LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23436 Commits
1 Branch
46 MiB
Tree: 69cdbb9980
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '69cdbb9980'
${ noResults }
openwrt-packages-dist/net/openvpn/files/openvpn.config

500 lines
16 KiB
Raw Normal View History

openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: Support username and password options Some VPN providers require username and password for client to connect. This commit adds an option to specify username, password and cert_password directly in uci config which then gets expanded during start of openpvn client. Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: disable LZO support by default OpenVPN recommends disabling compression, as it may weaken the security of the connection. For users who need compression, we build with LZ4 support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB. OpenWrt users will no longer be able to connect to OpenVPN peers that require LZO compression, unless they build the OpenVPN package themselves. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years ago
openvpn: import from base Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago
 
  1. package openvpn
  2. 

  3. #################################################
  4. # Sample to include a custom config file.       #
  5. #################################################
  6. 

  7. config openvpn custom_config
  8. 

  9. 	# Set to 1 to enable this instance:
  10. 	option enabled 0
  11. 

  12. 	# Credentials to login
  13. 	#option username 'login'
  14. 	#option password 'password'
  15. 

  16. 	# Password for client certificate
  17. 	#option cert_password 'cert_password'
  18. 

  19. 	# Include OpenVPN configuration
  20. 	option config /etc/openvpn/my-vpn.conf
  21. 

  22. 

  23. #################################################
  24. # Sample OpenVPN 2.0 uci config for             #
  25. # multi-client server.                          #
  26. #################################################
  27. 

  28. config openvpn sample_server
  29. 

  30. 	# Set to 1 to enable this instance:
  31. 	option enabled 0
  32. 

  33. 	# Which local IP address should OpenVPN
  34. 	# listen on? (optional)
  35. #	option local 0.0.0.0
  36. 

  37. 	# Which TCP/UDP port should OpenVPN listen on?
  38. 	# If you want to run multiple OpenVPN instances
  39. 	# on the same machine, use a different port
  40. 	# number for each one.  You will need to
  41. 	# open up this port on your firewall.
  42. 	option port 1194
  43. 

  44. 	# TCP or UDP server?
  45. #	option proto tcp
  46. 	option proto udp
  47. 

  48. 	# "dev tun" will create a routed IP tunnel,
  49. 	# "dev tap" will create an ethernet tunnel.
  50. 	# Use "dev tap0" if you are ethernet bridging
  51. 	# and have precreated a tap0 virtual interface
  52. 	# and bridged it with your ethernet interface.
  53. 	# If you want to control access policies
  54. 	# over the VPN, you must create firewall
  55. 	# rules for the the TUN/TAP interface.
  56. 	# On non-Windows systems, you can give
  57. 	# an explicit unit number, such as tun0.
  58. 	# On Windows, use "dev-node" for this.
  59. 	# On most systems, the VPN will not function
  60. 	# unless you partially or fully disable
  61. 	# the firewall for the TUN/TAP interface.
  62. #	option dev tap
  63. 	option dev tun
  64. 

  65. 	# SSL/TLS root certificate (ca), certificate
  66. 	# (cert), and private key (key).  Each client
  67. 	# and the server must have their own cert and
  68. 	# key file.  The server and all clients will
  69. 	# use the same ca file.
  70. 	#
  71. 	# See the "easy-rsa" directory for a series
  72. 	# of scripts for generating RSA certificates
  73. 	# and private keys.  Remember to use
  74. 	# a unique Common Name for the server
  75. 	# and each of the client certificates.
  76. 	#
  77. 	# Any X509 key management system can be used.
  78. 	# OpenVPN can also use a PKCS #12 formatted key file
  79. 	# (see "pkcs12" directive in man page).
  80. 	option ca /etc/openvpn/ca.crt
  81. 	option cert /etc/openvpn/server.crt
  82. 	# This file should be kept secret:
  83. 	option key /etc/openvpn/server.key
  84. 

  85. 	# Diffie hellman parameters.
  86. 	# Generate your own with:
  87. 	#   openssl dhparam -out dh2048.pem 2048
  88. 	# Substitute 2048 for 1024 if you are using
  89. 	# 1024 bit keys.
  90. 	option dh /etc/openvpn/dh2048.pem
  91. 

