merge current master

Signed-off-by: Marek Küthe <m.k@mk16.de>
Marek Küthe 2023-01-03 11:34:00 +01:00
commit b1858767d0
No known key found for this signature in database
GPG Key ID: 7E869146699108C7
4 changed files with 104 additions and 0 deletions


@ -0,0 +1,43 @@
# Create a dummy interface
For routes to be installed into the kernel, the source IP must be bound to an interface. Often the CRXN address is not on any interface. Therefore one creates a dummy interface. Alternatively, you can bind the CRXN IP address to the loopback interface. If the CRXN IP address is not bound to an interface, the `Netlink: Invalid argument` error can occur at bird.
You can create a dummy interface with the following command:
```
ip link add crxn type dummy
ip link set dev crxn up
```
Here `crxn` is the name of the interface.
To bind the CRXN IP address to the interface you can use the following command:
```
ip addr add dev crxn <ip>/128
```
Replace `<ip>` with the CRXN IP address.
To delete the dummy interface you can use the following command:
```
ip link del crxn
```
## Automatic start with ifupdown
```
auto crxn
iface crxn inet6 manual
pre-up ip link add crxn type dummy
up ip addr add dev crxn <ip>/128
post-down ip link del crxn
```
Alternatively, you can use the following configuration:
```
auto crxn
iface crxn inet6 static
address <ip>
netmask 128
pre-up ip link add crxn type dummy
post-down ip link del crxn
```
Here the assignment of the IP address is delegated to ifupdown.
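Review bot: In both ifupdown stanzas, `pre-up ip link add crxn type dummy` fails when `crxn` already exists, for example after the manual `ip link add crxn type dummy` shown earlier in this file, and ifupdown aborts `ifup` when a pre-up command fails. Please add a sentence telling readers to remove a manually created interface with `ip link del crxn` before switching to the ifupdown configuration. The section also does not name the file the stanzas go into, and the manual steps run `ip link set dev crxn up` while the stanzas say nothing about link state; one line on each would close the gap.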


@ -3,3 +3,4 @@
- [Forwarding](forwarding) - [Forwarding](forwarding)
- [Setting up Bird](bird) - [Setting up Bird](bird)
- [Create a dummy interface](create-dummy-interface)


@ -3,4 +3,5 @@
- [fastd](fastd) - [fastd](fastd)
- [WireGuard](wireguard) - [WireGuard](wireguard)
- [OpenVPN](openvpn)
- [IP tunnel](iptunnel) - [IP tunnel](iptunnel)

59
docs/tunneling/openvpn.md Normal file

@ -0,0 +1,59 @@
# OpenVPN
**Hint:** OpenVPN with a static key has no Perfect Forward Secrecy (PFS)!
## Configuration
```
mode p2p
remote <remote>
local <local>
proto <proto>
rport <rport>
lport <lport>
dev-type tun
dev <interface>
script-security 1
cipher aes-256-cbc
resolv-retry infinite
persist-key
persist-tun
ifconfig-ipv6 <IPv6> fe80::1000
secret <secret>
```
Replace `<remote>` with the IP address of the peer and `<local>` with your IP address.
Replace `<proto>` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6.
Choose a port for `<lport>` and set `<rport>` to the port of your peer. `<lport>` on udp must be opened accordingly in the local firewall.
Replace `<interface>` with the appropriate interface name for your peer.
Replace `<IPv6>` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here.
Replace `<secret>` with the path to the Secret Static Key.
Generate a Secret Static Key:
```
openvpn --genkey secret <filename>.key
```
## Automatic start with systemd
If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start:
```
systemctl start openvpn@<filename>
```
```
systemctl enable openvpn@<filename>
```
## Further links
- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn)
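Review bot: The "Generate a Secret Static Key" step at `openvpn --genkey secret <filename>.key` does not say how the key is to be handled: both peers need the same file, so the page should state that it has to be exchanged over a secure channel and stored readable only by the user OpenVPN runs as. This matters more here because of the hint at the top of the file: without PFS, anyone who obtains the key can decrypt previously recorded traffic as well as future traffic. Two smaller points: the key generation step would read better before the configuration that references `secret <secret>`, and `resolv-retry infinite` only has an effect when `<remote>` is a hostname, while the text describes `<remote>` as an IP address.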