dn42-wiki/howto/openvpn.html

<!DOCTYPE html>
<html lang="en">
    <head>
<meta charset="UTF-8">



<title>Example Configuration for direct peer to peer | dn42 wiki</title>

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="index, follow">
<meta name="keywords" content="dn42,wiki,routing,bgp">

<link rel="canonical" href="https://dn42.obl.ong/howto/openvpn.html">
<link rel="icon" type="image/x-icon" href="/favicon.ico">
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">

<link rel="author" type="text/html" href="/docs/people">

<link rel="stylesheet" href="/css/normalize.css">
<link rel="stylesheet" href="/css/simple.min.css">
<link rel="stylesheet" href="/css/style.css">
<link rel="stylesheet" href="/css/menu.css">


</head>
    
    <body>

        <header>


<b>dn42 wiki / Example Configuration for direct peer to peer</b>

<div id="dn42_header">
    
    <p><a href="/"><img src="/dn42.png" alt="dn42" /></a></p>

</div>
</header>

        <main>
            <h1 id="example-configuration-for-direct-peer-to-peer">Example Configuration for direct peer to peer</h1>

<ul>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;PEER_NAME&gt;</code> with a self chosen name to identify this peer</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;PROTO&gt;</code> with either <code class="language-plaintext highlighter-rouge">udp</code> or <code class="language-plaintext highlighter-rouge">udp6</code>, depending if you reach your remote peer with ipv4 o ipv6</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;REMOTE_HOST&gt;</code> with the public ip address of your peer</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;REMOTE_PORT&gt;</code> with the port number, where your peer’s openvpn daemon listen for traffic</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;LOCAL_HOST&gt;</code> with your public ip</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;INTERFACE_NAME&gt;</code> with a self chosen name, this will be the name of your network interface (tun device) for this peering</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;LOCAL_GATEWAY_IP&gt;</code> with your own dn42 ip address</li>
  <li>Replace <code class="language-plaintext highlighter-rouge">&lt;REMOTE_GATEWAY_IP&gt;</code> with dn42 ip address of your peer</li>
  <li><code class="language-plaintext highlighter-rouge">&lt;LOCAL_GATEWAY_IPV6&gt; &lt;REMOTE_GATEWAY_IPV6&gt;</code> same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)</li>
</ul>

<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#/etc/openvpn/&lt;PEER_NAME&gt;
</span><span class="n">proto</span>       &lt;<span class="n">PROTO</span>&gt;
<span class="n">mode</span>        <span class="n">p2p</span>
<span class="n">remote</span>      &lt;<span class="n">REMOTE_HOST</span>&gt;
<span class="n">rport</span>       &lt;<span class="n">REMOTE_PORT</span>&gt;
<span class="n">local</span>       &lt;<span class="n">LOCAL_HOST</span>&gt;
<span class="n">lport</span>       &lt;<span class="n">LOCAL_PORT</span>&gt;
<span class="n">dev</span>-<span class="n">type</span>    <span class="n">tun</span>
<span class="n">tun</span>-<span class="n">ipv6</span>
<span class="n">resolv</span>-<span class="n">retry</span> <span class="n">infinite</span>
<span class="n">dev</span>         &lt;<span class="n">INTERFACE_NAME</span>&gt;
<span class="n">comp</span>-<span class="n">lzo</span>
<span class="n">persist</span>-<span class="n">key</span>
<span class="n">persist</span>-<span class="n">tun</span>
<span class="n">cipher</span> <span class="n">aes</span>-<span class="m">256</span>-<span class="n">cbc</span>
<span class="n">ifconfig</span>-<span class="n">ipv6</span> &lt;<span class="n">LOCAL_GATEWAY_IPV6</span>&gt; &lt;<span class="n">REMOTE_GATEWAY_IPV6</span>&gt;
<span class="n">ifconfig</span> &lt;<span class="n">LOCAL_GATEWAY_IP</span>&gt;  &lt;<span class="n">REMOTE_GATEWAY_IP</span>&gt;
<span class="n">secret</span> /<span class="n">etc</span>/<span class="n">openvpn</span>/&lt;<span class="n">PEER_NAME</span>&gt;.<span class="n">key</span>

<span class="c"># The secret can also be included inline with the config by 
#   wrapping it in &lt;secret&gt;&lt;/secret&gt; tags.
# &lt;secret&gt;
# ... Key File contents go here ...
# &lt;/secret&gt;
</span></code></pre></div></div>

