diff --git a/docs/tunneling/index.md b/docs/tunneling/index.md index 9150e6f..e736e21 100644 --- a/docs/tunneling/index.md +++ b/docs/tunneling/index.md @@ -3,3 +3,4 @@ - [fastd](fastd) - [WireGuard](wireguard) +- [OpenVPN](openvpn) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md new file mode 100644 index 0000000..be1a0ec --- /dev/null +++ b/docs/tunneling/openvpn.md @@ -0,0 +1,59 @@ + +# OpenVPN + +**Hint:** OpenVPN with a static key has no Perfect Forward Secrecy (PFS)! + +## Configuration + +``` +mode p2p + +remote +local + +proto + +rport +lport + +dev-type tun +dev + +script-security 1 +cipher aes-256-cbc + +resolv-retry infinite + +persist-key +persist-tun + +ifconfig-ipv6 fe80::1000 + +secret +``` +Replace `` with the IP address of the peer and `` with your IP address. +Replace `` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6. +Choose a port for `` and set `` to the port of your peer. `` on udp must be opened accordingly in the local firewall. +Replace `` with the appropriate interface name for your peer. +Replace `` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here. +Replace `` with the path to the Secret Static Key. + +Generate a Secret Static Key: +``` +openvpn --genkey secret .key +``` + +## Automatic start with systemd + +If you save the OpenVPN configuration under `/etc/openvpn/.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: +``` +systemctl start openvpn@ +``` +``` +systemctl enable openvpn@ +``` + +## Further links + +- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) +- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn)
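Review bot: In the `docs/tunneling/openvpn.md` hunk, the key-generation step (`openvpn --genkey secret .key`) needs a sentence on handling the static key, because in a `mode p2p` / `secret` setup that file is the entire security of the tunnel: say that the identical file must reach the peer over an already-authenticated channel (e.g. scp over ssh), that it should be readable by root only (`chmod 600`; OpenVPN logs a warning when the key file is group- or world-readable), and, given the PFS hint at the top of the page, that it should be rotated periodically, since a key that leaks later exposes all traffic recorded under it. Two smaller points in the same hunk: the placeholders in the config block and in the "Replace `` with ..." sentences render empty (`remote`, `local`, `proto`, `rport`, `lport`, `dev`, `secret` have no argument), most likely because angle-bracket placeholders are swallowed by the Markdown renderer; a form that survives rendering, such as `remote PEER_IP` and "Replace `PEER_IP` with ...", would fix that. And because only `cipher aes-256-cbc` is set, the HMAC falls back to OpenVPN's default `auth SHA1`; an explicit `auth SHA256` line (identical on both peers) would be the more current choice and is worth stating alongside the cipher.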