Diffstat (limited to 'doc/openvpn-examples.5.html')
-rw-r--r-- | doc/openvpn-examples.5.html | 582 |
1 files changed, 582 insertions, 0 deletions
diff --git a/doc/openvpn-examples.5.html b/doc/openvpn-examples.5.html new file mode 100644 index 0000000..a0dac40 --- /dev/null +++ b/doc/openvpn-examples.5.html 
@@ -0,0 +1,582 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> +<meta name="generator" content="Docutils 0.16: http://docutils.sourceforge.net/" /> +<title>openvpn examples</title> +<style type="text/css"> + +/* +:Author: David Goodger (goodger@python.org) +:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $ +:Copyright: This stylesheet has been placed in the public domain. + +Default cascading style sheet for the HTML output of Docutils. + +See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to +customize this style sheet. +*/ + +/* used to remove borders from tables and images */ +.borderless, table.borderless td, table.borderless th { + border: 0 } + +table.borderless td, table.borderless th { + /* Override padding for "table.docutils td" with "! important". + The right padding separates the table cells. */ + padding: 0 0.5em 0 0 ! important } + +.first { + /* Override more specific margin styles with "! important". */ + margin-top: 0 ! important } + +.last, .with-subtitle { + margin-bottom: 0 ! important } + +.hidden { + display: none } + +.subscript { + vertical-align: sub; + font-size: smaller } + +.superscript { + vertical-align: super; + font-size: smaller } + +a.toc-backref { + text-decoration: none ; + color: black } + +blockquote.epigraph { + margin: 2em 5em ; } + +dl.docutils dd { + margin-bottom: 0.5em } + +object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] { + overflow: hidden; +} + +/* Uncomment (and remove this text!) 
to get bold-faced definition list terms +dl.docutils dt { + font-weight: bold } +*/ + +div.abstract { + margin: 2em 5em } + +div.abstract p.topic-title { + font-weight: bold ; + text-align: center } + +div.admonition, div.attention, div.caution, div.danger, div.error, +div.hint, div.important, div.note, div.tip, div.warning { + margin: 2em ; + border: medium outset ; + padding: 1em } + +div.admonition p.admonition-title, div.hint p.admonition-title, +div.important p.admonition-title, div.note p.admonition-title, +div.tip p.admonition-title { + font-weight: bold ; + font-family: sans-serif } + +div.attention p.admonition-title, div.caution p.admonition-title, +div.danger p.admonition-title, div.error p.admonition-title, +div.warning p.admonition-title, .code .error { + color: red ; + font-weight: bold ; + font-family: sans-serif } + +/* Uncomment (and remove this text!) to get reduced vertical space in + compound paragraphs. +div.compound .compound-first, div.compound .compound-middle { + margin-bottom: 0.5em } + +div.compound .compound-last, div.compound .compound-middle { + margin-top: 0.5em } +*/ + +div.dedication { + margin: 2em 5em ; + text-align: center ; + font-style: italic } + +div.dedication p.topic-title { + font-weight: bold ; + font-style: normal } + +div.figure { + margin-left: 2em ; + margin-right: 2em } + +div.footer, div.header { + clear: both; + font-size: smaller } + +div.line-block { + display: block ; + margin-top: 1em ; + margin-bottom: 1em } + +div.line-block div.line-block { + margin-top: 0 ; + margin-bottom: 0 ; + margin-left: 1.5em } + +div.sidebar { + margin: 0 0 0.5em 1em ; + border: medium outset ; + padding: 1em ; + background-color: #ffffee ; + width: 40% ; + float: right ; + clear: right } + +div.sidebar p.rubric { + font-family: sans-serif ; + font-size: medium } + +div.system-messages { + margin: 5em } + +div.system-messages h1 { + color: red } + +div.system-message { + border: medium outset ; + padding: 1em } + +div.system-message 
p.system-message-title { + color: red ; + font-weight: bold } + +div.topic { + margin: 2em } + +h1.section-subtitle, h2.section-subtitle, h3.section-subtitle, +h4.section-subtitle, h5.section-subtitle, h6.section-subtitle { + margin-top: 0.4em } + +h1.title { + text-align: center } + +h2.subtitle { + text-align: center } + +hr.docutils { + width: 75% } + +img.align-left, .figure.align-left, object.align-left, table.align-left { + clear: left ; + float: left ; + margin-right: 1em } + +img.align-right, .figure.align-right, object.align-right, table.align-right { + clear: right ; + float: right ; + margin-left: 1em } + +img.align-center, .figure.align-center, object.align-center { + display: block; + margin-left: auto; + margin-right: auto; +} + +table.align-center { + margin-left: auto; + margin-right: auto; +} + +.align-left { + text-align: left } + +.align-center { + clear: both ; + text-align: center } + +.align-right { + text-align: right } + +/* reset inner alignment in figures */ +div.align-right { + text-align: inherit } + +/* div.align-center * { */ +/* text-align: left } */ + +.align-top { + vertical-align: top } + +.align-middle { + vertical-align: middle } + +.align-bottom { + vertical-align: bottom } + +ol.simple, ul.simple { + margin-bottom: 1em } + +ol.arabic { + list-style: decimal } + +ol.loweralpha { + list-style: lower-alpha } + +ol.upperalpha { + list-style: upper-alpha } + +ol.lowerroman { + list-style: lower-roman } + +ol.upperroman { + list-style: upper-roman } + +p.attribution { + text-align: right ; + margin-left: 50% } + +p.caption { + font-style: italic } + +p.credits { + font-style: italic ; + font-size: smaller } + +p.label { + white-space: nowrap } + +p.rubric { + font-weight: bold ; + font-size: larger ; + color: maroon ; + text-align: center } + +p.sidebar-title { + font-family: sans-serif ; + font-weight: bold ; + font-size: larger } + +p.sidebar-subtitle { + font-family: sans-serif ; + font-weight: bold } + +p.topic-title { + 
font-weight: bold } + +pre.address { + margin-bottom: 0 ; + margin-top: 0 ; + font: inherit } + +pre.literal-block, pre.doctest-block, pre.math, pre.code { + margin-left: 2em ; + margin-right: 2em } + +pre.code .ln { color: grey; } /* line numbers */ +pre.code, code { background-color: #eeeeee } +pre.code .comment, code .comment { color: #5C6576 } +pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold } +pre.code .literal.string, code .literal.string { color: #0C5404 } +pre.code .name.builtin, code .name.builtin { color: #352B84 } +pre.code .deleted, code .deleted { background-color: #DEB0A1} +pre.code .inserted, code .inserted { background-color: #A3D289} + +span.classifier { + font-family: sans-serif ; + font-style: oblique } + +span.classifier-delimiter { + font-family: sans-serif ; + font-weight: bold } + +span.interpreted { + font-family: sans-serif } + +span.option { + white-space: nowrap } + +span.pre { + white-space: pre } + +span.problematic { + color: red } + +span.section-subtitle { + /* font-size relative to parent (h1..h6 element) */ + font-size: 80% } + +table.citation { + border-left: solid 1px gray; + margin-left: 1px } + +table.docinfo { + margin: 2em 4em } + +table.docutils { + margin-top: 0.5em ; + margin-bottom: 0.5em } + +table.footnote { + border-left: solid 1px black; + margin-left: 1px } + +table.docutils td, table.docutils th, +table.docinfo td, table.docinfo th { + padding-left: 0.5em ; + padding-right: 0.5em ; + vertical-align: top } + +table.docutils th.field-name, table.docinfo th.docinfo-name { + font-weight: bold ; + text-align: left ; + white-space: nowrap ; + padding-left: 0 } + +/* "booktabs" style (no vertical lines) */ +table.docutils.booktabs { + border: 0px; + border-top: 2px solid; + border-bottom: 2px solid; + border-collapse: collapse; +} +table.docutils.booktabs * { + border: 0px; +} +table.docutils.booktabs th { + border-bottom: thin solid; + text-align: left; +} + +h1 tt.docutils, h2 tt.docutils, h3 
tt.docutils, +h4 tt.docutils, h5 tt.docutils, h6 tt.docutils { + font-size: 100% } + +ul.auto-toc { + list-style-type: none } + +</style> +</head> +<body> +<div class="document" id="openvpn-examples"> +<h1 class="title">openvpn examples</h1> +<h2 class="subtitle" id="secure-ip-tunnel-daemon">Secure IP tunnel daemon</h2> +<table class="docinfo" frame="void" rules="none"> +<col class="docinfo-name" /> +<col class="docinfo-content" /> +<tbody valign="top"> +<tr class="manual-section field"><th class="docinfo-name">Manual section:</th><td class="field-body">5</td> +</tr> +<tr class="manual-group field"><th class="docinfo-name">Manual group:</th><td class="field-body">Configuration files</td> +</tr> +</tbody> +</table> +<div class="section" id="introduction"> +<h1>INTRODUCTION</h1> +<p>This man page gives a few simple examples to create OpenVPN setups and configuration files.</p> +</div> +<div class="section" id="examples"> +<h1>EXAMPLES</h1> +<p>Prior to running these examples, you should have OpenVPN installed on +two machines with network connectivity between them. If you have not yet +installed OpenVPN, consult the INSTALL file included in the OpenVPN +distribution.</p> +<div class="section" id="firewall-setup"> +<h2>Firewall Setup:</h2> +<p>If firewalls exist between the two machines, they should be set to +forward the port OpenVPN is configured to use, in both directions. +The default for OpenVPN is 1194/udp. 
