Changes between Version 11 and Version 12 of GettingStartedwithOVPN
- Timestamp:
- 12/15/17 12:55:58 (6 years ago)
GettingStartedwithOVPN
v11 v12 60 60 }}} 61 61 62 For advanced setups, it is also possible to use <connection> blocks, read more about that in the OpenVPN man page: 63 https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage 62 For advanced setups, it is also possible to use <connection> blocks, read more about that in the [wiki:Openvpn24ManPage OpenVPN man page]. 64 63 65 64 If you want to run multiple VPN clients on the same host, it is advisable to also add 'nobind' to your configuration file. This makes OpenVPN use a random client side port when connecting. Without it, it will use the same port number as used to connect to the server. … … 159 158 For most initial VPN setups, starting with Blowfish provides a fairly good security level. But remember that once you decide to upgrade your ciphers, you need to modify all server and client configs to the same --cipher value. 160 159 161 You can do another step to strengthen the encryption layer. The temporary session key was already mentioned, which is used for encrypting the tunnelled network data. This key will rotate by default every hour. But you can also tweak how often it gets rotated by adjusting --reneg-sec, --reneg-pkts and --reneg-bytes. See the man page for more information about these options: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage160 You can do another step to strengthen the encryption layer. The temporary session key was already mentioned, which is used for encrypting the tunnelled network data. This key will rotate by default every hour. But you can also tweak how often it gets rotated by adjusting --reneg-sec, --reneg-pkts and --reneg-bytes. See the [wiki:Openvpn24ManPage OpenVPN man page] for more information about these options. 162 161 163 162 … … 229 228 passes TCP/IP traffic and does not provide any broadcast traffic across the VPN tunnel. This provides a fairly efficient tunnel with the lowest overhead. 
For more advanced setups the TAP device may be used, which is also able to transport other protocols than just TCP/IP. TAP mode transports Ethernet frames instead of just IP packets. 230 229 231 So there are many ways to configure the network layer in OpenVPN. The general recommendation, and the one we will cover here, is what is often called "routed tun". That means we use a tun device and use traditional TCP/IP routing techniques. For an overview of TAP mode and brid iging vs routing, see this wiki page: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting230 So there are many ways to configure the network layer in OpenVPN. The general recommendation, and the one we will cover here, is what is often called "routed tun". That means we use a tun device and use traditional TCP/IP routing techniques. For an overview of TAP mode and bridging vs routing, see the [wiki:BridgingAndRouting Bridging and Routing] page for more information. 232 231 233 232 To configure a tun device, just add this line to both client and server configurations:
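Review bot: in the hunk at lines 159-161, the sentence "For most initial VPN setups, starting with Blowfish provides a fairly good security level" is carried over unchanged while the link right after it now points readers at the 2.4 man page, so the cipher advice and the referenced documentation no longer match (OpenVPN 2.4 negotiates AES-256-GCM by default when both peers support it, and Blowfish is a 64-bit block cipher). Suggest reworking that sentence in the same edit, e.g. "For most initial VPN setups, the default AES-GCM cipher of OpenVPN 2.4 provides a good security level", and keeping the reminder that a changed --cipher value must be applied to every server and client config.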
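Review bot: in the hunk at lines 229-231, the rewritten sentence ends up redundant: "For an overview of TAP mode and bridging vs routing, see the [wiki:BridgingAndRouting Bridging and Routing] page for more information." Either the opening "For an overview of ..." or the trailing "for more information" should go; suggest "For an overview of TAP mode and bridging vs routing, see the [wiki:BridgingAndRouting Bridging and Routing] page." The fix of the "brid iging" typo in the same hunk is correct.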