# OpenVPN Layer 2 Server\r
\r
-## Required packages\r
+## Introduction\r
+\r
+Librecmc can operate as an OpenVPN server. OpenVPN technology connects\r
+two networks via an encrypted tunnel. With proper server, network, and\r
+client configuration, OpenVPN allows a client outside of your LAN to\r
+see the LAN as though it were physically connected to the LAN.\r
+\r
+OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the\r
+remote client sees your LAN as though it is on the other side of an IP\r
+router. In layer 2 mode, the remote client sees your LAN as though\r
+they are both on the same Data Link segment (e.g., the same Ethernet\r
+link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes\r
+desired to give clients a more direct exposure to services on the LAN.\r
+\r
+## Warnings\r
+\r
+This information is provided for educational purposes only and is not\r
+meant to be a guide to best network security practices. Readers are\r
+advised to study all relevant OpenVPN and network security\r
+documentation.\r
+\r
+## Required LibreCMC packages\r
\r
* openvpn-openssl\r
* openvpn-easy-rsa\r
\r
## Certificate and Key Setup Instructions\r
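Review bot: the new "Warnings" section (lines starting "+## Warnings") disclaims best practice without naming the actual risk that distinguishes this page from the layer 3 one, which the Introduction itself sets up: in layer 2 (tap) mode the remote client is on the same data link segment as the LAN, so it receives the LAN's broadcast and multicast traffic and can talk to every host at the Ethernet level, including ARP spoofing of local machines if the client endpoint is compromised. Say that plainly in "Warnings" and recommend firewalling the bridged tap interface rather than leaving it in the LAN zone by default. Minor: the Introduction writes "Librecmc" while the package heading writes "LibreCMC"; pick one spelling.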
\r
-N.B.: The LEDE community rejected easy-rsa on the grounds that it does\r
-not crease secure enough certs.[1] But it does seem to be, well, easy to\r
-use:\r
-\r
```\r
cd /etc/easy-rsa\r
source vars\r
openvpn --genkey --secret /etc/easy-rsa/keys/ta.key\r
```\r
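Review bot: the commands shown after this hunk only generate the tls-auth key (`openvpn --genkey --secret /etc/easy-rsa/keys/ta.key`); no CA, server or client certificate is ever created, so the "Certificate and Key Setup Instructions" heading is not yet met. Since `source vars` implies easy-rsa 2, add the missing steps in the same block, for example `./clean-all`, `./build-ca`, `./build-key-server server`, `./build-key client1` and `./build-dh`, or say explicitly that the reader must produce the certificates separately. Note also that `--genkey --secret` is the legacy spelling; recent OpenVPN releases document `--genkey secret <file>`, so mention which OpenVPN version the page targets.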
\r
+N.B.: Using easy-rsa is a straightforward approach, but it may be\r
+possible to produce more secure certificates using openssl directly.\r
+\r
## Server configuration\r
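Review bot: the added N.B. ("it may be possible to produce more secure certificates using openssl directly") replaces a sourced concern with a vague one and gives the reader nothing to act on. State which easy-rsa defaults are the worry (key size and signature hash set in `vars`, e.g. `export KEY_SIZE=2048` or larger) and how to verify the result, for instance `openssl x509 -in keys/server.crt -noout -text` to confirm the key length and signature algorithm, rather than implying openssl by hand is inherently safer.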
\r
-For server bridge option: First two parameters are the ip/netmask of\r
-the gateway on the bridged subnet. Next two paraters indicate the\r
-pool-start-IP and pool-end-IP, which is the part of your IP address\r
-pool that you have reserved just for VPN clients. You have to make\r
-sure the DHCP server on the company network is not handing those out\r
-to on-site systems.\r
+For the `server bridge` option: The first two parameters are the ip\r
+and netmask of the gateway on the bridged subnet. The next two\r
+parameters indicate the pool-start-IP and pool-end-IP, which is the\r
+part of your IP address pool that you have reserved just for VPN\r
+clients. You must to make sure that the DHCP server for your LAN is\r
+not leasing out those IP addresses to local (non-vpn) clients.\r
\r
/etc/config/openvpn\r
```\r
## Client setup information\r
\r
TODO\r
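Review bot: the directive is `server-bridge` (hyphenated), not "server bridge" as the rewritten paragraph puts in backticks; a reader copying the literal name will get a config that does not parse. Also "You must to make sure" drops the "to". More importantly, the section announces `/etc/config/openvpn` and opens a code fence that is never closed and contains nothing, so the page currently has no server configuration at all. Suggest at least the bridge line in UCI form, e.g. `option dev 'tap0'` and `option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250'`, plus a sentence that the tap interface must be added to the LAN bridge in `/etc/config/network` and that the dnsmasq pool in `/etc/config/dhcp` (`option start` / `option limit`) must be adjusted so it does not overlap the VPN pool, since the paragraph already tells the reader to reserve those addresses but not where.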
-\r
-## Footnotes\r
-\r
-[1] "OpenVPN Server",\r
-https://lede-project.org/docs/user-guide/openvpn.server?s[]=openvpn&s[]=server,\r
-retrieved 1 Jan 2017.\r
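Review bot: deleting the Footnotes section removes the page's only citation while the new N.B. in the certificate section still carries a (weakened) version of the same easy-rsa concern. If the claim stays in any form, keep the reference alongside it; if the reference is judged unreliable, say so where the claim is made rather than silently dropping the source. The "Client setup information" section is still "TODO" after this change, so the page remains unusable end to end for a layer 2 setup until a client config (at minimum `client`, `dev tap`, `remote`, and the matching `tls-auth ta.key 1`) is added.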