If you do not have control +over the firewalls between the two machines, you may still be able to +use OpenVPN by adding <tt class="docutils literal"><span class="pre">--ping</span> 15</tt> to each of the <tt class="docutils literal">openvpn</tt> commands +used below in the examples (this will cause each peer to send out a UDP +ping to its remote peer once every 15 seconds which will cause many +stateful firewalls to forward packets in both directions without an +explicit firewall rule).</p> +<p>Please see your operating system guides for how to configure the firewall +on your systems.</p> +</div> +<div class="section" id="vpn-address-setup"> +<h2>VPN Address Setup:</h2> +<p>For purposes of our example, our two machines will be called +<tt class="docutils literal">bob.example.com</tt> and <tt class="docutils literal">alice.example.com</tt>. If you are constructing a +VPN over the internet, then replace <tt class="docutils literal">bob.example.com</tt> and +<tt class="docutils literal">alice.example.com</tt> with the internet hostname or IP address that each +machine will use to contact the other over the internet.</p> +<p>Now we will choose the tunnel endpoints. Tunnel endpoints are private IP +addresses that only have meaning in the context of the VPN. Each machine +will use the tunnel endpoint of the other machine to access it over the +VPN. In our example, the tunnel endpoint for bob.example.com will be +10.4.0.1 and for alice.example.com, 10.4.0.2.</p> +<p>Once the VPN is established, you have essentially created a secure +alternate path between the two hosts which is addressed by using the +tunnel endpoints. You can control which network traffic passes between +the hosts (a) over the VPN or (b) independently of the VPN, by choosing +whether to use (a) the VPN endpoint address or (b) the public internet +address, to access the remote host. 
For example if you are on +bob.example.com and you wish to connect to <tt class="docutils literal">alice.example.com</tt> via +<tt class="docutils literal">ssh</tt> without using the VPN (since <strong>ssh</strong> has its own built-in security) +you would use the command <tt class="docutils literal">ssh alice.example.com</tt>. However in the same +scenario, you could also use the command <tt class="docutils literal">telnet 10.4.0.2</tt> to create a +telnet session with alice.example.com over the VPN, that would use the +VPN to secure the session rather than <tt class="docutils literal">ssh</tt>.</p> +<p>You can use any address you wish for the tunnel endpoints but make sure +that they are private addresses (such as those that begin with 10 or +192.168) and that they are not part of any existing subnet on the +networks of either peer, unless you are bridging. If you use an address +that is part of your local subnet for either of the tunnel endpoints, +you will get a weird feedback loop.</p> +</div> +<div class="section" id="example-1-a-simple-tunnel-without-security"> +<h2>Example 1: A simple tunnel without security</h2> +<p>On bob:</p> +<pre class="literal-block"> +openvpn --remote alice.example.com --dev tun1 \ + --ifconfig 10.4.0.1 10.4.0.2 --verb 9 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +openvpn --remote bob.example.com --dev tun1 \ + --ifconfig 10.4.0.2 10.4.0.1 --verb 9 +</pre> +<p>Now verify the tunnel is working by pinging across the tunnel.</p> +<p>On bob:</p> +<pre class="literal-block"> +ping 10.4.0.2 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +ping 10.4.0.1 +</pre> +<p>The <tt class="docutils literal"><span class="pre">--verb</span> 9</tt> option will produce verbose output, similar to the +<tt class="docutils literal">tcpdump</tt>(8) program. 
Omit the <tt class="docutils literal"><span class="pre">--verb</span> 9</tt> option to have OpenVPN run +quietly.</p> +</div> +<div class="section" id="example-2-a-tunnel-with-static-key-security-i-e-using-a-pre-shared-secret"> +<h2>Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)</h2> +<p>First build a static key on bob.</p> +<pre class="literal-block"> +openvpn --genkey --secret key +</pre> +<p>This command will build a key file called <tt class="docutils literal">key</tt> (in ascii format). Now +copy <tt class="docutils literal">key</tt> to <tt class="docutils literal">alice.example.com</tt> over a secure medium such as by using +the <tt class="docutils literal">scp</tt>(1) program.</p> +<p>On bob:</p> +<pre class="literal-block"> +openvpn --remote alice.example.com --dev tun1 \ + --ifconfig 10.4.0.1 10.4.0.2 --verb 5 \ + --secret key +</pre> +<p>On alice:</p> +<pre class="literal-block"> +openvpn --remote bob.example.com --dev tun1 \ + --ifconfig 10.4.0.2 10.4.0.1 --verb 5 \ + --secret key +</pre> +<p>Now verify the tunnel is working by pinging across the tunnel.</p> +<p>On bob:</p> +<pre class="literal-block"> +ping 10.4.0.2 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +ping 10.4.0.1 +</pre> +</div> +<div class="section" id="example-3-a-tunnel-with-full-tls-based-security"> +<h2>Example 3: A tunnel with full TLS-based security</h2> +<p>For this test, we will designate <tt class="docutils literal">bob</tt> as the TLS client and <tt class="docutils literal">alice</tt> +as the TLS server.</p> +<dl class="docutils"> +<dt><em>Note:</em></dt> +<dd>The client or server designation only has +meaning for the TLS subsystem. It has no bearing on OpenVPN's +peer-to-peer, UDP-based communication model.*</dd> +</dl> +<p>First, build a separate certificate/key pair for both bob and alice (see +above where <tt class="docutils literal"><span class="pre">--cert</span></tt> is discussed for more info). 
Then construct +Diffie Hellman parameters (see above where <tt class="docutils literal"><span class="pre">--dh</span></tt> is discussed for +more info). You can also use the included test files <code>client.crt</code>, +<code>client.key</code>, <code>server.crt</code>, <code>server.key</code> and +<code>ca.crt</code>. The <tt class="docutils literal">.crt</tt> files are certificates/public-keys, the +<tt class="docutils literal">.key</tt> files are private keys, and <code>ca.crt</code> is a certification +authority who has signed both <code>client.crt</code> and <code>server.crt</code>. +For Diffie Hellman parameters you can use the included file +<code>dh2048.pem</code>.</p> +<dl class="docutils"> +<dt><em>WARNING:</em></dt> +<dd>All client, server, and certificate authority certificates +and keys included in the OpenVPN distribution are totally +insecure and should be used for testing only.</dd> +</dl> +<p>On bob:</p> +<pre class="literal-block"> +openvpn --remote alice.example.com --dev tun1 \ + --ifconfig 10.4.0.1 10.4.0.2 \ + --tls-client --ca ca.crt \ + --cert client.crt --key client.key \ + --reneg-sec 60 --verb 5 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +openvpn --remote bob.example.com --dev tun1 \ + --ifconfig 10.4.0.2 10.4.0.1 \ + --tls-server --dh dh1024.pem --ca ca.crt \ + --cert server.crt --key server.key \ + --reneg-sec 60 --verb 5 +</pre> +<p>Now verify the tunnel is working by pinging across the tunnel.</p> +<p>On bob:</p> +<pre class="literal-block"> +ping 10.4.0.2 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +ping 10.4.0.1 +</pre> +<p>Notice the <tt class="docutils literal"><span class="pre">--reneg-sec</span> 60</tt> option we used above. That tells OpenVPN +to renegotiate the data channel keys every minute. 
Since we used +<tt class="docutils literal"><span class="pre">--verb</span> 5</tt> above, you will see status information on each new key +negotiation.</p> +<p>For production operations, a key renegotiation interval of 60 seconds is +probably too frequent. Omit the <tt class="docutils literal"><span class="pre">--reneg-sec</span> 60</tt> option to use +OpenVPN's default key renegotiation interval of one hour.</p> +</div> +<div class="section" id="routing"> +<h2>Routing:</h2> +<p>Assuming you can ping across the tunnel, the next step is to route a +real subnet over the secure tunnel. Suppose that bob and alice have two +network interfaces each, one connected to the internet, and the other to +a private network. Our goal is to securely connect both private +networks. We will assume that bob's private subnet is <em>10.0.0.0/24</em> and +alice's is <em>10.0.1.0/24</em>.</p> +<p>First, ensure that IP forwarding is enabled on both peers. On Linux, +enable routing:</p> +<pre class="literal-block"> +echo 1 > /proc/sys/net/ipv4/ip_forward +</pre> +<p>This setting is not persistent. Please see your operating systems +documentation how to properly configure IP forwarding, which is also +persistent through system boots.</p> +<p>If your system is configured with a firewall. Please see your operating +systems guide on how to configure the firewall. 
You typically want to +allow traffic coming from and going to the tun/tap adapter OpenVPN is +configured to use.</p> +<p>On bob:</p> +<pre class="literal-block"> +route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2 +</pre> +<p>On alice:</p> +<pre class="literal-block"> +route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1 +</pre> +<p>Now any machine on the <em>10.0.0.0/24</em> subnet can access any machine on the +<em>10.0.1.0/24</em> subnet over the secure tunnel (or vice versa).</p> +<p>In a production environment, you could put the route command(s) in a +script and execute with the <tt class="docutils literal"><span class="pre">--up</span></tt> option.</p> +</div> +</div> +</div> +</body> +</html> |