  92. 	# Configure server mode and supply a VPN subnet
  93. 	# for OpenVPN to draw client addresses from.
  94. 	# The server will take 10.8.0.1 for itself,
  95. 	# the rest will be made available to clients.
  96. 	# Each client will be able to reach the server
  97. 	# on 10.8.0.1. Comment this line out if you are
  98. 	# ethernet bridging. See the man page for more info.
  99. 	option server "10.8.0.0 255.255.255.0"
  100. 

  101. 	# Maintain a record of client <-> virtual IP address
  102. 	# associations in this file.  If OpenVPN goes down or
  103. 	# is restarted, reconnecting clients can be assigned
  104. 	# the same virtual IP address from the pool that was
  105. 	# previously assigned.
  106. 	option ifconfig_pool_persist /tmp/ipp.txt
  107. 

  108. 	# Configure server mode for ethernet bridging.
  109. 	# You must first use your OS's bridging capability
  110. 	# to bridge the TAP interface with the ethernet
  111. 	# NIC interface.  Then you must manually set the
  112. 	# IP/netmask on the bridge interface, here we
  113. 	# assume 10.8.0.4/255.255.255.0.  Finally we
  114. 	# must set aside an IP range in this subnet
  115. 	# (start=10.8.0.50 end=10.8.0.100) to allocate
  116. 	# to connecting clients.  Leave this line commented
  117. 	# out unless you are ethernet bridging.
  118. #	option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"
  119. 

  120. 	# Push routes to the client to allow it
  121. 	# to reach other private subnets behind
  122. 	# the server.  Remember that these
  123. 	# private subnets will also need
  124. 	# to know to route the OpenVPN client
  125. 	# address pool (10.8.0.0/255.255.255.0)
  126. 	# back to the OpenVPN server.
  127. #	list push "route 192.168.10.0 255.255.255.0"
  128. #	list push "route 192.168.20.0 255.255.255.0"
  129. 

  130. 	# To assign specific IP addresses to specific
  131. 	# clients or if a connecting client has a private
  132. 	# subnet behind it that should also have VPN access,
  133. 	# use the subdirectory "ccd" for client-specific
  134. 	# configuration files (see man page for more info).
  135. 

  136. 	# EXAMPLE: Suppose the client
  137. 	# having the certificate common name "Thelonious"
  138. 	# also has a small subnet behind his connecting
  139. 	# machine, such as 192.168.40.128/255.255.255.248.
  140. 	# First, uncomment out these lines:
  141. #	option client_config_dir /etc/openvpn/ccd
  142. #	list route "192.168.40.128 255.255.255.248"
  143. 	# Then create a file ccd/Thelonious with this line:
  144. 	#   iroute 192.168.40.128 255.255.255.248
  145. 	# This will allow Thelonious' private subnet to
  146. 	# access the VPN.  This example will only work
  147. 	# if you are routing, not bridging, i.e. you are
  148. 	# using "dev tun" and "server" directives.
  149. 

  150. 	# EXAMPLE: Suppose you want to give
  151. 	# Thelonious a fixed VPN IP address of 10.9.0.1.
  152. 	# First uncomment out these lines:
  153. #	option client_config_dir /etc/openvpn/ccd
  154. #	list route "10.9.0.0 255.255.255.252"
  155. #	list route "192.168.100.0 255.255.255.0"
  156. 	# Then add this line to ccd/Thelonious:
  157. 	#   ifconfig-push "10.9.0.1 10.9.0.2"
  158. 

  159. 	# Suppose that you want to enable different
  160. 	# firewall access policies for different groups
  161. 	# of clients.  There are two methods:
  162. 	# (1) Run multiple OpenVPN daemons, one for each
  163. 	#     group, and firewall the TUN/TAP interface
  164. 	#     for each group/daemon appropriately.
  165. 	# (2) (Advanced) Create a script to dynamically
  166. 	#     modify the firewall in response to access
  167. 	#     from different clients.  See man
  168. 	#     page for more info on learn-address script.
  169. #	option learn_address /etc/openvpn/script
  170. 

  171. 	# If enabled, this directive will configure
  172. 	# all clients to redirect their default
  173. 	# network gateway through the VPN, causing
  174. 	# all IP traffic such as web browsing and
  175. 	# and DNS lookups to go through the VPN
  176. 	# (The OpenVPN server machine may need to NAT
  177. 	# the TUN/TAP interface to the internet in
  178. 	# order for this to work properly).
  179. 	# CAVEAT: May break client's network config if
  180. 	# client's local DHCP server packets get routed
  181. 	# through the tunnel.  Solution: make sure
  182. 	# client's local DHCP server is reachable via
  183. 	# a more specific route than the default route
  184. 	# of 0.0.0.0/0.0.0.0.
  185. #	list push "redirect-gateway"
  186. 

