Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
install_24_4_openvpn [2025/11/18 15:30] systeminstall_24_4_openvpn [2025/11/19 04:44] (current) system
Line 185: Line 185:
 </code> </code>
   * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client's key needs to generated using the server key.   * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client's key needs to generated using the server key.
-  * This is an extra obfuscation on OpenVPN's control channel to hide metadata which can be used to gain more insights on the OpenVPN instance running on the server. +  * This is an extra obfuscation on OpenVPN's control channel to hide metadata which can be used to gain more insights on the OpenVPN instance running on the server. 
 +  * All the required items are now present to have a working OpenVPN server. 
 + 
 +---------------- 
 + 
 +===== Server Config File ===== 
 +  * This is how our **/etc/openvpn/server.conf** file looks: 
 +<code bash> 
 +port 1194 
 +proto udp 
 +dev tun 
 + 
 +# --- PKI / TLS (ECC only, no DH) --- 
 +ca ca.crt 
 +cert server.crt 
 +key server.key 
 + 
 +# No "dh none" when using EC certificates 
 +dh none 
 + 
 +# Optional but recommended: match your Easy-RSA curve (if you set EASYRSA_CURVE) 
 +# ecdh-curve prime256v1 
 + 
 +# Protect and hide the control channel 
 +tls-crypt-v2 tls-crypt-v2-server.key 
 + 
 +# Only allow modern TLS 
 +tls-version-min 1.2 
 +remote-cert-eku "TLS Web Client Authentication" 
 + 
 +# --- VPN network --- 
 +topology subnet 
 +server 10.8.0.0 255.255.255.0 
 + 
 +# Push default route + DNS to clients (adjust if you want split tunnel) 
 +push "redirect-gateway def1 bypass-dhcp" 
 +push "dhcp-option DNS 1.1.1.1" 
 +push "dhcp-option DNS 9.9.9.9" 
 + 
 +# --- Encryption (data channel) --- 
 +data-ciphers AES-256-GCM:CHACHA20-POLY1305 
 +data-ciphers-fallback AES-256-GCM 
 + 
 +# --- Misc hardening / behavior --- 
 +user nobody 
 +group nogroup 
 +persist-key 
 +persist-tun 
 +keepalive 10 120 
 +verb 3 
 + 
 +</code> 
 +  * We also have to make sure the all the files from our PKI location is copied to the /etc/openvpn directory: 
 +<code bash> 
 +sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/ 
 +</code> 
 + 
 +---------------- 
 + 
 +===== Start and Enable OpenVPN ===== 
 +<code bash> 
 +sudo systemctl start openvpn@server 
 +sudo systemctl enable openvpn@server 
 +sudo systemctl status openvpn@server 
 +</code> 
  • install_24_4_openvpn.1763472638.txt.gz
  • Last modified: 2025/11/18 15:30
  • by system