<p>then create a new key and share it with your peer</p>

<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>openvpn <span class="nt">--genkey</span> <span class="nt">--secret</span> /etc/openvpn/&lt;PEER_NAME&gt;.key
</code></pre></div></div>

<h1 id="example-configuration-if-one-peer-has-a-floating-ip">Example Configuration if one peer has a floating ip</h1>

<h2 id="peer-with-fixed-ip">peer with fixed ip</h2>

<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">proto</span>       &lt;<span class="n">PROTO</span>&gt;
<span class="n">mode</span>        <span class="n">p2p</span>
<span class="n">dev</span>-<span class="n">type</span>    <span class="n">tun</span>
<span class="n">comp</span>-<span class="n">lzo</span>
<span class="n">dev</span>  &lt;<span class="n">INTERFACE_NAME</span>&gt;
<span class="n">persist</span>-<span class="n">key</span>
<span class="n">persist</span>-<span class="n">tun</span>
<span class="n">tun</span>-<span class="n">ipv6</span>
<span class="n">cipher</span> <span class="n">aes</span>-<span class="m">256</span>-<span class="n">cbc</span>
<span class="n">resolv</span>-<span class="n">retry</span> <span class="n">infinite</span>
<span class="n">float</span>
<span class="n">port</span> &lt;<span class="n">LOCAL_PORT</span>&gt;
<span class="n">ifconfig</span>-<span class="n">ipv6</span> &lt;<span class="n">LOCAL_GATEWAY_IPV6</span>&gt; &lt;<span class="n">REMOTE_GATEWAY_IPV6</span>&gt;
<span class="n">ifconfig</span>  &lt;<span class="n">LOCAL_GATEWAY_IP</span>&gt;  &lt;<span class="n">REMOTE_GATEWAY_IP</span>&gt;
<span class="n">secret</span> /<span class="n">etc</span>/<span class="n">openvpn</span>/&lt;<span class="n">PEER_NAME</span>&gt;.<span class="n">key</span>
</code></pre></div></div>

<h2 id="peer-with-floating-ip">peer with floating ip</h2>

<ul>
  <li>Notice the local gateway ip of your peer is your remote gateway ip and 
his remote gateway is your local gateway</li>
  <li><code class="language-plaintext highlighter-rouge">&lt;REMOTE_HOST&gt;</code> is the ip address of your peer</li>
  <li><code class="language-plaintext highlighter-rouge">&lt;REMOTE_PORT&gt;</code> is openvpn port, where your peer listen for traffic</li>
</ul>

<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">proto</span>       &lt;<span class="n">PROTO</span>&gt;
<span class="n">mode</span>        <span class="n">p2p</span>
<span class="n">remote</span>      &lt;<span class="n">REMOTE_HOST</span>&gt;
<span class="n">rport</span>       &lt;<span class="n">REMOTE_PORT</span>&gt;
<span class="n">lport</span>       <span class="n">float</span>
<span class="n">dev</span>-<span class="n">type</span>    <span class="n">tun</span>
<span class="n">tun</span>-<span class="n">ipv6</span>
<span class="n">dev</span>         &lt;<span class="n">INTERFACE_NAME</span>&gt;
<span class="n">comp</span>-<span class="n">lzo</span>
<span class="n">persist</span>-<span class="n">key</span>
<span class="n">persist</span>-<span class="n">tun</span>
<span class="n">cipher</span> <span class="n">aes</span>-<span class="m">256</span>-<span class="n">cbc</span>
<span class="n">resolv</span>-<span class="n">retry</span> <span class="n">infinite</span>
<span class="n">ifconfig</span>  &lt;<span class="n">LOCAL_GATEWAY_IP</span>&gt;  &lt;<span class="n">REMOTE_GATEWAY_IP</span>&gt;
<span class="n">ifconfig</span>-<span class="n">ipv6</span> &lt;<span class="n">LOCAL_GATEWAY_IPV6</span>&gt; &lt;<span class="n">LOCAL_GATEWAY_IPV6</span>&gt;
<span class="n">secret</span> /<span class="n">etc</span>/<span class="n">openvpn</span>/&lt;<span class="n">PEER_NAME</span>&gt;.<span class="n">key</span>
</code></pre></div></div>

<h1 id="example-configuration-for-connecting-roaming-clients-to-dn42">Example configuration for connecting roaming clients to dn42</h1>

<p>Clients connect using certificates, and simply get attributed dn42 IPs in the order they connect.  This is useful for roaming clients, where you don’t really care which IP you have.  Note that once a client has connected for the first time, it will keep the same IP on subsequent connections (option <code class="language-plaintext highlighter-rouge">ifconfig-pool-persist</code>).</p>

<h2 id="server-configuration">Server configuration</h2>

<p>Replace <code class="language-plaintext highlighter-rouge">&lt;PORT&gt;</code> with the UDP port you want OpenVPN to listen to, and change the IP ranges (<code class="language-plaintext highlighter-rouge">ifconfig</code> and <code class="language-plaintext highlighter-rouge">route-gateway</code> options).</p>

<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mode</span> <span class="n">server</span>
<span class="n">tls</span>-<span class="n">server</span>

<span class="n">dh</span> <span class="n">dh2048</span>.<span class="n">pem</span>
<span class="n">cipher</span> <span class="n">aes</span>-<span class="m">256</span>-<span class="n">cbc</span>

<span class="n">ca</span> <span class="n">keys</span>/<span class="n">ca</span>.<span class="n">crt</span>
<span class="n">cert</span> <span class="n">keys</span>/<span class="n">roaming</span>-<span class="n">dn42</span>.<span class="n">crt</span>
<span class="n">key</span> <span class="n">keys</span>/<span class="n">roaming</span>-<span class="n">dn42</span>.<span class="n">key</span>

<span class="n">client</span>-<span class="n">config</span>-<span class="n">dir</span> /<span class="n">etc</span>/<span class="n">openvpn</span>/<span class="n">roaming</span>

<span class="n">dev</span> <span class="n">tun</span>-<span class="n">roaming</span>
<span class="n">persist</span>-<span class="n">tun</span>
<span class="n">tun</span>-<span class="n">ipv6</span>
<span class="n">tun</span>-<span class="n">mtu</span> <span class="m">1500</span>
<span class="n">fragment</span> <span class="m">1300</span>
<span class="n">mssfix</span>
<span class="n">log</span> /<span class="n">var</span>/<span class="n">log</span>/<span class="n">openvpn</span>-<span class="n">dn42</span>-<span class="n">roaming</span>.<span class="n">log</span>
<span class="n">status</span> /<span class="n">var</span>/<span class="n">log</span>/<span class="n">openvpn</span>-<span class="n">dn42</span>-<span class="n">roaming</span>-<span class="n">status</span>.<span class="n">log</span> <span class="m">60</span>

<span class="c"># Should work for both IPv4 and IPv6
</span><span class="n">proto</span> <span class="n">udp6</span>
<span class="n">port</span> &lt;<span class="n">PORT</span>&gt;

<span class="c"># IPv6
###tun-ipv6
###push tun-ipv6
###ifconfig-ipv6 2001:db8:42:42::1 2001:db8:42:42::2
###ifconfig-ipv6-pool 2001:db8:42:42::3/64
</span>
<span class="n">topology</span> <span class="n">subnet</span>
<span class="n">push</span> <span class="s2">"topology subnet"</span>

<span class="n">keepalive</span> <span class="m">10</span> <span class="m">60</span>

<span class="c"># That's 172.22.X.144/28 (172.22.X.144 to 172.22.X.159)
</span><span class="n">ifconfig</span> <span class="m">172</span>.<span class="m">22</span>.<span class="n">X</span>.<span class="m">145</span> <span class="m">255</span>.<span class="m">255</span>.<span class="m">255</span>.<span class="m">240</span>
<span class="n">ifconfig</span>-<span class="n">pool</span> <span class="m">172</span>.<span class="m">22</span>.<span class="n">X</span>.<span class="m">146</span> <span class="m">172</span>.<span class="m">22</span>.<span class="n">X</span>.<span class="m">158</span> <span class="m">255</span>.<span class="m">255</span>.<span class="m">255</span>.<span class="m">240</span>

<span class="n">ifconfig</span>-<span class="n">pool</span>-<span class="n">persist</span> <span class="n">pool</span>-<span class="n">persist</span>.<span class="n">txt</span>

<span class="n">push</span> <span class="s2">"route-gateway 172.22.X.145"</span>
<span class="n">push</span> <span class="s2">"route 172.22.0.0 255.254.0.0"</span> 
<span class="c">###push "route 172.31.0.0 255.255.0.0" 
###push "route 10.0.0.0 255.0.0.0" 
</span></code></pre></div></div>