  187. 	# Certain Windows-specific network settings
  188. 	# can be pushed to clients, such as DNS
  189. 	# or WINS server addresses.  CAVEAT:
  190. 	# http://openvpn.net/faq.html#dhcpcaveats
  191. #	list push "dhcp-option DNS 10.8.0.1"
  192. #	list push "dhcp-option WINS 10.8.0.1"
  193. 

  194. 	# Uncomment this directive to allow different
  195. 	# clients to be able to "see" each other.
  196. 	# By default, clients will only see the server.
  197. 	# To force clients to only see the server, you
  198. 	# will also need to appropriately firewall the
  199. 	# server's TUN/TAP interface.
  200. #	option client_to_client 1
  201. 

  202. 	# Uncomment this directive if multiple clients
  203. 	# might connect with the same certificate/key
  204. 	# files or common names.  This is recommended
  205. 	# only for testing purposes.  For production use,
  206. 	# each client should have its own certificate/key
  207. 	# pair.
  208. 	#
  209. 	# IF YOU HAVE NOT GENERATED INDIVIDUAL
  210. 	# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  211. 	# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  212. 	# UNCOMMENT THIS LINE OUT.
  213. #	option duplicate_cn 1
  214. 

  215. 	# The keepalive directive causes ping-like
  216. 	# messages to be sent back and forth over
  217. 	# the link so that each side knows when
  218. 	# the other side has gone down.
  219. 	# Ping every 10 seconds, assume that remote
  220. 	# peer is down if no ping received during
  221. 	# a 120 second time period.
  222. 	option keepalive "10 120"
  223. 

  224. 	# For extra security beyond that provided
  225. 	# by SSL/TLS, create an "HMAC firewall"
  226. 	# to help block DoS attacks and UDP port flooding.
  227. 	#
  228. 	# Generate with:
  229. 	#   openvpn --genkey --secret ta.key
  230. 	#
  231. 	# The server and each client must have
  232. 	# a copy of this key.
  233. 	# The second parameter should be '0'
  234. 	# on the server and '1' on the clients.
  235. 	# This file is secret:
  236. #	option tls_auth "/etc/openvpn/ta.key 0"
  237. 

  238. 	# For additional privacy, a shared secret key
  239. 	# can be used for both authentication (as in tls_auth)
  240. 	# and encryption of the TLS control channel.
  241. 	#
  242. 	# Generate a shared secret with:
  243. 	# openvpn --genkey --secret ta.key
  244. 	#
  245. 	# The server and each client must have
  246. 	# a copy of this key.
  247. 	#
  248. 	# tls_auth and tls_crypt should NOT
  249. 	# be combined, as tls_crypt implies tls_auth.
  250. 	# Use EITHER tls_crypt, tls_auth, or neither option.
  251. #	option tls_crypt "/etc/openvpn/ta.key"
  252. 

  253. 	# Set the minimum required TLS protocol version
  254. 	# for all connections.
  255. 	#
  256. 	# Require at least TLS 1.1
  257. #	option tls_version_min "1.1"
  258. 	# Require at least TLS 1.2
  259. #	option tls_version_min "1.2"
  260. 	# Require TLS 1.2, or the highest version supported
  261. 	# on the system
  262. #	option tls_version_min "1.2 'or-highest'"
  263. 

  264. 	# List the preferred ciphers to use for the data channel.
  265. 	# Run openvpn --show-ciphers to see all supported ciphers.
  266. #	list data_ciphers 'AES-256-GCM'
  267. #	list data_ciphers 'AES-128-GCM'
  268. #	list data_ciphers 'CHACHA20-POLY1305'
  269. 

  270. 	# Set a fallback cipher in order to be compatible with
  271. 	# peers that do not support cipher negotiation.
  272. 	#
  273. 	# Use AES-256-CBC as fallback
  274. #	option data_ciphers_fallback 'AES-128-CBC'
  275. 	# Use AES-128-CBC as fallback
  276. #	option data_ciphers_fallback 'AES-256-CBC'
  277. 	# Use Triple-DES as fallback
  278. #	option data_ciphers_fallback 'DES-EDE3-CBC'
  279. 	# Use BF-CBC as fallback
  280. #	option data_ciphers_fallback 'BF-CBC'
  281. 

