From 7591a42f68c4a5d05d7cdadae45c3c9b8aa2c786 Mon Sep 17 00:00:00 2001 From: Christopher Howard Date: Wed, 28 Feb 2018 08:09:21 -0900 Subject: [PATCH] Expansion of L2 VPN doc and renaming of doc file --- docs/OpenVPN_Layer_2_Server.md | 103 --------------------------------- 1 file changed, 103 deletions(-) delete mode 100644 docs/OpenVPN_Layer_2_Server.md diff --git a/docs/OpenVPN_Layer_2_Server.md b/docs/OpenVPN_Layer_2_Server.md deleted file mode 100644 index 35af86fac0..0000000000 --- a/docs/OpenVPN_Layer_2_Server.md +++ /dev/null @@ -1,103 +0,0 @@ -# OpenVPN Layer 2 Server - -## Introduction - -Librecmc can operate as an OpenVPN server. OpenVPN technology connects -two networks via an encrypted tunnel. With proper server, network, and -client configuration, OpenVPN allows a client outside of your LAN to -see the LAN as though it were physically connected to the LAN. - -OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the -remote client sees your LAN as though it is on the other side of an IP -router. In layer 2 mode, the remote client sees your LAN as though -they are both on the same Data Link segment (e.g., the same Ethernet -link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes -desired to give clients a more direct exposure to services on the LAN. - -## Warnings - -This information is provided for educational purposes only and is not -meant to be a guide to best network security practices. Readers are -advised to study all relevant OpenVPN and network security -documentation. - -## Required LibreCMC packages - -* openvpn-openssl -* openvpn-easy-rsa -* luci-app-openvpn - -## Interface Setup - -In LuCi, select `Network` >> `Interfaces` and then `Add New Interface`. - -- Set `Name of the new interface` to `myvpn` or anything else you would like. -- Set `Protocol of the new interface` to unmanaged. -- Set `Cover the following interface` to `Custom Interface: vpn0`. -- In my current working system, the `firewall-zone` for the interface - is set to `lan`, but I don't think that really matters in this case. - -In my working configuration, I added tap0 into the LAN bridge -interface, and deleted the WAN interface. However, my vpn server is a -separate unit on my network, intended to operate in "bridge mode", -where if you server is your gateway router, a different configuration -might be necessary. - -## Certificate and Key Setup Instructions - -``` -cd /etc/easy-rsa -source vars -clean-all -build-ca -build-dh -build-key-server myvpn -openvpn --genkey --secret /etc/easy-rsa/keys/ta.key -mkdir -m 700 /etc/openvpn/keys -mv ca.crt myvpn.crt myvpn.key dh2018.pem /etc/openvpn/keys -``` - -N.B.: Using easy-rsa is a straightforward approach, but it may be -possible to produce more secure certificates using openssl directly. - -## Server configuration - -For the `server bridge` option: The first two parameters are the ip -and netmask of the gateway on the bridged subnet. The next two -parameters indicate the pool-start-IP and pool-end-IP, which is the -part of your IP address pool that you have reserved just for VPN -clients. You must to make sure that the DHCP server for your LAN is -not leasing out those IP addresses to local (non-vpn) clients. - -/etc/config/openvpn -``` -config openvpn 'myvpn' - option enabled '1' - option dev 'tap0' - option port '1194' - option proto 'udp' - option keepalive '10 120' - option persist_key '1' - option persist_tun '1' - option user 'nobody' - option group 'nogroup' - option ca '/etc/openvpn/keys/ca.crt' - option cert '/etc/openvpn/keys/myvpn.crt' - option key '/etc/openvpn/keys/myvpn.key' - option dh '/etc/openvpn/keys/dh2048.pem' - option tls_server '1' - option tls_auth '/etc/openvpn/keys/ta.key 0' - option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220' - option client_to_client '1' - list push 'persist-key' - list push 'persist-tun' - list push 'redirect-gateway def1' - list push 'route 10.0.0.0 255.255.255.0' - list push 'dhcp-option DNS 10.0.0.1' - option mute '15' - option verb '3' -``` - -## Client setup information - -TODO -- 2.25.1