https://wiki.archlinux.org/api.php?action=feedcontributions&user=Altazar&feedformat=atomArchWiki - User contributions [en]2024-03-29T10:50:40ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=OpenVPN&diff=517908OpenVPN2018-04-18T22:11:31Z<p>Altazar: /* Override DNS servers using NetworkManager */ correct</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[ja:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
[[zh-hans:OpenVPN]]<br />
{{Related articles start}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|Easy-RSA}}<br />
{{Related articles end}}<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage OpenVPN 2.4 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[Install]] the {{Pkg|openvpn}} package, which provides both server and client mode.<br />
<br />
== Kernel configuration ==<br />
<br />
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support<br />
}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, see [[:Category:VPN providers]] for examples that can be adapted to other providers. [[OpenVPN (client) in Linux containers]] also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.<br />
<br />
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[Easy-RSA]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn/server}} at this point:<br />
<br />
ca.crt<br />
dh.pem<br />
servername.crt<br />
servername.key<br />
ta.key<br />
<br />
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes a basic L3 IP routing configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.<br />
<br />
With the release of v2.4, server configurations are stored in {{ic|/etc/openvpn/server}} and client configurations are stored in {{ic|/etc/openvpn/client}} and each mode has its own respective systemd unit, namely, {{ic|openvpn-client@.service}} and {{ic|openvpn-server@.service}}.<br />
<br />
=== Example configuration ===<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openvpn]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the {{man|8|openvpn}} man page and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
<br />
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.}}<br />
<br />
Copy the example server configuration file {{ic|/usr/share/openvpn/examples/server.conf}} to {{ic|/etc/openvpn/server/server.conf}}.<br />
<br />
Edit the file making a minimum of the following changes:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
ca ca.crt<br />
cert servername.crt<br />
key servername.key # This file should be kept secret<br />
dh dh.pem<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 0''<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
==== Hardening the server ====<br />
<br />
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.<br />
<br />
Add the following to {{ic|/etc/openvpn/server/server.conf}}:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
cipher AES-256-CBC<br />
auth SHA512<br />
tls-version-min 1.2<br />
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA<br />
.<br />
}}<br />
<br />
{{Note|<br />
*The .ovpn client profile '''must''' contain a matching cipher and auth line to work properly (at least with the iOS and Android client).<br />
*Using {{ic|tls-cipher}} incorrectly may cause difficulty with debugging connections and may not be necessary. See [https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher OpenVPN’s community wiki] for more information.}}<br />
<br />
==== Enabling compression ====<br />
<br />
Since OpenVPN v2.4 it is possible to use LZ4 compression over lzo. LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use lzo {{ic|comp-lzo}}. Do '''not''' enable both compression options at the same time.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
compress lz4-v2<br />
push "compress lz4-v2"<br />
.<br />
}}<br />
<br />
On the client set {{ic|--compress lz4}} [https://community.openvpn.net/openvpn/wiki/DeprecatedOptions], although this may be deprecated in the near future.<br />
<br />
==== Deviating from the standard port and/or protocol ====<br />
<br />
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
port 443<br />
proto tcp<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile '''must''' contain a matching port and proto line to work properly!}}<br />
<br />
===== TCP vs UDP =====<br />
<br />
There are subtle differences between TCP and UDP.<br />
<br />
TCP<br />
<br />
* So-called "stateful protocol."<br />
* High reliability due to error correction (i.e. waits for packet acknowledgment).<br />
* Potentially slower than UDP.<br />
<br />
UDP<br />
<br />
* So-called "stateless protocol."<br />
* Less reliable than TCP as no error correction is in use.<br />
* Potentially faster than TCP.<br />
<br />
{{Note|It is generally a bad idea to use TCP for VPN unless your connection to the server is very stable. High reliability sounds great in theory but any disruption (packet drop, lag spikes, etc...) to the connection will potentially snowball into a [http://sites.inka.de/bigred/devel/tcp-tcp.html TCP Meltdown][http://adsabs.harvard.edu/abs/2005SPIE.6011..138H].}}<br />
<br />
=== The client config profile ===<br />
<br />
Copy the example client configuration file {{ic|/usr/share/openvpn/examples/client.conf}} to {{ic|/etc/openvpn/client/}}.<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the TLS HMAC handshake protection ({{ic|--tls-crypt}} or {{ic|--tls-auth}}).<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote elmer.acmecorp.org 1194<br />
.<br />
user nobody<br />
group nobody<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 1''<br />
}}<br />
<br />
==== Run as unprivileged user ====<br />
<br />
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its {{ic|root}} privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.<br />
<br />
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are different ways to handle these situations: <br />
<br />
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly. <br />
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}}, which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its [https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15 README]).<br />
<br />
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons:<br />
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.<br />
* It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki] (howto). The howto assumes the presence of System V init, rather than [[Systemd]] and does not cover the handling of {{ic|--up}}/{{ic|--down}} scripts - those should be handled the same way as the ''ip'' command, with additional attention to access rights.<br />
<br />
{{Note|Due to a [https://community.openvpn.net/openvpn/ticket/812 bug] in OpenVPN 2.4.0, the {{ic|persist-tun}} option mentioned in the howtos should '''not''' be used, otherwise new routes/IPs pushed on reconnect will be ignored by the client.}}<br />
<br />
{{Tip|[[#openvpn-unroot]] describes a tool to automate above setup.}}<br />
<br />
=== Converting certificates to encrypted .p12 format ===<br />
<br />
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:<br />
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}<br />
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client/client.conf}} on the client. Example output should be similar to the following:<br />
<br />
{{hc|# openvpn /etc/openvpn/server/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, [[DNS]], [[NFS]]), it may be needed to set a MTU value manually.<br />
<br />
The following message may indicate the MTU value should be adjusted:<br />
<br />
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)<br />
<br />
In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn]:<br />
<br />
# ping -M do -s 1500 -c 1 example.com<br />
<br />
Decrease the 1500 value by 10 each time, until the ping succeeds.<br />
<br />
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the {{ic|fragment}} directive. See {{ic|mtu-test}} as alternative solution.}}<br />
<br />