  282. 	# OpenVPN versions 2.4 and later will attempt to
  283. 	# automatically negotiate the most secure cipher
  284. 	# between the client and server, regardless of a
  285. 	# configured "option cipher" (see below).
  286. 	# Automatic negotiation is recommended.
  287. 	#
  288. 	# Uncomment this option to disable this behavior,
  289. 	# and force all OpenVPN peers to use the configured
  290. 	# cipher option instead (not recommended).
  291. #	option ncp_disable
  292. 

  293. 	# Enable compression on the VPN link.
  294. 	# If you enable it here, you must also
  295. 	# enable it in the client config file.
  296. 	#
  297. 	# Compression is not recommended, as compression and
  298. 	# encryption in combination can weaken the security
  299. 	# of the connection.
  300. 	#
  301. 	# LZ4 requires OpenVPN 2.4+ client and server
  302. #	option compress lz4
  303. 	
  304. 	# Control how OpenVPN handles peers using compression
  305. 	#
  306. 	# Do not allow any connections using compression
  307. #	option allow_compression 'no'
  308. 	# Allow incoming compressed packets, but do not send compressed packets to other peers
  309. 	# This can be useful when migrating old configurations with compression activated
  310. #	option allow_compression 'asym'
  311. 	# Both incoming and outgoing packets may be compressed
  312. #	option allow_compression 'yes'
  313. 

  314. 	# The maximum number of concurrently connected
  315. 	# clients we want to allow.
  316. #	option max_clients 100
  317. 

  318. 	# The persist options will try to avoid
  319. 	# accessing certain resources on restart
  320. 	# that may no longer be accessible because
  321. 	# of the privilege downgrade.
  322. 	option persist_key 1
  323. 	option persist_tun 1
  324. 	option user nobody
  325. 

  326. 	# Output a short status file showing
  327. 	# current connections, truncated
  328. 	# and rewritten every minute.
  329. 	option status /tmp/openvpn-status.log
  330. 

  331. 	# By default, log messages will go to the syslog (or
  332. 	# on Windows, if running as a service, they will go to
  333. 	# the "\Program Files\OpenVPN\log" directory).
  334. 	# Use log or log-append to override this default.
  335. 	# "log" will truncate the log file on OpenVPN startup,
  336. 	# while "log-append" will append to it.  Use one
  337. 	# or the other (but not both).
  338. #	option log         /tmp/openvpn.log
  339. #	option log_append  /tmp/openvpn.log
  340. 

  341. 	# Set the appropriate level of log
  342. 	# file verbosity.
  343. 	#
  344. 	# 0 is silent, except for fatal errors
  345. 	# 4 is reasonable for general usage
  346. 	# 5 and 6 can help to debug connection problems
  347. 	# 9 is extremely verbose
  348. 	option verb 3
  349. 

  350. 	# Silence repeating messages.  At most 20
  351. 	# sequential messages of the same message
  352. 	# category will be output to the log.
  353. #	option mute 20
  354. 

  355. 

  356. ##############################################
  357. # Sample client-side OpenVPN 2.0 uci config  #
  358. # for connecting to multi-client server.     #
  359. ##############################################
  360. 

  361. config openvpn sample_client
  362. 

  363. 	# Set to 1 to enable this instance:
  364. 	option enabled 0
  365. 

  366. 	# Specify that we are a client and that we
  367. 	# will be pulling certain config file directives
  368. 	# from the server.
  369. 	option client 1
  370. 

  371. 	# Use the same setting as you are using on
  372. 	# the server.
  373. 	# On most systems, the VPN will not function
  374. 	# unless you partially or fully disable
  375. 	# the firewall for the TUN/TAP interface.
  376. #	option dev tap
  377. 	option dev tun
  378. 

  379. 	# Are we connecting to a TCP or
  380. 	# UDP server?  Use the same setting as
  381. 	# on the server.
  382. #	option proto tcp
  383. 	option proto udp
  384. 

  385. 	# The hostname/IP and port of the server.
  386. 	# You can have multiple remote entries
  387. 	# to load balance between the servers.
  388. 	list remote "my_server_1 1194"
  389. #	list remote "my_server_2 1194"
  390. 

  391. 	# Choose a random host from the remote
  392. 	# list for load_balancing.  Otherwise
  393. 	# try hosts in the order specified.
  394. #	option remote_random 1
  395. 

