From a7e986926f317002aa29b0e8e564a44a847cd301 Mon Sep 17 00:00:00 2001 From: Christopher Howard Date: Tue, 2 Jan 2018 10:57:00 -0900 Subject: [PATCH] OpenVPN docs: tweaks and additional material - Adds introductory material and warnings - Removes references to LEDE project --- docs/OpenVPN_Layer_2_Server.md | 48 ++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/docs/OpenVPN_Layer_2_Server.md b/docs/OpenVPN_Layer_2_Server.md index faaabc956f..149559ff99 100644 --- a/docs/OpenVPN_Layer_2_Server.md +++ b/docs/OpenVPN_Layer_2_Server.md @@ -1,6 +1,27 @@ # OpenVPN Layer 2 Server -## Required packages +## Introduction + +Librecmc can operate as an OpenVPN server. OpenVPN technology connects +two networks via an encrypted tunnel. With proper server, network, and +client configuration, OpenVPN allows a client outside of your LAN to +see the LAN as though it were physically connected to the LAN. + +OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the +remote client sees your LAN as though it is on the other side of an IP +router. In layer 2 mode, the remote client sees your LAN as though +they are both on the same Data Link segment (e.g., the same Ethernet +link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes +desired to give clients a more direct exposure to services on the LAN. + +## Warnings + +This information is provided for educational purposes only and is not +meant to be a guide to best network security practices. Readers are +advised to study all relevant OpenVPN and network security +documentation. + +## Required LibreCMC packages * openvpn-openssl * openvpn-easy-rsa @@ -12,10 +33,6 @@ TODO ## Certificate and Key Setup Instructions -N.B.: The LEDE community rejected easy-rsa on the grounds that it does -not crease secure enough certs.[1] But it does seem to be, well, easy to -use: - ``` cd /etc/easy-rsa source vars 
@@ -26,14 +43,17 @@ build-key-server myvpn openvpn --genkey --secret /etc/easy-rsa/keys/ta.key ``` +N.B.: Using easy-rsa is a straightforward approach, but it may be +possible to produce more secure certificates using openssl directly. + ## Server configuration -For server bridge option: First two parameters are the ip/netmask of -the gateway on the bridged subnet. Next two paraters indicate the -pool-start-IP and pool-end-IP, which is the part of your IP address -pool that you have reserved just for VPN clients. You have to make -sure the DHCP server on the company network is not handing those out -to on-site systems. +For the `server bridge` option: The first two parameters are the ip +and netmask of the gateway on the bridged subnet. The next two +parameters indicate the pool-start-IP and pool-end-IP, which is the +part of your IP address pool that you have reserved just for VPN +clients. You must to make sure that the DHCP server for your LAN is +not leasing out those IP addresses to local (non-vpn) clients. /etc/config/openvpn ``` @@ -73,9 +93,3 @@ config openvpn 'myvpn' ## Client setup information TODO - -## Footnotes - -[1] "OpenVPN Server", -https://lede-project.org/docs/user-guide/openvpn.server?s[]=openvpn&s[]=server, -retrieved 1 Jan 2017. -- 2.25.1
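Review bot: the Warnings section added in the first hunk (@@ -1,6 +1,27 @@) should state the concrete security consequence of the layer 2 mode the Introduction recommends, not only a generic "educational purposes" disclaimer: a client bridged in layer 2 mode sits on the same Data Link segment as every local host, so it receives LAN broadcast traffic and can reach every local host directly, and a compromised client machine or a leaked client key has exactly that reach. One sentence such as "In layer 2 mode a VPN client is effectively a local host on your LAN; protect client keys accordingly" would make the warning actionable. Minor: "Librecmc" in the Introduction should match the "LibreCMC" spelling used in the new "Required LibreCMC packages" heading.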
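Review bot: the N.B. deleted in the second hunk (@@ -12,10 +12,6 @@) was the only place that said what was considered insecure about easy-rsa (the strength of the certificates it produces), and the replacement N.B. in the following hunk only says it "may be possible" to do better with openssl directly, which gives the reader nothing to act on. Since the instructions keep `source vars` and `build-key-server myvpn`, the useful fix is to name the `vars` settings that control certificate strength in the easy-rsa 2.x `vars` file (`KEY_SIZE` and `KEY_EXPIRE`) and tell the reader to check them before building the server key, or to give the openssl equivalent explicitly instead of hinting at it.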
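Review bot: in the rewritten server bridge paragraph of the third hunk (@@ -26,14 +43,17 @@), "You must to make sure" should read "You must make sure". The option is also written `server bridge` in backticks, but the OpenVPN option is spelled `server-bridge` (and in the UCI file /etc/config/openvpn that the paragraph introduces it appears as `option server_bridge`), so a reader searching the config for the literal text will not find it. While touching this paragraph, it is worth adding that the pool-start-IP/pool-end-IP range must lie inside the subnet given by the first two parameters as well as being excluded from the LAN DHCP scope; excluding it from DHCP alone is not sufficient for clients to reach the LAN.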