<h2 id="client-configuration">Client configuration</h2>

<p>Change <code class="language-plaintext highlighter-rouge">&lt;SERVER&gt;</code> and <code class="language-plaintext highlighter-rouge">&lt;PORT&gt;</code>.</p>

<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span>

<span class="n">ca</span>   <span class="n">ca</span>.<span class="n">crt</span>
<span class="n">cert</span> <span class="n">myclient</span>.<span class="n">crt</span>
<span class="n">key</span>  <span class="n">myclient</span>.<span class="n">key</span>

<span class="n">dev</span> <span class="n">tun</span>
<span class="n">proto</span> <span class="n">udp6</span>
<span class="n">cipher</span> <span class="n">aes</span>-<span class="m">256</span>-<span class="n">cbc</span>

<span class="n">remote</span> &lt;<span class="n">SERVER</span>&gt; &lt;<span class="n">PORT</span>&gt;

<span class="n">tun</span>-<span class="n">mtu</span> <span class="m">1500</span>
<span class="n">fragment</span> <span class="m">1300</span>
<span class="n">mssfix</span>

<span class="n">route</span>-<span class="n">delay</span> <span class="m">2</span>
<span class="n">nobind</span>
<span class="n">persist</span>-<span class="n">key</span>
<span class="n">persist</span>-<span class="n">tun</span>
<span class="n">resolv</span>-<span class="n">retry</span> <span class="n">infinite</span>

<span class="n">verb</span> <span class="m">3</span>
</code></pre></div></div>

<h2 id="certificate-management">Certificate management</h2>

<p>Use easy-rsa, it’s easy to use.  Below is a very short description, find a real tutorial if you don’t know how it works.</p>

<p>Build the CA: <code class="language-plaintext highlighter-rouge">. vars</code>, <code class="language-plaintext highlighter-rouge">./build-ca</code>, then generate the server key: <code class="language-plaintext highlighter-rouge">./build-key-server roaming-dn42</code>.</p>

<p>Then, for each client, generate a private key and a certificate: <code class="language-plaintext highlighter-rouge">./build-key myclient</code>.  The Common Name is the only important information (it will be used to identify the client, for instance in the logs).</p>

<h1 id="see-also">See also</h1>
<ul>
  <li><a href="/howto/networksettings">Network settings</a></li>
</ul>

<h1 id="external-links">External Links</h1>
<ul>
  <li>multicast:</li>
  <li><strong>OpenVPN</strong></li>
  <li><a href="https://community.openvpn.net/openvpn/ticket/79">Optimizations for multicast over TAP w/ OpenVPN</a></li>
  <li>
    <p><a href="http://forums.openvpn.net/topic8036.html">Sending multicast over a openvpn tunnel</a></p>
  </li>
  <li><strong>RFC</strong></li>
  <li><a href="https://tools.ietf.org/html/rfc3306">IPv6 - RFC3306</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Multicast_address#GLOP_addressing">IPv4 - multicast</a></li>
  <li><a href="http://labs.spritelink.net/glop">IPv4 - GLOB calculator</a></li>
  <li><a href="http://tools.ietf.org/html/rfc3180">RFC3108 GLOP Addressing in 233/8</a></li>
  <li><a href="https://tools.ietf.org/html/rfc3138">RFC3138 Extended Assignments in 233/8</a></li>
</ul>



            <div id="menu-container" class="menu-container">
                <hr>
                <div id="menu" class="menu">
                    
                    <ul>
  <li><a href="/Home">Home</a>
    <ul>
      <li><a href="/howto/Getting-Started">Getting Started</a></li>
      <li><a href="/howto/Registry-Authentication">Registry Authentication</a></li>
      <li><a href="/howto/Address-Space">Address Space</a></li>
      <li><a href="/howto/BGP-communities">BGP communities</a></li>
      <li><a href="/FAQ">FAQ</a></li>
    </ul>
  </li>
  <li>How-To
    <ul>
      <li><a href="/howto/wireguard">Wireguard</a></li>
      <li><a href="/howto/openvpn">Openvpn</a></li>
      <li><a href="/howto/IPsec-with-PublicKeys">IPsec With Public Keys</a></li>
      <li><a href="/howto/tinc">Tinc</a></li>
      <li><a href="/howto/GRE-on-FreeBSD">GRE on FreeBSD</a></li>
      <li><a href="/howto/GRE-on-OpenBSD">GRE on OpenBSD</a></li>
      <li><a href="/howto/IPv6-Multicast">IPv6 Multicast (PIM-SM)</a></li>
      <li><a href="/howto/multicast">SSM Multicast</a></li>
      <li><a href="/howto/mpls">MPLS</a></li>
      <li><a href="/howto/Bird2">Bird2</a></li>
      <li><a href="/howto/frr">FRRouting</a></li>
      <li><a href="/howto/OpenBGPD">OpenBGPD</a></li>
      <li><a href="/howto/mikrotik">Mikrotik RouterOS</a></li>
      <li><a href="/howto/EdgeOS-Config">EdgeRouter</a></li>
      <li><a href="/howto/Static-routes-on-Windows">Static routes on Windows</a></li>
      <li><a href="/howto/networksettings">Universal Network Requirements</a></li>
      <li><a href="/howto/vyos1.4.x">VyOS</a></li>
      <li><a href="/howto/nixos">NixOS</a></li>
    </ul>
  </li>
  <li>Services
    <ul>
      <li><a href="/services/IRC">IRC</a></li>
      <li><a href="/services/Whois">Whois registry</a></li>
      <li><a href="/services/DNS">DNS</a></li>
      <li><a href="/services/IX-Collection">IX Collection</a></li>
      <li><a href="/services/Clearnet-Domains">Public DNS</a></li>
      <li><a href="/services/Looking-Glasses">Looking Glasses</a></li>
      <li><a href="/services/Automatic-Peering">Automatic Peering</a></li>
      <li><a href="/services/Repository-Mirrors">Repository Mirrors</a></li>
      <li><a href="/services/Distributed-Wiki">Distributed Wiki</a></li>
      <li><a href="/services/Certificate-Authority">Certificate Authority</a></li>
      <li><a href="/services/Route-Collector">Route Collector</a></li>
    </ul>
  </li>
  <li>Internal
    <ul>
      <li><a href="/internal/Internal-Services">Internal services</a></li>
      <li><a href="/internal/Interconnections">Interconnections</a></li>
      <li><a href="/internal/APIs">APIs</a></li>
      <li><a href="/internal/ShowAndTell">Show and Tell</a></li>
      <li><a href="/internal/Historical-Services">Historical services</a></li>
    </ul>
  </li>
  <li>Historical
    <ul>
      <li><a href="/historical/Bird">Bird 1</a></li>
      <li><a href="/historical/Quagga">Quagga</a></li>
    </ul>
  </li>
  <li>External Tools
    <ul>
      <li><a href="https://paste.dn42.us">Paste Board</a></li>
      <li><a href="https://git.dn42.dev">Git Repositories</a></li>
    </ul>
  </li>
</ul>

<hr />


                </div>
            </div>
        </main>
        
        <footer><div class="center">
    <div id="dn42_footer">
        
        <table>
  <tbody>
    <tr>
      <td>Hosted by: <a href="mailto:dn42@burble.com">BURBLE-MNT</a>, <a href="mailto:nurtic-vibe@grmml.net">GRMML-MNT</a>, <a href="mailto:xuu@dn42.us">XUU-MNT</a>, <a href="mailto:janeric@ortgies.it">JAN-MNT</a>, <a href="mailto:lare@lare.cc">LARE-MNT</a>, <a href="mailto:danny@saru.moe">SARU-MNT</a>, <a href="mailto:androw95220@gmail.com">ANDROW-MNT</a>, <a href="mailto:dn42@mk16.de">MARK22K-MNT</a></td>
      <td>Accessible via: <a href="https://wiki.dn42">dn42</a>, <a href="https://dn42.dev/">dn42.dev</a>, <a href="https://dn42.eu/">dn42.eu</a>, <a href="https://wiki.dn42.us/">wiki.dn42.us</a>, <a href="https://dn42.de/">dn42.de</a> (IPv6-only), <a href="https://dn42.cc/">dn42.cc</a> (wiki-ng), <a href="https://dn42.wiki/">dn42.wiki</a>, <a href="https://dn42.pp.ua/">dn42.pp.ua</a>, <a href="https://dn42.obl.ong/">dn42.obl.ong</a></td>
    </tr>
  </tbody>
</table>

    </div>
</div>
</footer>

        

    </body>

</html>