Versions Compared

Old Version 2

changes.mady.by.user Unknown User (emils)

Saved on

compared with

New Version 3

changes.mady.by.user Artūrs C.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added TOC

Table of Contents
Overview

The OpenVPN security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension extensions using the SSL/TLS protocol. 

...

OpenVPN has been ported to various platforms, including Linux and Windows, and its configuration is likewise on each of these systems, so it makes it easier to support and maintain. OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port. OpenVPN is one of the few VPN protocols that can make use of a proxy, which might be handy sometimes.

Limitations

Currently, unsupported OpenVPN features:

  • LZO compression
  • TLS authentication
  • authentication without username/password

OVPN Client

PropertyDescription
add-default-route (yes | no; Default: no)Whether to add OVPN remote address as a default route.
auth (md5 | sha1; Default: sha1)Allowed authentication methods.
certificate (string | none; Default: none)Name of the client certificate
cipher (aes128 | aes192 | aes256 | blowfish128; Default: blowfish128)Allowed ciphers.
comment (string; Default: )Descriptive name of an item
connect-to (IP; Default: )Remote address of the OVPN server.
disabled (yes | no; Default: yes)Whether interface is disabled or not. By default it is disabled.
mac-address (MAC; Default: )Mac address of OVPN interface. Will be auto generated if not specified.
max-mtu (integer; Default: 1500)Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
mode (ip | ethernet; Default: ip)Layer3 or layer2 tunnel mode (alternatively tun, tap)
name (string; Default: )Descriptive name of the interface.
password (string; Default: "")Password used for authentication.
port (integer; Default: 1194)Port to connect to.
profile (name; Default: default)
user (string; Default: )User name used for authentication.

OVPN Server

An interface is created for each tunnel established to the given server. There are two types of interfaces in OVPN server's configuration

...

Note

In both cases PPP users must be configured properly - static entries do not replace PPP configuration.

Properties

PropertyDescription
auth (sha1 | md5; Default: sha1,md5)Authentication methods that server will accept.
certificate (name | none; Default: none)Name of the certificate that OVPN server will use.
cipher (aes128 | aes192 | aes256 | blowfish128; Default: aes128,blowfish128)Allowed ciphers.
default-profile (name; Default: default)Default profile to use.
enabled (yes | no; Default: no)Defines whether OVPN server is enabled or not.
keepalive-timeout (integer | disabled; Default: 60)Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If no traffic and no keepalive responses has came for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected
mac-address (MAC; Default: )Auto Generated MAC address of the server.
max-mtu (integer; Default: 1500)Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
mode (ip | ethernet; Default: ip)Layer3 or layer2 tunnel mode (alternatively tun, tap)
netmask (integer; Default: 24)Subnet mask to be applied to client.
port (integer; Default: 1194)Port to run server on.
require-client-certificate (yes | no; Default: no)If set to yes, then server checks whether client's certificate belongs to the same certificate chain.


Warning

It is very important that the date on the router is within the range of the installed certificate's date of expiration. To overcome any certificate verification problems, enable NTP date synchronization on both server and client.

...