From bc8ed874e48a2bb994e7714cc75b8aae392cb851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 16:02:06 +0100 Subject: [PATCH 1/4] add openvpn docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/index.md | 1 + docs/tunneling/openvpn.md | 52 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 docs/tunneling/openvpn.md diff --git a/docs/tunneling/index.md b/docs/tunneling/index.md index 9150e6f..e736e21 100644 --- a/docs/tunneling/index.md +++ b/docs/tunneling/index.md @@ -3,3 +3,4 @@ - [fastd](fastd) - [WireGuard](wireguard) +- [OpenVPN](openvpn) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md new file mode 100644 index 0000000..781fdaa --- /dev/null +++ b/docs/tunneling/openvpn.md @@ -0,0 +1,52 @@ + +# OpenVPN + +## Configuration + +``` +mode p2p + +remote +local + +proto + +rport +lport + +dev-type tun +dev + +script-security 1 +cipher aes-256-cbc + +resolv-retry infinite + +persist-key +persist-tun + +ifconfig-ipv6 + +secret +``` +Replace `` with the IP address of the peer and `` with your IP address. +Replace `` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6. +Choose a port for `` and set `` to the port of your peer. `` on udp must be opened accordingly in the local firewall. +Replace `` with the appropriate interface name for your peer. +Replace `` with your link-local IPv6 and `` with the link-local IPv6 of your peer. +Replace `` with the path to the Secret Static Key. + +Generate a Secret Static Key: +``` +openvpn --genkey secret .key +``` + +## Automatic start with systemd + +If you save the OpenVPN configuration under `/etc/openvpn/.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: +``` +systemctl start openvpn@ +``` +``` +systemctl enable openvpn@ +``` 
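Review bot: In the docs/tunneling/openvpn.md hunk, the `secret` paragraph only says where to put the key path; since that file is the sole secret protecting the tunnel, the doc should also tell the reader to keep it readable by root only and to copy it to the peer over a channel that is already authenticated (e.g. ssh), not over the network the tunnel is meant to protect. The example config sets `cipher aes-256-cbc` but no `auth` line, so the HMAC used for the data channel is whatever the installed build defaults to; adding an explicit `auth` line (for example `auth sha256`) makes the example reproducible across OpenVPN versions. Minor: the fenced blocks in the new page carry no language tag; tagging the config block and the two shell commands keeps them consistent with the other tunneling pages.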
From 4479cec7a9eb959325aecf61d2502246e0a3c845 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 16:25:21 +0100 Subject: [PATCH 2/4] add hint to second ll MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/openvpn.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md index 781fdaa..ac3c3b6 100644 --- a/docs/tunneling/openvpn.md +++ b/docs/tunneling/openvpn.md @@ -25,7 +25,7 @@ resolv-retry infinite persist-key persist-tun -ifconfig-ipv6 +ifconfig-ipv6 fe80::1000 secret ``` @@ -33,7 +33,7 @@ Replace `` with the IP address of the peer and `` with your IP ad Replace `` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6. Choose a port for `` and set `` to the port of your peer. `` on udp must be opened accordingly in the local firewall. Replace `` with the appropriate interface name for your peer. -Replace `` with your link-local IPv6 and `` with the link-local IPv6 of your peer. +Replace `` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here. Replace `` with the path to the Secret Static Key. Generate a Secret Static Key: From f52ca3d8571798866b3faa49e7f13548638c6ea5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 16:30:59 +0100 Subject: [PATCH 3/4] add links to other openvpn sites MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/openvpn.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md index ac3c3b6..6ab4094 100644 --- a/docs/tunneling/openvpn.md +++ b/docs/tunneling/openvpn.md 
@@ -50,3 +50,8 @@ systemctl start openvpn@ ``` systemctl enable openvpn@ ``` + +## Further links + +- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) +- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn) From a590007002c28b2ef58f4d99056b46cacd42a07a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Mon, 2 Jan 2023 16:34:28 +0100 Subject: [PATCH 4/4] add hint to encryption security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/openvpn.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md index 6ab4094..be1a0ec 100644 --- a/docs/tunneling/openvpn.md +++ b/docs/tunneling/openvpn.md @@ -1,6 +1,8 @@ # OpenVPN +**Hint:** OpenVPN with a static key has no Perfect Forward Secrecy (PFS)! + ## Configuration ```
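Review bot: In the `@@ -33,7 +33,7 @@` hunk of PATCH 2/4, "only necessary for certain functions of OpenVPN" leaves the reader unable to judge whether `fe80::1000` is safe to use on both ends of the link; the sentence should say what the second `ifconfig-ipv6` argument actually is (the remote endpoint address of the tun interface) and state explicitly that it is a placeholder that does not need to match anything on the peer, so both peers can keep the same value. "The specification is mandatory" should also be tied to the version of OpenVPN it was verified against, since the 2.6 manual linked in PATCH 3/4 is the reference this page points readers to.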
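Review bot: In the PATCH 4/4 hunk the new hint states the missing property but not its consequence; one added sentence, that anyone who obtains the static key file can decrypt every capture of this tunnel, past and future, until the key is replaced, tells the reader why the key file's permissions and periodic regeneration with the `openvpn --genkey secret` command from the same page matter. Pointing to OpenVPN's TLS mode as the alternative that does provide forward secrecy would give readers who need PFS a concrete way out rather than only a warning.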