  396. 	# Keep trying indefinitely to resolve the
  397. 	# host name of the OpenVPN server.  Very useful
  398. 	# on machines which are not permanently connected
  399. 	# to the internet such as laptops.
  400. 	option resolv_retry infinite
  401. 

  402. 	# Most clients don't need to bind to
  403. 	# a specific local port number.
  404. 	option nobind 1
  405. 

  406. 	# Try to preserve some state across restarts.
  407. 	option persist_key 1
  408. 	option persist_tun 1
  409. 	option user nobody
  410. 

  411. 	# If you are connecting through an
  412. 	# HTTP proxy to reach the actual OpenVPN
  413. 	# server, put the proxy server/IP and
  414. 	# port number here.  See the man page
  415. 	# if your proxy server requires
  416. 	# authentication.
  417. 	# retry on connection failures:
  418. #	option http_proxy_retry 1
  419. 	# specify http proxy address and port:
  420. #	option http_proxy "192.168.1.100 8080"
  421. 

  422. 	# Wireless networks often produce a lot
  423. 	# of duplicate packets.  Set this flag
  424. 	# to silence duplicate packet warnings.
  425. #	option mute_replay_warnings 1
  426. 

  427. 	# SSL/TLS parms.
  428. 	# See the server config file for more
  429. 	# description.  It's best to use
  430. 	# a separate .crt/.key file pair
  431. 	# for each client.  A single ca
  432. 	# file can be used for all clients.
  433. 	option ca /etc/openvpn/ca.crt
  434. 	option cert /etc/openvpn/client.crt
  435. 	option key /etc/openvpn/client.key
  436. 

  437. 	# Verify server certificate by checking
  438. 	# that the certicate has the key usage
  439. 	# field set to "server".  This is an
  440. 	# important precaution to protect against
  441. 	# a potential attack discussed here:
  442. 	#  http://openvpn.net/howto.html#mitm
  443. 	#
  444. 	# To use this feature, you will need to generate
  445. 	# your server certificates with the nsCertType
  446. 	# field set to "server".  The build_key_server
  447. 	# script in the easy_rsa folder will do this.
  448. #	option remote_cert_tls server
  449. 

  450. 	# If a tls_auth key is used on the server
  451. 	# then every client must also have the key.
  452. #	option tls_auth "/etc/openvpn/ta.key 1"
  453. 

  454. 	# If a tls_crypt key is used on the server
  455. 	# every client must also have the key.
  456. #	option tls_crypt "/etc/openvpn/ta.key"
  457. 

  458. 	# Set the minimum required TLS protocol version
  459. 	# for all connections.
  460. 	#
  461. 	# Require at least TLS 1.1
  462. #	option tls_version_min "1.1"
  463. 	# Require at least TLS 1.2
  464. #	option tls_version_min "1.2"
  465. 	# Require TLS 1.2, or the highest version supported
  466. 	# on the system
  467. #	option tls_version_min "1.2 'or-highest'"
  468. 

  469. 	# List the preferred ciphers for the data channel.
  470. #	list data_ciphers 'AES-256-GCM'
  471. #	list data_ciphers 'AES-128-GCM'
  472. #	list data_ciphers 'CHACHA20-POLY1305'
  473. 

  474. 	# Set a fallback cipher if you connect to a peer that does
  475. 	# not support cipher negotiation.
  476. 	# Use AES-256-CBC as fallback
  477. #	option data_ciphers_fallback 'AES-128-CBC'
  478. 	# Use AES-128-CBC as fallback
  479. #	option data_ciphers_fallback 'AES-256-CBC'
  480. 	# Use Triple-DES as fallback
  481. #	option data_ciphers_fallback 'DES-EDE3-CBC'
  482. 	# Use BF-CBC as fallback
  483. #	option data_ciphers_fallback 'BF-CBC'
  484. 

  485. 	# Enable compression on the VPN link.
  486. 	# Don't enable this unless it is also
  487. 	# enabled in the server config file.
  488. 	#
  489. 	# Compression is not recommended, as compression and
  490. 	# encryption in combination can weaken the security
  491. 	# of the connection.
  492. 	#
  493. 	# LZ4 requires OpenVPN 2.4+ on server and client
  494. #	option compress lz4
  495. 

  496. 	# Set log file verbosity.
  497. 	option verb 3
  498. 

  499. 	# Silence repeating messages
  500. #	option mute 20