<div><br></div>Here are my current configs with the suggestions above. One thing I would like to figure out is how to have my clients hit my resolvers for my home domain but not for everything, since my work network has its own for internal machines.<div>
<br><div><br></div><div>** Server</div><pre>
# Configure basic server settings, including the
# subnet, protocol, and activity tracking.
port 5678
dev tun
proto udp
mode server
cipher aes-256-cbc
topology subnet

tls-server
tls-auth keys/ta.key 0
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key

client-config-dir /etc/openvpn/ccd
ccd-exclusive
duplicate-cn
client-to-client
keepalive 44 180
float
tun-mtu 1500
push "tun-mtu 1500"
persist-tun
persist-key
comp-lzo

verb 1
mute 60
log-append /var/log/openvpn/openvpn-aes.log
status /var/log/openvpn/status-aes.log

# Configure the server
ifconfig 172.19.0.1 255.255.255.0

# Create a dhcp pool
ifconfig-pool 172.19.0.10 172.19.0.200

# Tell the server to route out the tun
#push "route-gateway dhcp"
#route 172.19.251.0 255.255.255.0

# Add routes to the client that point to subnets
# reachable through this server.
push "route 172.19.0.0 255.255.255.0"
push "route 172.20.0.0 255.255.0.0"
</pre><div><br></div><div>** Client</div><pre>
dev tun
tls-client
ns-cert-type server
proto udp
cipher aes-256-cbc
tls-auth keys/ta.key 1
ca keys/cacert.pem
cert keys/laptop.crt
key keys/laptop.key

# Our OpenVPN peer is the office gateway.
remote vpn.domain.com 5678

user nobody
group nogroup

pull
nobind
comp-lzo
persist-tun
persist-key
keepalive 44 180
log-append /var/log/openvpn/openvpn.log

resolv-retry infinite

verb 1
mute 20
</pre><div><br></div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 9, 2012 at 12:29 PM, Robert L. Harris <span dir="ltr"><<a href="mailto:robert.l.harris@gmail.com" target="_blank">robert.l.harris@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Phil,<div> You had a couple of options I hadn't found before, such as the "Topology" and pushing the MTU. I'm going to clean up my configs and I'll post them. I also have 2 scripts which make and package up the client configs as well.</div>
<span class="HOEnZb"><font color="#888888">
<div><br></div><div>Robert</div><div><br></div></font></span><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Fri, Nov 9, 2012 at 10:50 AM, Phil Turmel <span dir="ltr"><<a href="mailto:philip@turmel.org" target="_blank">philip@turmel.org</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div>On 11/09/2012 10:54 AM, Robert L. Harris wrote:<br>
> I will look into those Android apps yet, haven't found one I like.<br>
><br>
> I've been using SSH since the early 90's, no worries there. I want to<br>
> setup and play with a VPN connection for remote devices. I have OpenVPN<br>
> running out of a Linux VM dedicated so I can lock it down and if need be<br>
> wipe it without loss of sleep.<br>
><br>
> As my original thread went, "Has anyone else done this? Anyone up for<br>
> sharing configs/discussing?"<br>
<br>
</div>I've been running OpenVPN on my office server to support home and road<br>
warrior usage for about eight or nine years. Using my own certificate<br>
authority for the past five years or so to minimize router configuration<br>
requirements. Works well with both Windows and Linux client machines.<br>
<br>
I've attached my config files for your edification (lightly sanitized).<br>
<br>
The last attachment is my personal script for managing my certificate<br>
authority<br>
<br>
HTH,<br>
<br>
Phil<br>
<br></div></div><div class="im">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></div></blockquote></div><div class="im"><br><br clear="all"><div><br></div>-- <br>:wq!<br>---------------------------------------------------------------------------<br>Robert L. Harris<br><br>DISCLAIMER:<br> These are MY OPINIONS ALONE. I speak for no-one else.<br><br>With Dreams To Be A King, First One Should Be A Man - Manowar<br>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>:wq!<br>---------------------------------------------------------------------------<br>Robert L. Harris<br><br>DISCLAIMER:<br> These are MY OPINIONS ALONE. I speak for no-one else.<br><br>With Dreams To Be A King, First One Should Be A Man - Manowar<br>
</div>
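<p>The split-DNS question at the top of this message (home-domain lookups go to the home resolvers over the tunnel, everything else keeps using whatever resolver the local network handed out) can be solved on the client with a dnsmasq rule generated from what the server pushes. The script below is an added example for this thread, not one of the configs posted above, and it assumes several things the thread does not state: that the server pushes <code>dhcp-option DNS 172.19.0.1</code> and <code>dhcp-option DOMAIN home.example</code> (illustrative values), that the client runs dnsmasq as its local resolver and reads <code>/etc/dnsmasq.d/</code>, and that the client config carries <code>script-security 2</code> plus <code>up</code>/<code>down</code> lines pointing at this script. On Linux OpenVPN does not apply pushed <code>dhcp-option</code> values itself; it exports each one to the <code>--up</code> script as a <code>foreign_option_N</code> environment variable, which is what the script parses.</p>

```shell
#!/bin/sh
# Added example for the split-DNS question in this thread; it is not part of
# the configs posted above. OpenVPN client --up/--down script that turns the
# pushed dhcp-option values into a dnsmasq split-DNS fragment, so only the
# home domain is resolved through the tunnel and every other name still uses
# the resolver the local (e.g. work) network supplied.
#
# Assumed server-side push lines (illustrative, not from the thread):
#   push "dhcp-option DNS 172.19.0.1"
#   push "dhcp-option DOMAIN home.example"
# Assumed client-side lines:
#   script-security 2
#   up   /etc/openvpn/split-dns.sh
#   down /etc/openvpn/split-dns.sh
# Assumes dnsmasq is the client's local resolver and reads /etc/dnsmasq.d/.

FRAGMENT=/etc/dnsmasq.d/openvpn-home.conf   # assumed path

# Emit one "server=/<domain>/<resolver>" line per pushed DOMAIN x DNS pair.
# dnsmasq forwards queries for <domain> (and its subdomains) to <resolver>
# only; every other query keeps following its normal upstream servers.
# OpenVPN numbers the pushed options foreign_option_1, foreign_option_2, ...
# and stops at the first missing one, which is how the loop terminates.
split_dns_lines() {
    dns=""
    domains=""
    n=1
    while eval "opt=\${foreign_option_$n:-}"; [ -n "$opt" ]; do
        # Word-splitting is intended: "dhcp-option DNS 172.19.0.1" -> $1 $2 $3
        set -- $opt
        case "$1 $2" in
            "dhcp-option DNS")    dns="$dns $3" ;;
            "dhcp-option DOMAIN") domains="$domains $3" ;;
        esac
        n=$((n + 1))
    done
    for d in $domains; do
        for s in $dns; do
            printf 'server=/%s/%s\n' "$d" "$s"
        done
    done
}

# dnsmasq only re-reads its configuration files on restart (SIGHUP reloads
# /etc/hosts and resolv.conf, not the config), so a restart is required.
restart_dnsmasq() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart dnsmasq
    else
        service dnsmasq restart
    fi
}

# Only act when OpenVPN invokes the script (it sets script_type to "up" or
# "down"); running or sourcing it by hand changes nothing on the system.
case "${script_type:-}" in
    up)
        split_dns_lines > "$FRAGMENT"
        restart_dnsmasq
        ;;
    down)
        rm -f "$FRAGMENT"
        restart_dnsmasq
        ;;
esac
```

<p>Two caveats against the client config posted above. First, <code>user nobody</code>/<code>group nogroup</code> means the <code>down</code> invocation runs with dropped privileges and will not be able to remove the fragment or restart dnsmasq; either drop those two lines on the client or run the cleanup through OpenVPN's <code>down-root</code> plugin so it executes as root. Second, the server only pushes forward zones here; if reverse lookups of tunnel addresses should also go to the home resolver, the fragment needs a matching line such as <code>server=/0.19.172.in-addr.arpa/172.19.0.1</code> (assumed zone, derived from the 172.19.0.0/24 tunnel subnet in the server config) added by hand.</p>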