Update the client configuration to use the succeeded MTU value, e.g.:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
tun-mtu 1400 <br />
mssfix 1360<br />
}}<br />
<br />
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since your client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
mtu-test<br />
...<br />
}}<br />
<br />
=== IPv6 ===<br />
<br />
==== Connect to the server via IPv6 ====<br />
<br />
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.<br />
<br />
==== Provide IPv6 inside the tunnel ====<br />
<br />
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:<br />
<br />
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).<br />
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.<br />
<br />
After you have received a prefix (a /64 is recommended), append the following to the server.conf:<br />
<br />
server-ipv6 2001:db8:0:123::/64<br />
<br />
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.<br />
<br />
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:<br />
<br />
push "route-ipv6 2001:db8:0:abc::/64"<br />
<br />
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start the OpenVPN server automatically at system boot, [[enable]] {{ic|openvpn-server@''<configuration>''.service}} on the applicable machine. For a client, [[enable]] {{ic|openvpn-client@''<configuration>''.service}} instead. (Leave {{ic|.conf}} out of the {{ic|<configuration>}} string.)<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client/''client''.conf}}, the service name is {{ic|openvpn-client@''client''.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server/''server''.conf}}, the service name is {{ic|openvpn-server@''server''.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn-client@''<configuration>''<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn-client@''<configuration>''<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{pkg|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client config profile]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).<br />
<br />
== Routing client traffic through the server ==<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, [[append]] {{ic|push "redirect-gateway def1 bypass-dhcp"}} to the configuration file (i.e. {{ic|/etc/openvpn/server/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] of the server. Note this is not a requirement and may even give performance issue:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
<br />
Use the {{ic|push "route <address pool> <subnet>"}} option to allow clients reaching other subnets/devices behind the server:<br />
<br />
push "route 192.168.1.0 255.255.255.0"<br />
push "route 192.168.2.0 255.255.255.0"<br />
<br />
You may want to push local [[DNS]] settings to clients (e.g. the DNS-server of the router and domain prefix ''.internal''):<br />
<br />
{{Note|You may need to use a simple [[DNS]] forwarder like [[BIND]] and push the IP address of the OpenVPN server as DNS to clients.}}<br />
<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "dhcp-option DOMAIN internal"<br />
<br />
After setting up the configuration file, [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's [[firewall]] needs to be adjusted to allow VPN traffic, which is described below for both [[#ufw|ufw]] and [[#iptables|iptables]].<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to the [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect OpenVPN documentation] for more information.}}<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to allow [[ufw]] forwarding (VPN) traffic [[append]] the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Change {{ic|/etc/ufw/before.rules}}, and [[append]] the following code after the header and before the "*filter" line:<br />
* Change the IP/subnet mask to match the {{ic|server}} set in the OpenVPN server configuration.<br />
* Change the [[Network_configuration#Check_the_connection|network interface]] to the connection used by OpenVPN server.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to the interface<br />
-A POSTROUTING -s 10.8.0.0/24 -o ''interface'' -j MASQUERADE<br />
<br />
# do not delete the "COMMIT" line or the NAT table rules above will not be processed<br />
COMMIT<br />
<br />
# Don't delete these required lines, otherwise there will be errors<br />
*filter<br />
..<br />
}}<br />
<br />
Make sure to open the chosen OpenVPN port (default 1194/udp):<br />
<br />
# ufw allow 1194 udp<br />
<br />
To apply the changes. [[reload]]/[[restart]] ufw:<br />
<br />
# ufw reload<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your [[iptables]] firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.<br />
<br />
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].<br />
<br />
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.<br />
<br />
=== Prevent leaks if VPN goes down ===<br />
<br />
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.<br />
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.<br />
<br />
Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.<br />
<br />
==== ufw ====<br />
<br />
# Default policies<br />
ufw default deny incoming<br />
ufw default deny outgoing<br />
<br />
# Openvpn interface (adjust interface accordingly to your configuration)<br />
ufw allow in on tun0<br />
ufw allow out on tun0<br />
<br />
# Local Network (adjust ip accordingly to your configuration)<br />
ufw allow in on enp3s0 from 192.168.1.0/24<br />
ufw allow out on enp3s0 to 192.168.1.0/24<br />
<br />
# Openvpn (adjust port accordingly to your configuration)<br />
ufw allow in on enp3s0 from any port 1194<br />
ufw allow out on enp3s0 to any port 1194<br />
<br />
<br />
{{Warning| DNS '''will not''' work '''unless''' you run your own DNS server like [[BIND]]<br />
Otherwise, you will need to allow dns leak. '''Be sure to trust your DNS server!'''<br />
# DNS<br />
ufw allow in from any to any port 53<br />
ufw allow out from any to any port 53<br />
}}<br />
<br />
==== vpnfailsafe ====<br />
<br />
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#Update resolv-conf script|update-resolv-conf]], so the two do not need to be combined.<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its config file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
..<br />
}}<br />
<br />
{{Note|You may need to adjust the [[#Firewall configuration|firewall]] to allowing client traffic passing through the VPN server.}}<br />
<br />
== DNS ==<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.<br />
<br />
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn/client/}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Run as unprivileged user]]:<br />
<br />
{{hc|/etc/openvpn/client/''clienttunnel''.conf|<br />
user nobody<br />
group nobody<br />
# Optional, choose a suitable path to chroot into for your system<br />
chroot /srv<br />
script-security 2<br />
up /etc/openvpn/client/client.up <br />
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client/client.down tun0"<br />
}}<br />
<br />
=== Update resolv-conf script ===<br />
<br />
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]].<br />
<br />
Once the script is installed add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
up /etc/openvpn/update-resolv-conf<br />
down /etc/openvpn/update-resolv-conf<br />
<br />
{{Note|If manually placing the script on the filesystem, be sure to have {{pkg|openresolv}} installed.}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your {{ic|resolv.conf}} file is updated accordingly, and also returns to normal when you close the connection.<br />
<br />
{{Note|When using {{ic|openresolv}} with the ''-p'' or ''-x'' options in a script (as both the included {{ic|client.up}} and {{ic|update-resolv-conf}} scripts currently do), a DNS resolver like {{Pkg|dnsmasq}} or {{Pkg|unbound}} is required for {{ic|openresolv}} to correctly update {{ic|/etc/resolv.conf}}. In contrast, when using the default DNS resolution from {{ic|libc}} the ''-p'' and ''-x'' options must be removed in order for {{ic|/etc/resolv.conf}} to be correctly updated by {{ic|openresolv}}.<br />
