-# OpenVPN Layer 2 Server\r
-\r
-## Installing OpenVPN packages\r
-\r
-TODO\r
-\r
-## Interface Setup\r
-\r
-TODO\r
-\r
-## Certificate and Key Setup Instructions\r
-\r
-TODO\r
-\r
-## Server configuration\r
-\r
-For server bridge option: First two parameters are the ip/netmask of\r
-the gateway on the bridged subnet. Next two paraters indicate the\r
-pool-start-IP and pool-end-IP, which is the part of your IP address\r
-pool that you have reserved just for VPN clients. You have to make\r
-sure the DHCP server on the company network is not handing those out\r
-to on-site systems.\r
-\r
-/etc/config/openvpn\r
-```\r
-config openvpn 'myvpn'\r
- option enabled '1'\r
- option dev 'tap0'\r
- option port '1194'\r
- option proto 'udp'\r
- option status '/var/log/openvpn_status.log'\r
- option log '/tmp/openvpn.log'\r
- option verb '3'\r
- option mute '5'\r
- option keepalive '10 120'\r
- option persist_key '1'\r
- option persist_tun '1'\r
- option user 'nobody'\r
- option group 'nogroup'\r
- option ca '/etc/easy-rsa/keys/ca.crt'\r
- option cert '/etc/easy-rsa/keys/myvpn.crt'\r
- option key '/etc/easy-rsa/keys/myvpn.key'\r
- option dh '/etc/easy-rsa/keys/dh2048.pem'\r
- option tls_server '1'\r
- option tls_auth '/etc/easy-rsa/keys/ta.key 0'\r
- option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'\r
- option topology 'subnet'\r
- option client_to_client '1'\r
- list push 'persist-key'\r
- list push 'persist-tun'\r
- list push 'redirect-gateway def1'\r
- # allow your clients to access to your network\r
- list push 'route 10.0.0.0 255.255.255.0'\r
- # push DNS to your clients\r
- list push 'dhcp-option DNS 10.0.0.1'\r
- # option comp_lzo 'no'\r
-```\r
-\r
-## Client setup information\r
-\r
-TODO\r
+# OpenVPN Layer 2 Server
+
+## Introduction
+
+Librecmc can operate as an OpenVPN server. OpenVPN technology connects
+two networks via an encrypted tunnel. With proper server, network, and
+client configuration, OpenVPN allows a client outside of your LAN to
+see the LAN as though it were physically connected to the LAN.
+
+OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the
+remote client sees your LAN as though it is on the other side of an IP
+router. In layer 2 mode, the remote client sees your LAN as though
+they are both on the same Data Link segment (e.g., the same Ethernet
+link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes
+desired to give clients a more direct exposure to services on the LAN.
+
+## Warnings
+
+This information is provided for educational purposes only and is not
+meant to be a guide to best network security practices. Readers are
+advised to study all relevant OpenVPN and network security
+documentation.
+
+## Required LibreCMC packages
+
+* openvpn-openssl
+* openvpn-easy-rsa
+* luci-app-openvpn
+
+## Interface Setup
+
+In LuCi, select `Network` >> `Interfaces` and then `Add New Interface`.
+
+- Set `Name of the new interface` to `myvpn` or anything else you would like.
+- Set `Protocol of the new interface` to unmanaged.
+- Set `Cover the following interface` to `Custom Interface: vpn0`.
+- In my current working system, the `firewall-zone` for the interface
+ is set to `lan`, but I don't think that really matters in this case.
+
+In my working configuration, I added tap0 into the LAN bridge
+interface, and deleted the WAN interface. However, my vpn server is a
+separate unit on my network, intended to operate in "bridge mode",
+where if you server is your gateway router, a different configuration
+might be necessary.
+
+## Certificate and Key Setup Instructions
+
+```
+cd /etc/easy-rsa
+source vars
+clean-all
+build-ca
+build-dh
+build-key-server myvpn
+openvpn --genkey --secret /etc/easy-rsa/keys/ta.key
+mkdir -m 700 /etc/openvpn/keys
+mv ca.crt myvpn.crt myvpn.key dh2018.pem /etc/openvpn/keys
+```
+
+N.B.: Using easy-rsa is a straightforward approach, but it may be
+possible to produce more secure certificates using openssl directly.
+
+## Server configuration
+
+For the `server bridge` option: The first two parameters are the ip
+and netmask of the gateway on the bridged subnet. The next two
+parameters indicate the pool-start-IP and pool-end-IP, which is the
+part of your IP address pool that you have reserved just for VPN
+clients. You must to make sure that the DHCP server for your LAN is
+not leasing out those IP addresses to local (non-vpn) clients.
+
+/etc/config/openvpn
+```
+config openvpn 'myvpn'
+ option enabled '1'
+ option dev 'tap0'
+ option port '1194'
+ option proto 'udp'
+ option keepalive '10 120'
+ option persist_key '1'
+ option persist_tun '1'
+ option user 'nobody'
+ option group 'nogroup'
+ option ca '/etc/openvpn/keys/ca.crt'
+ option cert '/etc/openvpn/keys/myvpn.crt'
+ option key '/etc/openvpn/keys/myvpn.key'
+ option dh '/etc/openvpn/keys/dh2048.pem'
+ option tls_server '1'
+ option tls_auth '/etc/openvpn/keys/ta.key 0'
+ option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'
+ option client_to_client '1'
+ list push 'persist-key'
+ list push 'persist-tun'
+ list push 'redirect-gateway def1'
+ list push 'route 10.0.0.0 255.255.255.0'
+ list push 'dhcp-option DNS 10.0.0.1'
+ option mute '15'
+ option verb '3'
+```
+
+## Client setup information
+
+TODO
projects / librecmc / librecmc.git / blobdiff