[ale] HomeVPN
Robert L. Harris
robert.l.harris at gmail.com
Tue Nov 13 13:47:05 EST 2012
Here are my current configs with the suggestions above. One thing I would
like to figure out is how to have my clients hit my resolvers for my home
domain but not for everything, since my work network has its own for
internal machines.
** Server
# Configure basic server settings, including the
# subnet, protocol, and activity tracking.
port 5678
dev tun
proto udp
mode server
cipher aes-256-cbc
topology subnet
tls-server
# HMAC firewall on the control channel: key direction 0 here, 1 on clients.
tls-auth keys/ta.key 0
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# Per-client config directory (keyed on the certificate CN);
# ccd-exclusive refuses any client that has no file there.
client-config-dir /etc/openvpn/ccd
ccd-exclusive
duplicate-cn
client-to-client
keepalive 44 180
float
tun-mtu 1500
push "tun-mtu 1500"
persist-tun
persist-key
comp-lzo
verb 1
mute 60
log-append /var/log/openvpn/openvpn-aes.log
status /var/log/openvpn/status-aes.log
# Configure the server (with topology subnet: address and netmask)
ifconfig 172.19.0.1 255.255.255.0
# Create a dhcp pool (the netmask is what gets pushed to clients)
ifconfig-pool 172.19.0.10 172.19.0.200 255.255.255.0
# Without the "server" directive the topology and the route gateway
# have to be pushed by hand; these are the lines "server" would add.
push "topology subnet"
push "route-gateway 172.19.0.1"
# Tell the server to route out the tun
#push "route-gateway dhcp"
#route 172.19.251.0 255.255.255.0
# Add routes to the client that point to subnets
# reachable through this server.
push "route 172.19.0.0 255.255.255.0"
push "route 172.20.0.0 255.255.0.0"
** Client
dev tun
tls-client
# Only accept a server certificate that was issued for server use.
ns-cert-type server
proto udp
cipher aes-256-cbc
# tls-auth key direction 1 (the server side uses 0).
tls-auth keys/ta.key 1
ca keys/cacert.pem
cert keys/laptop.crt
key keys/laptop.key
# Our OpenVPN peer is the office gateway.
remote vpn.domain.com 5678
# Drop privileges once the tunnel is up; persist-tun/persist-key
# let restarts work without root.
user nobody
group nogroup
pull
nobind
comp-lzo
persist-tun
persist-key
keepalive 44 180
log-append /var/log/openvpn/openvpn.log
resolv-retry infinite
verb 1
mute 20
On Fri, Nov 9, 2012 at 12:29 PM, Robert L. Harris <robert.l.harris at gmail.com> wrote:
> Phil,
> You had a couple options I hadn't found before such as the "Topology"
> and pushing the MTU. I'm going to clean up my configs and I'll post them.
> I also have 2 scripts which make and package up the client configs as well.
>
> Robert
>
>
>
> On Fri, Nov 9, 2012 at 10:50 AM, Phil Turmel <philip at turmel.org> wrote:
>
>> On 11/09/2012 10:54 AM, Robert L. Harris wrote:
>> > I will look into those android apps yet, haven't found one I like.
>> >
>> > I've been using SSH since the early 90's, no worries there. I want to
>> > setup and play with a VPN connection for remote devices. I have OpenVPN
>> > running out of a linux VM dedicated so i can lock it down and if need be
>> > wipe it without loss of sleep.
>> >
>> > As my original thread went, "Has anyone else done this? Anyone up for
>> > sharing configs/discussing?"
>>
>> I've been running OpenVPN on my office server to support home and road
>> warrior usage for about eight or nine years. Using my own certificate
>> authority for the past five years or so to minimize router configuration
>> requirements. Works well with both windows and linux client machines.
>>
>> I've attached my config files for your edification (lightly sanitized).
>>
>> The last attachment is my personal script for managing my certificate
>> authority.
>>
>> HTH,
>>
>> Phil
>>
--
:wq!
---------------------------------------------------------------------------
Robert L. Harris
DISCLAIMER:
These are MY OPINIONS With Dreams To Be A King,
ALONE. I speak for First One Should Be A Man
no-one else. - Manowar
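A quick consistency check for a server/client pair like the one posted above, as an added example (not part of the original message or of OpenVPN): it parses both configs and flags the mismatches that usually break a handshake, such as the tls-auth key directions not being 0 on one side and 1 on the other, or a differing proto, cipher or port. The embedded sample configs are constructed, trimmed copies of the ones in this mail.

```python
import shlex

# Constructed sample pair, trimmed from the configs posted above.
SERVER = """port 5678
proto udp
cipher aes-256-cbc
tls-server
tls-auth keys/ta.key 0
comp-lzo
"""
CLIENT = """tls-client
proto udp
cipher aes-256-cbc
tls-auth keys/ta.key 1
remote vpn.domain.com 5678
comp-lzo
"""

def parse_ovpn(text):
    """Map each directive to its list of argument lists; comments dropped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            parts = shlex.split(line)  # keeps push "..." as one argument
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches between a server and a client config."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    first = lambda o, k: o[k][0] if k in o else None  # first occurrence
    issues = []
    if first(srv, "proto") != first(cli, "proto"):
        issues.append("proto differs between server and client")
    port, remote = first(srv, "port") or ["1194"], first(cli, "remote") or []
    if len(remote) < 2 or remote[1] != port[0]:
        issues.append("client remote port does not match server port")
    if first(srv, "cipher") != first(cli, "cipher"):
        issues.append("cipher differs between server and client")
    sta, cta = first(srv, "tls-auth"), first(cli, "tls-auth")
    if not (sta and cta) or {sta[-1], cta[-1]} != {"0", "1"}:
        issues.append("tls-auth must be on both sides with directions 0 and 1")
    if "tls-server" not in srv or "tls-client" not in cli:
        issues.append("tls-server/tls-client roles not both set")
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        issues.append("comp-lzo set on only one side")
    return issues
```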