Changes between Version 11 and Version 12 of GettingStartedwithOVPN


Timestamp:
12/15/17 12:55:58 (6 years ago)
Author:
David Sommerseth
Comment:

Use wiki: style on internal page references, point at 2.4 man pages

  • GettingStartedwithOVPN

    v11 v12  
    6060}}}
    6161
    62 For advanced setups, it is also possible to use <connection> blocks, read more about that in the OpenVPN man page:
    63 https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
     62For advanced setups, it is also possible to use <connection> blocks, read more about that in the [wiki:Openvpn24ManPage OpenVPN man page].
    6463
    6564If you want to run multiple VPN clients on the same host, it is advisable to also add 'nobind' to your configuration file.  This makes OpenVPN use a random client side port when connecting.  Without it, it will use the same port number as used to connect to the server.
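Review bot: the new line 62 switches the man page reference from the 2.3 page (Openvpn23ManPage) to the 2.4 page (Openvpn24ManPage) without the page saying which OpenVPN release it targets; readers still on a 2.3 release will land on documentation for a version they are not running, so either state the targeted release near the top of the page or keep a pointer to the 2.3 man page alongside the 2.4 one.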
     
    159158For most initial VPN setups, starting with Blowfish provides a fairly good security level.  But remember that once you decide to upgrade your ciphers, you need to modify all server and client configs to the same --cipher value.
    160159
    161 You can do another step to strengthen the encryption layer.  The temporary session key was already mentioned, which is used for encrypting the tunnelled network data.  This key will rotate by default every hour.  But you can also tweak how often it gets rotated by adjusting --reneg-sec, --reneg-pkts and --reneg-bytes.  See the man page for more information about these options: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
     160You can do another step to strengthen the encryption layer.  The temporary session key was already mentioned, which is used for encrypting the tunnelled network data.  This key will rotate by default every hour.  But you can also tweak how often it gets rotated by adjusting --reneg-sec, --reneg-pkts and --reneg-bytes.  See the [wiki:Openvpn24ManPage OpenVPN man page] for more information about these options.
    162161
    163162
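Review bot: unchanged context line 159 still recommends starting with Blowfish, which now sits beside a link to the 2.4 man page on line 160; OpenVPN 2.4 negotiates AES-256-GCM by default and warns that 64-bit block ciphers such as BF-CBC are insecure, so the cipher advice no longer matches the documentation the page cites. Suggest a follow-up that revises line 159 to recommend an AES cipher and keeps the sentence about changing --cipher consistently on all server and client configs.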
     
    229228passes TCP/IP traffic and does not provide any broadcast traffic across the VPN tunnel.  This provides a fairly efficient tunnel with the lowest overhead.  For more advanced setups the TAP device may be used, which is also able to transport other protocols than just TCP/IP.  TAP mode transports Ethernet frames instead of just IP packets.
    230229
    231 So there are many ways to configure the network layer in OpenVPN.  The general recommendation, and the one we will cover here, is what is often called "routed tun".  That means we use a tun device and use traditional TCP/IP routing techniques.  For an overview of TAP mode and bridiging vs routing, see this wiki page: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
     230So there are many ways to configure the network layer in OpenVPN.  The general recommendation, and the one we will cover here, is what is often called "routed tun".  That means we use a tun device and use traditional TCP/IP routing techniques.  For an overview of TAP mode and bridging vs routing, see the [wiki:BridgingAndRouting Bridging and Routing] page for more information.
    232231
    233232To configure a tun device, just add this line to both client and server configurations:
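Review bot: the new line 230 reads "For an overview of TAP mode and bridging vs routing, see the [wiki:BridgingAndRouting Bridging and Routing] page for more information", which states the purpose twice; drop the trailing "for more information" so the sentence ends at the link, matching the phrasing used in the line 62 change. The "bridiging" typo fix in the same line is fine.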