Changes between Initial Version and Version 1 of StaticKeyMiniHowto


Ignore:
Timestamp:
07/24/14 12:22:49 (4 years ago)
Author:
samuli
Comment:

Migrated content from http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

Legend:

Unmodified
Added
Removed
Modified
  • StaticKeyMiniHowto

    v1 v1  
     1
     2[[TOC(inline, depth=1)]]
     3
     4= Introduction =
     5
     6Static key configurations offer the simplest setup, and are ideal for point-to-point VPNs or proof-of-concept testing.
     7
     8= Static Key advantages =
     9
     10 * Simple Setup
     11 * No X509 PKI (Public Key Infrastructure) to maintain
     12
     13= Static Key disadvantages =
     14
     15 * Limited scalability -- one client, one server
     16 * Lack of perfect forward secrecy -- key compromise results in total disclosure of previous sessions
     17 * Secret key must exist in plaintext form on each VPN peer
     18 * Secret key must be exchanged using a pre-existing secure channel
     19
     20= Simple Example =
     21
     22This example demonstrates a bare-bones point-to-point OpenVPN configuration. A VPN tunnel will be created with a server endpoint of 10.8.0.1 and a client endpoint of 10.8.0.2. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.
     23
     24Generate a static key:
     25
     26{{{
     27$ openvpn --genkey --secret static.key
     28}}}
     29
     30Copy the static key to both client and server, over a pre-existing secure channel.
     31
     32== Server configuration file ==
     33
     34{{{
     35dev tun
     36ifconfig 10.8.0.1 10.8.0.2
     37secret static.key
     38}}}
     39
     40== Client configuration file ==
     41
     42{{{
     43remote myremote.mydomain
     44dev tun
     45ifconfig 10.8.0.2 10.8.0.1
     46secret static.key
     47}}}
     48
     49== Firewall configuration ==
     50
     51Make sure that:
     52
     53 * UDP port 1194 is open on the server, and
     54 * the virtual TUN interface used by OpenVPN is not blocked on either the client or server (on Linux, the TUN interface will probably be called tun0 while on Windows it will probably be called something like Local Area Connection n unless you rename it in the Network Connections control panel).
     55
     56Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
     57
     58== Testing the VPN ==
     59
     60Run OpenVPN using the respective configuration files on both server and client, changing myremote.mydomain in the client configuration to the domain name or public IP address of the server.
     61
     62To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
     63
     64= Expanding on the Simple Example =
     65
     66== Use compression on the VPN link ==
     67
     68Add the following line to both client and server configuration files:
     69{{{
     70comp-lzo
     71}}}
     72
     73== Make the link more resistent to connection failures ==
     74
     75Deal with:
     76
     77 * keeping a connection through a NAT router/firewall alive, and
     78 * follow the DNS name of the server if it changes its IP address.
     79
     80Add the following to both client and server configuration files:
     81
     82{{{
     83keepalive 10 60
     84ping-timer-rem
     85persist-tun
     86persist-key
     87}}}
     88
     89== Run OpenVPN as a daemon (Linux/BSD/Solaris/MacOSX only) ==
     90
     91Run OpenVPN as a daemon and drop privileges to user/group nobody.
     92
     93Add to configuration file (client and/or server):
     94
     95{{{
     96user nobody
     97group nobody
     98daemon
     99}}}
     100
     101== Allow client to reach entire server subnet ==
     102
     103Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:
     104{{{
     105route 192.168.4.0 255.255.255.0
     106}}}
     107Then on the server side, add a route to the server's LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don't forget to enable IP Forwarding on the OpenVPN server machine.