For example, if the script contains a command like {{ic|resolvconf -p -a }} and the default DNS resolver from {{ic|libc}} is being used, change the command in the script to be {{ic|resolvconf -a }}.}}<br />
<br />
=== Update systemd-resolved script ===<br />
<br />
Since [[systemd]] 229, [[systemd-networkd]] has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.<br />
<br />
Copy the script into {{ic|/etc/openvpn}} and mark as [[executable]], or [[install]] {{AUR|openvpn-update-systemd-resolved}}, and [[append]] the following lines into the OpenVPN client configuration file:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote example.com 1194 udp<br />
..<br />
script-security 2<br />
setenv PATH /usr/bin<br />
up /etc/openvpn/scripts/update-systemd-resolved<br />
down /etc/openvpn/scripts/update-systemd-resolved<br />
down-pre<br />
}}<br />
<br />
===Override DNS servers using NetworkManager===<br />
By default [https://www.archlinux.org/packages/extra/x86_64/networkmanager-openvpn/ networkmanager-openvpn] plugin just appends DNS servers provided by OpenVPN to {{ic|/etc/resolv.conf}}. This may result result DNS instability (leakage).<br />
<br />
Settings UI does not provide any way to change this behavior, but it is possible to [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92 completely override] DNS using connection config file.<br />
<br />
To use DNS settings provided by VPN connection just add {{ic|1=dns-priority=-1}} ([https://developer.gnome.org/NetworkManager/stable/settings-ipv4.html ipv4 section]) into file located on: {{ic|/etc/NetworkManager/system-connections/your_vpn_name}}.<br />
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Config generators ==<br />
<br />
{{Warning|Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.}}<br />
<br />
=== ovpngen ===<br />
<br />
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.<br />
<br />
Simply invoke the script with 5 tokens:<br />
<br />
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).<br />
# Full path to the CA cert.<br />
# Full path to the client cert.<br />
# Full path to the client private key.<br />
# Full path to the server TLS shared secret key.<br />
# Optionally a port number.<br />
# Optionally a protocol (udp or tcp).<br />
<br />
Example:<br />
<br />
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > iphone.ovpn<br />
<br />
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.<br />
<br />
The client expects this file to be located in {{ic|/etc/openvpn/client/iphone.conf}}. Note the change in file extension from 'ovpn' to 'conf' in this case.<br />
<br />
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!}}<br />
<br />
=== openvpn-unroot ===<br />
<br />
The steps necessary for OpenVPN to [[#Run as unprivileged user]], can be performed automatically using [https://github.com/wknapik/openvpn-unroot openvpn-unroot] ({{AUR|openvpn-unroot-git}}).<br />
<br />
It automates the actions required for the [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser OpenVPN howto] by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client daemon not reconnecting after suspend ===<br />
<br />
{{AUR|openvpn-reconnect}}, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.<br />
<br />
Alternatively, you can kill and restart OpenVPN after suspend by creating the folowing systemd service:<br />
<br />
{{hc|1=/etc/systemd/system/openvpn-reconnect.service|2=<br />
[Unit]<br />
Description=Restart OpenVPN after suspend<br />
<br />
[Service]<br />
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn<br />
<br />
[Install]<br />
WantedBy=sleep.target<br />
}}<br />
<br />
[[Enable]] this service for it to take effect.<br />
<br />
=== Connection drops out after some time of inactivity ===<br />
<br />
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
.<br />
keepalive 10 120<br />
.<br />
.<br />
}}<br />
<br />
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.<br />
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.<br />
<br />
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.<br />
<br />
=== PID files not present ===<br />
<br />
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change {{ic|openvpn-client@.service}} using a [[drop-in snippet]]:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid<br />
<br />
=== Route configuration fails with systemd-networkd ===<br />
<br />
When using [[systemd-networkd]] to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.<br />
<br />
openvpn[458]: RTNETLINK answers: Network is unreachable<br />
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2<br />
<br />
With systemd-233 (currently in [[testing]]), systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:<br />
<br />
{{hc|1=/etc/systemd/network/90-tun-ignore.network|2=<br />
[Match]<br />
Name=tun*<br />
<br />
[Link]<br />
Unmanaged=true<br />
}}<br />
<br />
[[Restart]] {{ic|systemd-networkd.service}} to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run {{ic|networkctl}}. The output should have a line similar to the following:<br />
<br />
7 tun0 none routable unmanaged<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:OpenVPN]]</div>Altazarhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=517905OpenVPN2018-04-18T22:08:22Z<p>Altazar: /* Override DNS servers using NetworkManager */ Hyperlinks</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[ja:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
[[zh-hans:OpenVPN]]<br />
{{Related articles start}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|Easy-RSA}}<br />
{{Related articles end}}<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage OpenVPN 2.4 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[Install]] the {{Pkg|openvpn}} package, which provides both server and client mode.<br />
<br />
== Kernel configuration ==<br />
<br />
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support<br />
}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, see [[:Category:VPN providers]] for examples that can be adapted to other providers. [[OpenVPN (client) in Linux containers]] also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.<br />
<br />
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[Easy-RSA]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn/server}} at this point:<br />
<br />
ca.crt<br />
dh.pem<br />
servername.crt<br />
servername.key<br />
ta.key<br />
<br />
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes a basic L3 IP routing configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.<br />
<br />
With the release of v2.4, server configurations are stored in {{ic|/etc/openvpn/server}} and client configurations are stored in {{ic|/etc/openvpn/client}} and each mode has its own respective systemd unit, namely, {{ic|openvpn-client@.service}} and {{ic|openvpn-server@.service}}.<br />
<br />
=== Example configuration ===<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openvpn]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the {{man|8|openvpn}} man page and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
<br />
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.}}<br />
<br />
Copy the example server configuration file {{ic|/usr/share/openvpn/examples/server.conf}} to {{ic|/etc/openvpn/server/server.conf}}.<br />
<br />
Edit the file making a minimum of the following changes:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
ca ca.crt<br />
cert servername.crt<br />
key servername.key # This file should be kept secret<br />
dh dh.pem<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 0''<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
==== Hardening the server ====<br />
<br />
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.<br />
<br />
Add the following to {{ic|/etc/openvpn/server/server.conf}}:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
