2015-05-20 23:49 GMT+02:00 David Sommerseth <openvpn.l...@topphemmelig.net>:
> On 20 May 2015 14:34:22 CEST, Josu Lazkano <josu.lazk...@gmail.com> wrote:
>>Thanks Mathias!
>>
>>Your configuration works perfectly. I can ping to any host in any
>>network.
>>
>>That is great.
>>
>>Thank you very much for your help. Now I have a good VPN system.
>>
>>Best regards.
>>
>>2015-05-20 0:05 GMT+02:00 Mathias Jeschke <openvpn-us...@0xaffe.de>:
>>> Hi all,
>>>
>>> On 2015-05-19 on 23:36 Jan Just Keijser wrote:
>>>
>>>> yeah, it would simply be a matter of
>>>>
>>>> host1#   openvpn --dev tun --secret static.key --ifconfig 10.200.0.1 10.200.0.2
>>>>
>>>> host2#   openvpn --dev tun --secret static.key --ifconfig 10.200.0.2 10.200.0.1 --remote host1
>>>>
>>>> After the connection has come up, add static routes:
>>>>
>>>> host1#  route add -net 192.168.2.0/24 gw 10.200.0.2
>>>>
>>>> host2#  route add -net 192.168.1.0/24 gw 10.200.0.1
>>>>
>>>>
>>>> the trick is: how do you get this into an OpenWRT config file? I
>>>> have no clue
>>>
>>> It is actually quite equivalent:
>>>
>>> Just paste the config below for
>>> - Alice (is connected to lan 192.168.1.0/24) and
>>> - Bob  (is connected to lan 192.168.1.0/24)
>>> to /etc/config/openvpn and run "/etc/init.d/openvpn restart":
>>>
>>> # --- Config for "Alice" ----
>>> config 'openvpn' 'alice_bob'
>>>         option 'enable' '1'
>>>         option 'dev' 'tun'
>>>         option 'secret' '/etc/openvpn/static.key'
>>>         option 'ifconfig' '10.200.0.1 10.200.0.2'
>>>         option 'route' '192.168.2.0 255.255.255.0'
>>>
>>>
>>> # --- Config for "Bob" ----
>>> config 'openvpn' 'bob_alice'
>>>         option 'enable' '1'
>>>         option 'dev' 'tun'
>>>         option 'secret' '/etc/openvpn/static.key'
>>>         option 'ifconfig' '10.200.0.2 10.200.0.1'
>>>         option 'route' '192.168.1.0 255.255.255.0'
>>>         option 'remote' 'host1'
>>>
>>>
>>> Probably you also want to add some additional options on both ends:
>>>
>>> ....
>>>         option 'keepalive' '10 180'
>>>         option 'comp_lzo' 'yes'
>>>
>>>
>>> HTH,
>>> Mathias.
>
>
> I'll admit I haven't paid attention to all details in this discussion. Static 
> encrypted VPN tunnels can work very well, but I just want to emphasize one 
> security aspect of static encrypted VPN tunnels.  This configuration will not 
> give you PFS (Perfect Forward Secrecy).  That means that if someone saves all 
> your VPN traffic and either manages to brute-force the encryption key or 
> manages to get a copy of your static encryption key, all the saved traffic can 
> be decrypted.
>
> That is one of the key reasons it is advisable to use the TLS mode with 
> client/server certificates.  Using this method, the encryption keys used for 
> the VPN tunnel are negotiated upon connection *and* can be renegotiated after 
> a certain time (default is every hour, but you can modify that and add 
> renegotiation after X number of network packets and/or Y transferred bytes).  
> This provides very good protection when it comes to replay attacks and it 
> provides PFS.  TLS mode also adds the possibility to further protect you against 
> MITM attacks from unknown attackers, using --tls-auth.  The --tls-auth feature 
> has also proved to be a very good protection against many OpenSSL bugs as 
> well.  If you combine UDP with --tls-auth, the OpenVPN server port will also 
> be hidden from port scanners.
>
> If these things are not of any concern to you, then static tunnels can indeed 
> be a good alternative.
>
>
> kind regards,
>
> David Sommerseth

Thanks David,

I started with a static key just to start with a simple configuration.
Now I want to secure my connection; would it work to just add the
"--tls-auth" option?

This is my configuration:

server:

config 'openvpn' 'server'
        option 'enable' '1'
        option 'dev' 'tun'
        option 'secret' '/etc/openvpn/static.key'
        option 'ifconfig' '10.200.0.1 10.200.0.2'
        option 'route' '192.168.2.0 255.255.255.0'
        option 'log' '/tmp/openvpn.log'
        option 'keepalive' '10 180'
        option 'comp_lzo' 'yes'

client:

config 'openvpn' 'client'
        option 'enable' '1'
        option 'dev' 'tun'
        option 'secret' '/etc/openvpn/static.key'
        option 'ifconfig' '10.200.0.2 10.200.0.1'
        option 'route' '192.168.1.0 255.255.255.0'
        option 'remote' 'SERVER_IP'
        option 'log' '/tmp/openvpn.log'
        option 'keepalive' '10 180'
        option 'comp_lzo' 'yes'

Both networks have a 30 Mbps/3 Mbps WAN connection. I want to secure my
VPN link and have good latency; is this possible? Which is the best
configuration for this?

I am new to OpenVPN, so I will appreciate your replies.

Thanks for your help.

Regards.

-- 
Josu Lazkano
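As an added example (not posted by anyone in this thread), the /etc/config/openvpn pair from Josu's message rewritten for the TLS mode that David recommends: both ends keep the same point-to-point addressing and routes, but the static key is replaced by per-host certificates plus a --tls-auth HMAC key. The ca/cert/key/dh/ta.key paths are assumed placeholders; those files have to be generated beforehand (for example the certificates with easy-rsa, and the HMAC key with `openvpn --genkey --secret ta.key`, then copied to both routers).

```uci
# --- Server (TLS mode, replaces the static-key 'server' stanza) ---
config 'openvpn' 'server'
        option 'enable' '1'
        option 'dev' 'tun'
        option 'proto' 'udp'
        option 'port' '1194'
        # TLS point-to-point: this side acts as the TLS server
        option 'tls_server' '1'
        option 'ca' '/etc/openvpn/ca.crt'          # assumed path
        option 'cert' '/etc/openvpn/server.crt'    # assumed path
        option 'key' '/etc/openvpn/server.key'     # assumed path
        option 'dh' '/etc/openvpn/dh.pem'          # assumed path, server side only
        # HMAC on the control channel; key direction 0 here, 1 on the client
        option 'tls_auth' '/etc/openvpn/ta.key 0'  # assumed path
        # renegotiate the data-channel keys every hour (OpenVPN's default, made explicit)
        option 'reneg_sec' '3600'
        option 'ifconfig' '10.200.0.1 10.200.0.2'
        option 'route' '192.168.2.0 255.255.255.0'
        option 'keepalive' '10 180'
        option 'log' '/tmp/openvpn.log'

# --- Client (TLS mode, replaces the static-key 'client' stanza) ---
config 'openvpn' 'client'
        option 'enable' '1'
        option 'dev' 'tun'
        option 'proto' 'udp'
        option 'remote' 'SERVER_IP 1194'
        # this side acts as the TLS client of the stanza above
        option 'tls_client' '1'
        option 'ca' '/etc/openvpn/ca.crt'          # assumed path, same CA as the server
        option 'cert' '/etc/openvpn/client.crt'    # assumed path
        option 'key' '/etc/openvpn/client.key'     # assumed path
        option 'tls_auth' '/etc/openvpn/ta.key 1'  # assumed path, same key, direction 1
        option 'reneg_sec' '3600'
        option 'ifconfig' '10.200.0.2 10.200.0.1'
        option 'route' '192.168.1.0 255.255.255.0'
        option 'keepalive' '10 180'
        option 'log' '/tmp/openvpn.log'
```

With this in place the 'secret' option is no longer used on either side; after "/etc/init.d/openvpn restart" the log should show a TLS handshake and, every reneg_sec seconds, a "TLS: soft reset" key renegotiation.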

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
