diff --git a/docs/routing/create-dummy-interface.md b/docs/routing/create-dummy-interface.md new file mode 100644 index 0000000..cd811df --- /dev/null +++ b/docs/routing/create-dummy-interface.md @@ -0,0 +1,43 @@ + +# Create a dummy interface + +For routes to be installed into the kernel, the source IP must be bound to an interface. Often the CRXN address is not on any interface. Therefore one creates a dummy interface. Alternatively, you can bind the CRXN IP address to the loopback interface. If the CRXN IP address is not bound to an interface, the `Netlink: Invalid argument` error can occur at bird. + +You can create a dummy interface with the following command: +``` +ip link add crxn type dummy +ip link set dev crxn up +``` +Here `crxn` is the name of the interface. + +To bind the CRXN IP address to the interface you can use the following command: +``` +ip addr add dev crxn /128 +``` +Replace `` with the CRXN IP address. + +To delete the dummy interface you can use the following command: +``` +ip link del crxn +``` + +## Automatic start with ifupdown + +``` +auto crxn +iface crxn inet6 manual + pre-up ip link add crxn type dummy + up ip addr add dev crxn /128 + post-down ip link del crxn +``` + +Alternatively, you can use the following configuration: +``` +auto crxn +iface crxn inet6 static + address + netmask 128 + pre-up ip link add crxn type dummy + post-down ip link del crxn +``` +Here the assignment of the IP address is delegated to ifupdown. diff --git a/docs/routing/index.md b/docs/routing/index.md index 609d418..7c26bf9 100644 --- a/docs/routing/index.md +++ b/docs/routing/index.md @@ -3,3 +3,4 @@ - [Forwarding](forwarding) - [Setting up Bird](bird) +- [Create a dummy interface](create-dummy-interface) diff --git a/docs/tunneling/index.md b/docs/tunneling/index.md index 2b48962..7243490 100644 --- a/docs/tunneling/index.md +++ b/docs/tunneling/index.md @@ -3,4 +3,5 @@ - [fastd](fastd) - [WireGuard](wireguard) +- [OpenVPN](openvpn) - [IP tunnel](iptunnel) 
diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md new file mode 100644 index 0000000..be1a0ec --- /dev/null +++ b/docs/tunneling/openvpn.md @@ -0,0 +1,59 @@ + +# OpenVPN + +**Hint:** OpenVPN with a static key has no Perfect Forward Secrecy (PFS)! + +## Configuration + +``` +mode p2p + +remote +local + +proto + +rport +lport + +dev-type tun +dev + +script-security 1 +cipher aes-256-cbc + +resolv-retry infinite + +persist-key +persist-tun + +ifconfig-ipv6 fe80::1000 + +secret +``` +Replace `` with the IP address of the peer and `` with your IP address. +Replace `` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6. +Choose a port for `` and set `` to the port of your peer. `` on udp must be opened accordingly in the local firewall. +Replace `` with the appropriate interface name for your peer. +Replace `` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here. +Replace `` with the path to the Secret Static Key. + +Generate a Secret Static Key: +``` +openvpn --genkey secret .key +``` + +## Automatic start with systemd + +If you save the OpenVPN configuration under `/etc/openvpn/.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: +``` +systemctl start openvpn@ +``` +``` +systemctl enable openvpn@ +``` + +## Further links + +- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) +- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn)
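Review bot: in docs/routing/create-dummy-interface.md, both ifupdown stanzas run `pre-up ip link add crxn type dummy` unguarded, and the `inet6 manual` stanza has no counterpart to the `ip link set dev crxn up` step from the manual procedure earlier in the same file. `ip link add` exits non-zero when `crxn` already exists (for example after an interrupted ifdown), and ifup aborts when a pre-up command fails, so consider `pre-up ip link add crxn type dummy || true`. For the link state, either add `up ip link set dev crxn up` to the stanza or say in the text that ifupdown brings the link up itself, so the manual and the automatic procedure visibly match. The sentence offering the loopback interface as an alternative would also benefit from showing the corresponding command, since every other step in the file has one.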
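Review bot: in docs/tunneling/openvpn.md, the "Generate a Secret Static Key" step ends at `openvpn --genkey secret .key` and says nothing about how the key is handled afterwards. With `secret`, both peers load the same file, and anyone who can read it can decrypt and forge the tunnel traffic, which matters all the more given the missing PFS that the hint at the top already points out. Please add a sentence saying that the key must be copied to the peer over a secure channel and that the file should be readable by root only (for example `chmod 600` on the generated file). The hint could also mention that the OpenVPN 2.6 manual linked under "Further links" marks static key mode (`--secret`) as deprecated, so readers know this setup has a limited lifetime. Finally, the configuration pins `cipher aes-256-cbc` but leaves `auth` at its default; stating the intended HMAC digest explicitly would keep both peers' configurations unambiguous.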