cipher AES-256-CBC<br />
auth SHA512<br />
tls-version-min 1.2<br />
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA<br />
.<br />
}}<br />
<br />
{{Note|<br />
*The .ovpn client profile '''must''' contain a matching cipher and auth line to work properly (at least with the iOS and Android client).<br />
*Using {{ic|tls-cipher}} incorrectly may cause difficulty with debugging connections and may not be necessary. See [https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher OpenVPN’s community wiki] for more information.}}<br />
<br />
==== Enabling compression ====<br />
<br />
Since OpenVPN v2.4 it is possible to use LZ4 compression over lzo. LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use lzo {{ic|comp-lzo}}. Do '''not''' enable both compression options at the same time.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
compress lz4-v2<br />
push "compress lz4-v2"<br />
.<br />
}}<br />
<br />
On the client set {{ic|--compress lz4}} [https://community.openvpn.net/openvpn/wiki/DeprecatedOptions], although this may be deprecated in the near future.<br />
<br />
==== Deviating from the standard port and/or protocol ====<br />
<br />
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
port 443<br />
proto tcp<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile '''must''' contain a matching port and proto line to work properly!}}<br />
<br />
===== TCP vs UDP =====<br />
<br />
There are subtle differences between TCP and UDP.<br />
<br />
TCP<br />
<br />
* So-called "stateful protocol."<br />
* High reliability due to error correction (i.e. waits for packet acknowledgment).<br />
* Potentially slower than UDP.<br />
<br />
UDP<br />
<br />
* So-called "stateless protocol."<br />
* Less reliable than TCP as no error correction is in use.<br />
* Potentially faster than TCP.<br />
<br />
{{Note|It is generally a bad idea to use TCP for VPN unless your connection to the server is very stable. High reliability sounds great in theory but any disruption (packet drop, lag spikes, etc...) to the connection will potentially snowball into a [http://sites.inka.de/bigred/devel/tcp-tcp.html TCP Meltdown][http://adsabs.harvard.edu/abs/2005SPIE.6011..138H].}}<br />
<br />
=== The client config profile ===<br />
<br />
Copy the example client configuration file {{ic|/usr/share/openvpn/examples/client.conf}} to {{ic|/etc/openvpn/client/}}.<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the TLS HMAC handshake protection ({{ic|--tls-crypt}} or {{ic|--tls-auth}}).<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote elmer.acmecorp.org 1194<br />
.<br />
user nobody<br />
group nobody<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 1''<br />
}}<br />
<br />
==== Run as unprivileged user ====<br />
<br />
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its {{ic|root}} privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.<br />
<br />
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are different ways to handle these situations: <br />
<br />
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly. <br />
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}}, which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its [https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15 README]).<br />
<br />
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons:<br />
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.<br />
* It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki] (howto). The howto assumes the presence of System V init, rather than [[Systemd]] and does not cover the handling of {{ic|--up}}/{{ic|--down}} scripts - those should be handled the same way as the ''ip'' command, with additional attention to access rights.<br />
<br />
{{Note|Due to a [https://community.openvpn.net/openvpn/ticket/812 bug] in OpenVPN 2.4.0, the {{ic|persist-tun}} option mentioned in the howtos should '''not''' be used, otherwise new routes/IPs pushed on reconnect will be ignored by the client.}}<br />
<br />
{{Tip|[[#openvpn-unroot]] describes a tool to automate above setup.}}<br />
<br />
=== Converting certificates to encrypted .p12 format ===<br />
<br />
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:<br />
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}<br />
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client/client.conf}} on the client. Example output should be similar to the following:<br />
<br />
{{hc|# openvpn /etc/openvpn/server/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, [[DNS]], [[NFS]]), it may be needed to set a MTU value manually.<br />
<br />
The following message may indicate the MTU value should be adjusted:<br />
<br />
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)<br />
<br />
In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn]:<br />
<br />
# ping -M do -s 1500 -c 1 example.com<br />
<br />
Decrease the 1500 value by 10 each time, until the ping succeeds.<br />
<br />
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the {{ic|fragment}} directive. See {{ic|mtu-test}} as alternative solution.}}<br />
<br />
Update the client configuration to use the succeeded MTU value, e.g.:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
tun-mtu 1400 <br />
mssfix 1360<br />
}}<br />
<br />
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since your client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
mtu-test<br />
...<br />
}}<br />
<br />
=== IPv6 ===<br />
<br />
==== Connect to the server via IPv6 ====<br />
<br />
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.<br />
<br />
==== Provide IPv6 inside the tunnel ====<br />
<br />
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:<br />
<br />
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).<br />
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.<br />
<br />
After you have received a prefix (a /64 is recommended), append the following to the server.conf:<br />
<br />
server-ipv6 2001:db8:0:123::/64<br />
<br />
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.<br />
<br />
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:<br />
<br />
push "route-ipv6 2001:db8:0:abc::/64"<br />
<br />
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start the OpenVPN server automatically at system boot, [[enable]] {{ic|openvpn-server@''<configuration>''.service}} on the applicable machine. For a client, [[enable]] {{ic|openvpn-client@''<configuration>''.service}} instead. (Leave {{ic|.conf}} out of the {{ic|<configuration>}} string.)<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client/''client''.conf}}, the service name is {{ic|openvpn-client@''client''.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server/''server''.conf}}, the service name is {{ic|openvpn-server@''server''.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn-client@''<configuration>''<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn-client@''<configuration>''<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{pkg|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client config profile]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).<br />
<br />
== Routing client traffic through the server ==<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, [[append]] {{ic|push "redirect-gateway def1 bypass-dhcp"}} to the configuration file (i.e. {{ic|/etc/openvpn/server/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] of the server. Note this is not a requirement and may even give performance issue:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
<br />
Use the {{ic|push "route <address pool> <subnet>"}} option to allow clients reaching other subnets/devices behind the server:<br />
<br />
push "route 192.168.1.0 255.255.255.0"<br />
push "route 192.168.2.0 255.255.255.0"<br />
<br />
You may want to push local [[DNS]] settings to clients (e.g. the DNS-server of the router and domain prefix ''.internal''):<br />
<br />
{{Note|You may need to use a simple [[DNS]] forwarder like [[BIND]] and push the IP address of the OpenVPN server as DNS to clients.}}<br />
<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "dhcp-option DOMAIN internal"<br />
<br />
After setting up the configuration file, [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's [[firewall]] needs to be adjusted to allow VPN traffic, which is described below for both [[#ufw|ufw]] and [[#iptables|iptables]].<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to the [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect OpenVPN documentation] for more information.}}<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to allow [[ufw]] forwarding (VPN) traffic [[append]] the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Change {{ic|/etc/ufw/before.rules}}, and [[append]] the following code after the header and before the "*filter" line:<br />
* Change the IP/subnet mask to match the {{ic|server}} set in the OpenVPN server configuration.<br />
* Change the [[Network_configuration#Check_the_connection|network interface]] to the connection used by OpenVPN server.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to the interface<br />
-A POSTROUTING -s 10.8.0.0/24 -o ''interface'' -j MASQUERADE<br />
<br />
# do not delete the "COMMIT" line or the NAT table rules above will not be processed<br />
COMMIT<br />
<br />
# Don't delete these required lines, otherwise there will be errors<br />
*filter<br />
..<br />
}}<br />
<br />
Make sure to open the chosen OpenVPN port (default 1194/udp):<br />
<br />
# ufw allow 1194 udp<br />
<br />
To apply the changes. [[reload]]/[[restart]] ufw:<br />
<br />
# ufw reload<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your [[iptables]] firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.<br />
<br />
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].<br />
<br />
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.<br />
<br />
=== Prevent leaks if VPN goes down ===<br />
<br />
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.<br />
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.<br />
<br />
Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.<br />
<br />
==== ufw ====<br />
<br />
# Default policies<br />
ufw default deny incoming<br />
ufw default deny outgoing<br />
<br />
# Openvpn interface (adjust interface accordingly to your configuration)<br />
ufw allow in on tun0<br />
ufw allow out on tun0<br />
<br />
# Local Network (adjust ip accordingly to your configuration)<br />
ufw allow in on enp3s0 from 192.168.1.0/24<br />
ufw allow out on enp3s0 to 192.168.1.0/24<br />
<br />
# Openvpn (adjust port accordingly to your configuration)<br />
ufw allow in on enp3s0 from any port 1194<br />
ufw allow out on enp3s0 to any port 1194<br />
<br />
<br />
{{Warning| DNS '''will not''' work '''unless''' you run your own DNS server like [[BIND]]<br />
Otherwise, you will need to allow dns leak. '''Be sure to trust your DNS server!'''<br />
# DNS<br />
ufw allow in from any to any port 53<br />
ufw allow out from any to any port 53<br />
}}<br />
<br />
==== vpnfailsafe ====<br />
<br />
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#Update resolv-conf script|update-resolv-conf]], so the two do not need to be combined.<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its config file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
..<br />
}}<br />
<br />
{{Note|You may need to adjust the [[#Firewall configuration|firewall]] to allowing client traffic passing through the VPN server.}}<br />
<br />
== DNS ==<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.<br />
<br />
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn/client/}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Run as unprivileged user]]:<br />
<br />
{{hc|/etc/openvpn/client/''clienttunnel''.conf|<br />
user nobody<br />
group nobody<br />
# Optional, choose a suitable path to chroot into for your system<br />
chroot /srv<br />
script-security 2<br />
up /etc/openvpn/client/client.up <br />
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client/client.down tun0"<br />
}}<br />
<br />
=== Update resolv-conf script ===<br />
<br />
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]].<br />
<br />
Once the script is installed add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
up /etc/openvpn/update-resolv-conf<br />
down /etc/openvpn/update-resolv-conf<br />
<br />
{{Note|If manually placing the script on the filesystem, be sure to have {{pkg|openresolv}} installed.}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your {{ic|resolv.conf}} file is updated accordingly, and also returns to normal when you close the connection.<br />
<br />
{{Note|When using {{ic|openresolv}} with the ''-p'' or ''-x'' options in a script (as both the included {{ic|client.up}} and {{ic|update-resolv-conf}} scripts currently do), a DNS resolver like {{Pkg|dnsmasq}} or {{Pkg|unbound}} is required for {{ic|openresolv}} to correctly update {{ic|/etc/resolv.conf}}. In contrast, when using the default DNS resolution from {{ic|libc}} the ''-p'' and ''-x'' options must be removed in order for {{ic|/etc/resolv.conf}} to be correctly updated by {{ic|openresolv}}.<br />
For example, if the script contains a command like {{ic|resolvconf -p -a }} and the default DNS resolver from {{ic|libc}} is being used, change the command in the script to be {{ic|resolvconf -a }}.}}<br />
<br />
=== Update systemd-resolved script ===<br />
<br />
Since [[systemd]] 229, [[systemd-networkd]] has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.<br />
<br />
Copy the script into {{ic|/etc/openvpn}} and mark as [[executable]], or [[install]] {{AUR|openvpn-update-systemd-resolved}}, and [[append]] the following lines into the OpenVPN client configuration file:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote example.com 1194 udp<br />
..<br />
script-security 2<br />
setenv PATH /usr/bin<br />
up /etc/openvpn/scripts/update-systemd-resolved<br />
down /etc/openvpn/scripts/update-systemd-resolved<br />
down-pre<br />
}}<br />
<br />
===Override DNS servers using NetworkManager===<br />
By default [https://www.archlinux.org/packages/extra/x86_64/networkmanager-openvpn/ networkmanager-openvpn] plugin just appends DNS servers provided by OpenVPN to {{ic|/etc/resolv.conf}}. This may result result DNS instability (leakage).<br />
<br />
Settings UI does not provide any way to change this behavior, but it is possible to [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92 completely override] existing DNS servers by VPN's using connection config file.<br />
<br />
To use DNS settings provided by VPN connection just add {{ic|1=dns-priority=-1}} ([https://developer.gnome.org/NetworkManager/stable/settings-ipv4.html ipv4 section]) into file located on: {{ic|/etc/NetworkManager/system-connections/your_vpn_name}}.<br />
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Config generators ==<br />
<br />
{{Warning|Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.}}<br />
<br />
=== ovpngen ===<br />
<br />
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.<br />
<br />
Simply invoke the script with 5 tokens:<br />
<br />
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).<br />
# Full path to the CA cert.<br />
# Full path to the client cert.<br />
# Full path to the client private key.<br />
# Full path to the server TLS shared secret key.<br />
# Optionally a port number.<br />
# Optionally a protocol (udp or tcp).<br />
<br />
Example:<br />
<br />
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > iphone.ovpn<br />
<br />
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.<br />
<br />
The client expects this file to be located in {{ic|/etc/openvpn/client/iphone.conf}}. Note the change in file extension from 'ovpn' to 'conf' in this case.<br />
<br />
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!}}<br />
<br />
=== openvpn-unroot ===<br />
