{{>toc}}

h1. OpenVPN

h2. Port sharing

Apache and nginx

http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

port-share 127.0.0.1 4443

http://www.greenie.net/ipv6/openvpn.html

https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

h2. Certificats

Via mherrb : la page de man 'ssl(8)' d'OpenBSD explique bien comment faire un certificat auto-signé qui marchera pour OpenVPN: 

http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

h2. Server

<pre>

# cat /etc/default/openvpn

...

AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"

...

# cat /etc/openvpn/ttnn-tap.conf 

dev tap0udp

port 11195

proto udp

ca ttnn/ca.crt

cert ttnn/h1.crt

key ttnn/h1.key  # This file should be kept secret

dh ttnn/dh1024.pem

mode server

tls-server

persist-key

persist-tun

client-config-dir ccd

client-to-client

comp-lzo yes

keepalive 10 60

verb 3

log-append  log/openvpn-tap.log

status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf 

dev tap6udp

port 11196

proto udp6

ca ttnn/ca.crt

cert ttnn/h1.crt

key ttnn/h1.key  # This file should be kept secret

dh ttnn/dh1024.pem

mode server

tls-server

persist-key

persist-tun

client-config-dir ccd

client-to-client

comp-lzo yes

keepalive 10 60

verb 3

log-append  log/openvpn-tap6.log

status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf 

dev tap0tcp

port 443

proto tcp-server

ca ttnn/ca.crt

cert ttnn/h1.crt

key ttnn/h1.key  # This file should be kept secret

dh ttnn/dh1024.pem

mode server

tls-server

persist-key

persist-tun

client-config-dir ccd

client-to-client

comp-lzo yes

keepalive 10 60

verb 3

log-append  log/openvpn-tap-tcp.log

status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:

# ip-91-224-149-165.crt

# ip-91-224-149-165.csr

# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165

ifconfig-push 91.224.149.165 255.255.255.0

push "route-gateway 91.224.149.254"

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"

# bridge

brctl addbr br0

brctl addif br0 eth0

ip link set br0 up

ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes

openvpn --mktun --dev tap0udp

openvpn --mktun --dev tap0tcp

openvpn --mktun --dev tap6udp

brctl addif br0 tap0udp

ip link set tap0udp up

brctl addif br0 tap0tcp

ip link set tap0tcp up

brctl addif br0 tap6udp

ip link set tap6udp up

</pre>

Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client  --pull et --pull est ce qui accepte les directives serveur.

h2. Client

<pre>

# cat /etc/openvpn/ttnn.conf

client

dev tap

### from outside with UDP available

#proto udp

#remote openvpn.tetaneutral.net 11195

### from outside with no UDP

proto tcp

remote openvpn.tetaneutral.net 443

# 91.224.149.211 443

# from outside using IPv6 over UDP

#proto udp6

#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt

cert ttnn/ip-91-224-149-165.crt

key ttnn/ip-91-224-149-165.key

persist-key

persist-tun

script-security 2

comp-lzo yes

keepalive 10 60

verb 3

log-append log/openvpn.log

</pre>

h2. point a point

<pre>

openvpn --genkey --secret tst.key

#server

openvpn --mktun --dev-type tap --dev taptst

ip link set taptst up

openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234

#client

openvpn --mktun --dev-type tap --dev taptst

ip link set taptst up

openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234

</pre>

h2. Point-à-point avec routage d'un bloc d'IP.

[[Partage ADSL OpenVPN]]

h2. Performances

[[Benchmark VPN]]

h2. Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet

http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

h2. Links

* https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding"

* https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn

* https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN