvpn.log
nano /etc/openvpn/server.conf
telnet localhost 1194
telnet nas0.dev.shahed.biz 80
telnet nas0.dev.shahed.biz 1194

# Teardown: discard a stale certificate request, remove the
# openmediavault-openvpn package, then wipe the EasyRSA tree and the whole
# OpenVPN configuration, private keys included.
rm -f -- /etc/openvpn/pki/reqs/dev.shahed.biz.req
apt purge openmediavault-openvpn
rm -rf -- /opt/EasyRSA-v3.0.6/
rm -rf -- /etc/openvpn/

# Turns TCP window scaling off system-wide; -w is not persisted across reboot.
sysctl -w net.ipv4.tcp_window_scaling=0