<br />
The steps necessary for OpenVPN to [[#Run as unprivileged user]], can be performed automatically using [https://github.com/wknapik/openvpn-unroot openvpn-unroot] ({{AUR|openvpn-unroot-git}}).<br />
<br />
It automates the actions required for the [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser OpenVPN howto] by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client daemon not reconnecting after suspend ===<br />
<br />
{{AUR|openvpn-reconnect}}, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.<br />
<br />
Alternatively, you can kill and restart OpenVPN after suspend by creating the folowing systemd service:<br />
<br />
{{hc|1=/etc/systemd/system/openvpn-reconnect.service|2=<br />
[Unit]<br />
Description=Restart OpenVPN after suspend<br />
<br />
[Service]<br />
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn<br />
<br />
[Install]<br />
WantedBy=sleep.target<br />
}}<br />
<br />
[[Enable]] this service for it to take effect.<br />
<br />
=== Connection drops out after some time of inactivity ===<br />
<br />
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
.<br />
keepalive 10 120<br />
.<br />
.<br />
}}<br />
<br />
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.<br />
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.<br />
<br />
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.<br />
<br />
=== PID files not present ===<br />
<br />
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change {{ic|openvpn-client@.service}} using a [[drop-in snippet]]:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid<br />
<br />
=== Route configuration fails with systemd-networkd ===<br />
<br />
When using [[systemd-networkd]] to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.<br />
<br />
openvpn[458]: RTNETLINK answers: Network is unreachable<br />
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2<br />
<br />
With systemd-233 (currently in [[testing]]), systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:<br />
<br />
{{hc|1=/etc/systemd/network/90-tun-ignore.network|2=<br />
[Match]<br />
Name=tun*<br />
<br />
[Link]<br />
Unmanaged=true<br />
}}<br />
<br />
[[Restart]] {{ic|systemd-networkd.service}} to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run {{ic|networkctl}}. The output should have a line similar to the following:<br />
<br />
7 tun0 none routable unmanaged<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:OpenVPN]]</div>Altazarhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=517903OpenVPN2018-04-18T21:44:33Z<p>Altazar: /* Override DNS servers using NetworkManager */ short description</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[ja:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
[[zh-hans:OpenVPN]]<br />
{{Related articles start}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|Easy-RSA}}<br />
{{Related articles end}}<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage OpenVPN 2.4 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[Install]] the {{Pkg|openvpn}} package, which provides both server and client mode.<br />
<br />
== Kernel configuration ==<br />
<br />
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support<br />
}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, see [[:Category:VPN providers]] for examples that can be adapted to other providers. [[OpenVPN (client) in Linux containers]] also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.<br />
<br />
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[Easy-RSA]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn/server}} at this point:<br />
<br />
ca.crt<br />
dh.pem<br />
servername.crt<br />
servername.key<br />
ta.key<br />
<br />
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes a basic L3 IP routing configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.<br />
<br />
With the release of v2.4, server configurations are stored in {{ic|/etc/openvpn/server}} and client configurations are stored in {{ic|/etc/openvpn/client}} and each mode has its own respective systemd unit, namely, {{ic|openvpn-client@.service}} and {{ic|openvpn-server@.service}}.<br />
<br />
=== Example configuration ===<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openvpn]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the {{man|8|openvpn}} man page and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
<br />
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.}}<br />
<br />
Copy the example server configuration file {{ic|/usr/share/openvpn/examples/server.conf}} to {{ic|/etc/openvpn/server/server.conf}}.<br />
<br />
Edit the file making a minimum of the following changes:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
ca ca.crt<br />
cert servername.crt<br />
key servername.key # This file should be kept secret<br />
dh dh.pem<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 0''<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
==== Hardening the server ====<br />
<br />
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.<br />
<br />
Add the following to {{ic|/etc/openvpn/server/server.conf}}:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
cipher AES-256-CBC<br />
auth SHA512<br />
tls-version-min 1.2<br />
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA<br />
.<br />
}}<br />
<br />
{{Note|<br />
*The .ovpn client profile '''must''' contain a matching cipher and auth line to work properly (at least with the iOS and Android client).<br />
*Using {{ic|tls-cipher}} incorrectly may cause difficulty with debugging connections and may not be necessary. See [https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher OpenVPN’s community wiki] for more information.}}<br />
<br />
==== Enabling compression ====<br />
<br />
Since OpenVPN v2.4 it is possible to use LZ4 compression over lzo. LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use lzo {{ic|comp-lzo}}. Do '''not''' enable both compression options at the same time.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
compress lz4-v2<br />
push "compress lz4-v2"<br />
.<br />
}}<br />
<br />
On the client set {{ic|--compress lz4}} [https://community.openvpn.net/openvpn/wiki/DeprecatedOptions], although this may be deprecated in the near future.<br />
<br />
==== Deviating from the standard port and/or protocol ====<br />
<br />
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
port 443<br />
proto tcp<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile '''must''' contain a matching port and proto line to work properly!}}<br />
<br />
===== TCP vs UDP =====<br />
<br />
There are subtle differences between TCP and UDP.<br />
<br />
TCP<br />
<br />
* So-called "stateful protocol."<br />
* High reliability due to error correction (i.e. waits for packet acknowledgment).<br />
* Potentially slower than UDP.<br />
<br />
UDP<br />
<br />
* So-called "stateless protocol."<br />
* Less reliable than TCP as no error correction is in use.<br />
* Potentially faster than TCP.<br />
<br />
{{Note|It is generally a bad idea to use TCP for VPN unless your connection to the server is very stable. High reliability sounds great in theory but any disruption (packet drop, lag spikes, etc...) to the connection will potentially snowball into a [http://sites.inka.de/bigred/devel/tcp-tcp.html TCP Meltdown][http://adsabs.harvard.edu/abs/2005SPIE.6011..138H].}}<br />
<br />
=== The client config profile ===<br />
<br />
Copy the example client configuration file {{ic|/usr/share/openvpn/examples/client.conf}} to {{ic|/etc/openvpn/client/}}.<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the TLS HMAC handshake protection ({{ic|--tls-crypt}} or {{ic|--tls-auth}}).<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote elmer.acmecorp.org 1194<br />
.<br />
user nobody<br />
group nobody<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 1''<br />
}}<br />
<br />
==== Run as unprivileged user ====<br />
<br />
