add docs for openvpn when one peer is not publicly reachable

Signed-off-by: Marek Küthe <m.k@mk16.de>
Marek Küthe 2023-01-03 17:53:56 +01:00
parent abebf9eb4c
commit cb26cf4001
GPG Key ID: 7E869146699108C7
1 changed file with 26 additions and 1 deletion


@ -32,7 +32,7 @@ ifconfig-ipv6 <IPv6> fe80::1000
secret <secret>
```
Replace `<remote>` with the IP address of the peer and `<local>` with your IP address.
Replace `<proto>` with `udp` for a connection over IPv4 or with `udp6` for a connection over IPv6.
Replace `<proto>` with `udp4` for a connection over IPv4 or with `udp6` for a connection over IPv6.
Choose a port for `<lport>` and set `<rport>` to the port of your peer. `<lport>` on udp must be opened accordingly in the local firewall.
Replace `<interface>` with the appropriate interface name for your peer.
Replace `<IPv6>` with your link-local IPv6. The specification of a second link-local address is only necessary for certain functions of OpenVPN, but the specification is mandatory. Therefore the address `fe80::1000` is used here.
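Review bot: The `udp` to `udp4` correction in this hunk is right and makes the IPv4 case as explicit as the `udp6` case already was; while touching this block, the sentence "`<lport>` on udp must be opened accordingly in the local firewall" would be clearer as "inbound UDP to `<lport>` must be allowed in the local firewall", since that is the direction the peer's packets arrive from.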
@ -46,6 +46,31 @@ openvpn --genkey secret <filename>.key
### Speed optimization
To increase the speed of OpenVPN, you can use the `fast-io` flag. To use the flag, OpenVPN must run over UDP and on a non-Windows system. This option is experimental.
### A peer is not publicly reachable
It can happen that a peer is not always publicly reachable on the same IP address, for example, due to a NAT. In this case, it is sufficient if one of the peers is publicly reachable.
The configuration files are adjusted accordingly.
On the public reachable peer `remote`, `local` and `rport` are removed. The parameter `lport` remains and must be publicly reachable via UDP. Furthermore the parameter `float` and `keepalive` is added.
```
lport <lport>
float
keepalive <interval> <timeout>
```
On the non-public peer, only `lport` and `local` are removed and the `keepalive` parameter is added.
```
remote <remote>
rport <rport>
keepalive <interval> <timeout>
```
For the keepalive signal, `<interval>` is replaced with an interval in miliseconds in which ping-like signals are sent to keep the connection alive. `<timeout>` specifies the number of miliseconds since the last received ping-type signal after which the peer is considered down.
For example, if a keepalive signal is to be sent every 20ms and the peer is to be considered down after 2 minutes, the following configuration can be used:
```
keepalive 20 120
```
## Automatic start with systemd
If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start:
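Review bot: The units for `keepalive` are wrong in the new section: OpenVPN's `keepalive <interval> <timeout>` takes seconds, not milliseconds (it is shorthand for a ping every `<interval>` seconds and a restart after `<timeout>` seconds without a reply), so "miliseconds" should read "seconds" (also fixing the spelling), and the worked example is inconsistent with itself, since "every 20ms ... down after 2 minutes" does not match `keepalive 20 120`; suggest "if a keepalive signal is to be sent every 20 seconds and the peer is to be considered down after 120 seconds (2 minutes)". Two grammar points in the same hunk: "On the public reachable peer" should be "On the publicly reachable peer", and "the parameter `float` and `keepalive` is added" should be "the parameters `float` and `keepalive` are added". Finally, because `remote` is dropped and `float` is set on the public peer, it now accepts packets from any source address; one sentence noting that the shared `secret` is what authenticates those packets would help readers judge the change.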