Changes between Version 17 and Version 18 of Openvpn23ManPage


Timestamp:
01/04/16 12:36:57 (4 years ago)
Author:
Samuli Seppänen
Comment:

Update man-page to 2.3.10

  • Openvpn23ManPage

    v17 v18  
    79937993For purposes
    79947994of our example, our two machines will be called
    7995 <B>may.kg</B>
     7995<B>bob.example.com</B>
    79967996
    79977997and
    7998 <B>june.kg.</B>
     7998<B>alice.example.com.</B>
    79997999
    80008000If you are constructing a VPN over the internet, then replace
    8001 <B>may.kg</B>
     8001<B>bob.example.com</B>
    80028002
    80038003and
    8004 <B>june.kg</B>
     8004<B>alice.example.com</B>
    80058005
    80068006with the internet hostname or IP address that each machine will use
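Review bot: moving from may.kg / june.kg to bob.example.com / alice.example.com is the right fix for documentation hostnames: example.com is reserved for examples, whereas .kg is a live ccTLD, so the old names could have resolved to hosts the reader does not control when copied verbatim. The short labels "On may:" / "On june:" are renamed consistently in the later hunks, so the rename looks complete.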
     
    80118011the VPN.  Each machine will use the tunnel endpoint of the other
    80128012machine to access it over the VPN.  In our example,
    8013 the tunnel endpoint for may.kg
    8014 will be 10.4.0.1 and for june.kg, 10.4.0.2.
     8013the tunnel endpoint for bob.example.com
     8014will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
    80158015<P>
    80168016Once the VPN is established, you have essentially
     
    80218021(a) over the VPN or (b) independently of the VPN, by choosing whether to use
    80228022(a) the VPN endpoint address or (b) the public internet address,
    8023 to access the remote host. For example if you are on may.kg and you wish to connect to june.kg
     8023to access the remote host. For example if you are on bob.example.com and you wish to connect to alice.example.com
    80248024via
    80258025<B>ssh</B>
     
    80298029
    80308030has its own built-in security) you would use the command
    8031 <B>ssh june.kg.</B>
     8031<B>ssh alice.example.com.</B>
    80328032
    80338033However in the same scenario, you could also use the command
    80348034<B>telnet 10.4.0.2</B>
    80358035
    8036 to create a telnet session with june.kg over the VPN, that would
     8036to create a telnet session with alice.example.com over the VPN, that would
    80378037use the VPN to secure the session rather than
    80388038<B>ssh.</B>
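Review bot: this paragraph is only touched for the hostnames, but it tells the reader that "telnet 10.4.0.2" is secured by the VPN, while the first example below runs openvpn with only "--remote ... --dev tun1 --ifconfig ..." and no --secret or --tls-* options, i.e. a tunnel without encryption. Consider qualifying the sentence so it is clear the claim holds for the static-key and TLS examples, not for the plain test tunnel.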
     
    80538053<P>
    80548054
    8055 On may:
     8055On bob:
    80568056<DL COMPACT>
    80578057<DT><DD>
    8058 <B>openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9</B>
     8058<B>openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9</B>
    80598059
    80608060</DL>
    80618061<P>
    80628062
    8063 On june:
     8063On alice:
    80648064<DL COMPACT>
    80658065<DT><DD>
    8066 <B>openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9</B>
     8066<B>openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9</B>
    80678067
    80688068</DL>
     
    80728072<P>
    80738073
    8074 On may:
     8074On bob:
    80758075<DL COMPACT>
    80768076<DT><DD>
     
    80808080<P>
    80818081
    8082 On june:
     8082On alice:
    80838083<DL COMPACT>
    80848084<DT><DD>
     
    81028102<H3>Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)</H3>
    81038103
    8104 First build a static key on may.
     8104First build a static key on bob.
    81058105<DL COMPACT>
    81068106<DT><DD>
     
    81178117<B>key</B>
    81188118
    8119 to june over a secure medium such as by
     8119to alice over a secure medium such as by
    81208120using the
    81218121<B><A HREF="/man/man2html?1+scp">scp</A></B>(1)
     
    81248124<P>
    81258125
    8126 On may:
     8126On bob:
    81278127<DL COMPACT>
    81288128<DT><DD>
    8129 <B>openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key</B>
     8129<B>openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key</B>
    81308130
    81318131</DL>
    81328132<P>
    81338133
    8134 On june:
     8134On alice:
    81358135<DL COMPACT>
    81368136<DT><DD>
    8137 <B>openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key</B>
     8137<B>openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key</B>
    81388138
    81398139</DL>
     
    81438143<P>
    81448144
    8145 On may:
     8145On bob:
    81468146<DL COMPACT>
    81478147<DT><DD>
     
    81518151<P>
    81528152
    8153 On june:
     8153On alice:
    81548154<DL COMPACT>
    81558155<DT><DD>
     
    81628162
    81638163For this test, we will designate
    8164 <B>may</B>
     8164<B>bob</B>
    81658165
    81668166as the TLS client and
    8167 <B>june</B>
     8167<B>alice</B>
    81688168
    81698169as the TLS server.
     
    81728172<P>
    81738173First, build a separate certificate/key pair
    8174 for both may and june (see above where
     8174for both bob and alice (see above where
    81758175<B>--cert</B>
    81768176
     
    81918191<P>
    81928192
    8193 On may:
     8193On bob:
    81948194<DL COMPACT>
    81958195<DT><DD>
    8196 <B>openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5</B>
     8196<B>openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5</B>
    81978197
    81988198</DL>
    81998199<P>
    82008200
    8201 On june:
     8201On alice:
    82028202<DL COMPACT>
    82038203<DT><DD>
    8204 <B>openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5</B>
     8204<B>openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5</B>
    82058205
    82068206</DL>
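Review bot: since this hunk is refreshing the example for 2.3.10, the server command's unchanged "--dh dh1024.pem" is worth updating too: the file name implies 1024-bit Diffie-Hellman parameters, which are below what a current example should recommend; pointing readers at a 2048-bit parameter file would avoid having them generate a weak group by copying the command.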
     
    82108210<P>
    82118211
    8212 On may:
     8212On bob:
    82138213<DL COMPACT>
    82148214<DT><DD>
     
    82188218<P>
    82198219
    8220 On june:
     8220On alice:
    82218221<DL COMPACT>
    82228222<DT><DD>
     
    82478247Assuming you can ping across the tunnel,
    82488248the next step is to route a real subnet over
    8249 the secure tunnel.  Suppose that may and june have two network
     8249the secure tunnel.  Suppose that bob and alice have two network
    82508250interfaces each, one connected
    82518251to the internet, and the other to a private
    82528252network.  Our goal is to securely connect
    8253 both private networks.  We will assume that may's private subnet
    8254 is 10.0.0.0/24 and june's is 10.0.1.0/24.
     8253both private networks.  We will assume that bob's private subnet
     8254is 10.0.0.0/24 and alice's is 10.0.1.0/24.
    82558255<P>
    82568256
     
    82728272<P>
    82738273
    8274 On may:
     8274On bob:
    82758275<DL COMPACT>
    82768276<DT><DD>
     
    82808280<P>
    82818281
    8282 On june:
     8282On alice:
    82838283<DL COMPACT>
    82848284<DT><DD>
     
    85308530<A HREF="/man/man2html">man2html</A>,
    85318531using the manual pages.<BR>
    8532 Time: 13:43:58 GMT, December 16, 2015
     8532Time: 12:35:03 GMT, January 04, 2016
    85338533}}}