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its {{ic|root}} privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.<br />
<br />
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are different ways to handle these situations: <br />
<br />
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly. <br />
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}}, which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its [https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15 README]).<br />
<br />
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons:<br />
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.<br />
* It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki] (howto). The howto assumes the presence of System V init, rather than [[Systemd]] and does not cover the handling of {{ic|--up}}/{{ic|--down}} scripts - those should be handled the same way as the ''ip'' command, with additional attention to access rights.<br />
<br />
{{Note|Due to a [https://community.openvpn.net/openvpn/ticket/812 bug] in OpenVPN 2.4.0, the {{ic|persist-tun}} option mentioned in the howtos should '''not''' be used, otherwise new routes/IPs pushed on reconnect will be ignored by the client.}}<br />
<br />
{{Tip|[[#openvpn-unroot]] describes a tool to automate above setup.}}<br />
<br />
=== Converting certificates to encrypted .p12 format ===<br />
<br />
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:<br />
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}<br />
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client/client.conf}} on the client. Example output should be similar to the following:<br />
<br />
{{hc|# openvpn /etc/openvpn/server/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, [[DNS]], [[NFS]]), it may be needed to set a MTU value manually.<br />
<br />
The following message may indicate the MTU value should be adjusted:<br />
<br />
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)<br />
<br />
In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn]:<br />
<br />
# ping -M do -s 1500 -c 1 example.com<br />
<br />
Decrease the 1500 value by 10 each time, until the ping succeeds.<br />
<br />
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the {{ic|fragment}} directive. See {{ic|mtu-test}} as alternative solution.}}<br />
<br />
Update the client configuration to use the succeeded MTU value, e.g.:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
tun-mtu 1400 <br />
mssfix 1360<br />
}}<br />
<br />
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since your client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
mtu-test<br />
...<br />
}}<br />
<br />
=== IPv6 ===<br />
<br />
==== Connect to the server via IPv6 ====<br />
<br />
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.<br />
<br />
==== Provide IPv6 inside the tunnel ====<br />
<br />
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:<br />
<br />
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).<br />
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.<br />
<br />
After you have received a prefix (a /64 is recommended), append the following to the server.conf:<br />
<br />
server-ipv6 2001:db8:0:123::/64<br />
<br />
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.<br />
<br />
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:<br />
<br />
push "route-ipv6 2001:db8:0:abc::/64"<br />
<br />
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start the OpenVPN server automatically at system boot, [[enable]] {{ic|openvpn-server@''<configuration>''.service}} on the applicable machine. For a client, [[enable]] {{ic|openvpn-client@''<configuration>''.service}} instead. (Leave {{ic|.conf}} out of the {{ic|<configuration>}} string.)<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client/''client''.conf}}, the service name is {{ic|openvpn-client@''client''.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server/''server''.conf}}, the service name is {{ic|openvpn-server@''server''.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn-client@''<configuration>''<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn-client@''<configuration>''<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{pkg|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client config profile]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).<br />
<br />
== Routing client traffic through the server ==<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, [[append]] {{ic|push "redirect-gateway def1 bypass-dhcp"}} to the configuration file (i.e. {{ic|/etc/openvpn/server/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] of the server. Note this is not a requirement and may even give performance issue:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
<br />
Use the {{ic|push "route <address pool> <subnet>"}} option to allow clients reaching other subnets/devices behind the server:<br />
<br />
push "route 192.168.1.0 255.255.255.0"<br />
push "route 192.168.2.0 255.255.255.0"<br />
<br />
You may want to push local [[DNS]] settings to clients (e.g. the DNS-server of the router and domain prefix ''.internal''):<br />
<br />
{{Note|You may need to use a simple [[DNS]] forwarder like [[BIND]] and push the IP address of the OpenVPN server as DNS to clients.}}<br />
<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "dhcp-option DOMAIN internal"<br />
<br />
After setting up the configuration file, [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's [[firewall]] needs to be adjusted to allow VPN traffic, which is described below for both [[#ufw|ufw]] and [[#iptables|iptables]].<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to the [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect OpenVPN documentation] for more information.}}<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to allow [[ufw]] forwarding (VPN) traffic [[append]] the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Change {{ic|/etc/ufw/before.rules}}, and [[append]] the following code after the header and before the "*filter" line:<br />
* Change the IP/subnet mask to match the {{ic|server}} set in the OpenVPN server configuration.<br />
* Change the [[Network_configuration#Check_the_connection|network interface]] to the connection used by OpenVPN server.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to the interface<br />
-A POSTROUTING -s 10.8.0.0/24 -o ''interface'' -j MASQUERADE<br />
<br />
# do not delete the "COMMIT" line or the NAT table rules above will not be processed<br />
COMMIT<br />
<br />
# Don't delete these required lines, otherwise there will be errors<br />
*filter<br />
..<br />
}}<br />
<br />
Make sure to open the chosen OpenVPN port (default 1194/udp):<br />
<br />
# ufw allow 1194 udp<br />
<br />
To apply the changes. [[reload]]/[[restart]] ufw:<br />
<br />
# ufw reload<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your [[iptables]] firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.<br />
<br />
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].<br />
<br />
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.<br />
<br />
=== Prevent leaks if VPN goes down ===<br />
<br />
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.<br />
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.<br />
<br />
Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.<br />
<br />
==== ufw ====<br />
<br />
# Default policies<br />
ufw default deny incoming<br />
ufw default deny outgoing<br />
<br />
# Openvpn interface (adjust interface accordingly to your configuration)<br />
ufw allow in on tun0<br />
ufw allow out on tun0<br />
<br />
# Local Network (adjust ip accordingly to your configuration)<br />
ufw allow in on enp3s0 from 192.168.1.0/24<br />
ufw allow out on enp3s0 to 192.168.1.0/24<br />
<br />
# Openvpn (adjust port accordingly to your configuration)<br />
ufw allow in on enp3s0 from any port 1194<br />
ufw allow out on enp3s0 to any port 1194<br />
<br />
<br />
{{Warning| DNS '''will not''' work '''unless''' you run your own DNS server like [[BIND]]<br />
Otherwise, you will need to allow dns leak. '''Be sure to trust your DNS server!'''<br />
# DNS<br />
ufw allow in from any to any port 53<br />
ufw allow out from any to any port 53<br />
}}<br />
<br />
==== vpnfailsafe ====<br />
<br />
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#Update resolv-conf script|update-resolv-conf]], so the two do not need to be combined.<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its config file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
..<br />
}}<br />
<br />
{{Note|You may need to adjust the [[#Firewall configuration|firewall]] to allowing client traffic passing through the VPN server.}}<br />
<br />
== DNS ==<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.<br />
<br />
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn/client/}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Run as unprivileged user]]:<br />
<br />
{{hc|/etc/openvpn/client/''clienttunnel''.conf|<br />
user nobody<br />
group nobody<br />
# Optional, choose a suitable path to chroot into for your system<br />
chroot /srv<br />
script-security 2<br />
up /etc/openvpn/client/client.up <br />
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client/client.down tun0"<br />
}}<br />
<br />
=== Update resolv-conf script ===<br />
<br />
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]].<br />
<br />
Once the script is installed add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
up /etc/openvpn/update-resolv-conf<br />
down /etc/openvpn/update-resolv-conf<br />
<br />
{{Note|If manually placing the script on the filesystem, be sure to have {{pkg|openresolv}} installed.}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your {{ic|resolv.conf}} file is updated accordingly, and also returns to normal when you close the connection.<br />
<br />
{{Note|When using {{ic|openresolv}} with the ''-p'' or ''-x'' options in a script (as both the included {{ic|client.up}} and {{ic|update-resolv-conf}} scripts currently do), a DNS resolver like {{Pkg|dnsmasq}} or {{Pkg|unbound}} is required for {{ic|openresolv}} to correctly update {{ic|/etc/resolv.conf}}. In contrast, when using the default DNS resolution from {{ic|libc}} the ''-p'' and ''-x'' options must be removed in order for {{ic|/etc/resolv.conf}} to be correctly updated by {{ic|openresolv}}.<br />
For example, if the script contains a command like {{ic|resolvconf -p -a }} and the default DNS resolver from {{ic|libc}} is being used, change the command in the script to be {{ic|resolvconf -a }}.}}<br />
<br />
=== Update systemd-resolved script ===<br />
<br />
Since [[systemd]] 229, [[systemd-networkd]] has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.<br />
<br />
Copy the script into {{ic|/etc/openvpn}} and mark as [[executable]], or [[install]] {{AUR|openvpn-update-systemd-resolved}}, and [[append]] the following lines into the OpenVPN client configuration file:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote example.com 1194 udp<br />
..<br />
script-security 2<br />
setenv PATH /usr/bin<br />
up /etc/openvpn/scripts/update-systemd-resolved<br />
down /etc/openvpn/scripts/update-systemd-resolved<br />
down-pre<br />
}}<br />
<br />
===Override DNS servers using NetworkManager===<br />
NetworkManager provide OpenVPN plugin (networkmanager-openvpn) to support OpenVPN connection. By default server-side settings appends to /etc/resolv.conf file and does not override provider settings.<br />
NetworkManager UI does not provide setting to change this behavior, but it is possible to completelly override system DNS settings using connection config file, located at: /etc/NetworkManager/system-connections/<vpn name>. To use DNS settings from the VPN server just add dns-priority=-1 in ipv4 section.<br />
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Config generators ==<br />
<br />
{{Warning|Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.}}<br />
<br />
=== ovpngen ===<br />
<br />
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.<br />
<br />
Simply invoke the script with 5 tokens:<br />
<br />
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).<br />
# Full path to the CA cert.<br />
# Full path to the client cert.<br />
# Full path to the client private key.<br />
# Full path to the server TLS shared secret key.<br />
# Optionally a port number.<br />
# Optionally a protocol (udp or tcp).<br />
<br />
Example:<br />
<br />
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > iphone.ovpn<br />
<br />
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.<br />
<br />
The client expects this file to be located in {{ic|/etc/openvpn/client/iphone.conf}}. Note the change in file extension from 'ovpn' to 'conf' in this case.<br />
<br />
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!}}<br />
<br />
=== openvpn-unroot ===<br />
<br />
The steps necessary for OpenVPN to [[#Run as unprivileged user]], can be performed automatically using [https://github.com/wknapik/openvpn-unroot openvpn-unroot] ({{AUR|openvpn-unroot-git}}).<br />
<br />
It automates the actions required for the [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser OpenVPN howto] by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client daemon not reconnecting after suspend ===<br />
<br />
{{AUR|openvpn-reconnect}}, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.<br />
<br />
Alternatively, you can kill and restart OpenVPN after suspend by creating the folowing systemd service:<br />
<br />
{{hc|1=/etc/systemd/system/openvpn-reconnect.service|2=<br />
[Unit]<br />
Description=Restart OpenVPN after suspend<br />
<br />
[Service]<br />
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn<br />
<br />
[Install]<br />
WantedBy=sleep.target<br />
}}<br />
<br />
[[Enable]] this service for it to take effect.<br />
<br />
=== Connection drops out after some time of inactivity ===<br />
<br />
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
.<br />
keepalive 10 120<br />
.<br />
.<br />
}}<br />
<br />
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.<br />
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.<br />
<br />
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.<br />
<br />
=== PID files not present ===<br />
<br />
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change {{ic|openvpn-client@.service}} using a [[drop-in snippet]]:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid<br />
<br />
=== Route configuration fails with systemd-networkd ===<br />
<br />
When using [[systemd-networkd]] to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.<br />
<br />
openvpn[458]: RTNETLINK answers: Network is unreachable<br />
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2<br />
<br />
With systemd-233 (currently in [[testing]]), systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:<br />
<br />
{{hc|1=/etc/systemd/network/90-tun-ignore.network|2=<br />
[Match]<br />
Name=tun*<br />
<br />
[Link]<br />
Unmanaged=true<br />
}}<br />
<br />
[[Restart]] {{ic|systemd-networkd.service}} to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run {{ic|networkctl}}. The output should have a line similar to the following:<br />
<br />
7 tun0 none routable unmanaged<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:OpenVPN]]</div>Altazarhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=517902OpenVPN2018-04-18T21:38:26Z<p>Altazar: /* DNS */ Add title for Network manager</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[ja:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
[[zh-hans:OpenVPN]]<br />
{{Related articles start}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|Easy-RSA}}<br />
{{Related articles end}}<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage OpenVPN 2.4 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[Install]] the {{Pkg|openvpn}} package, which provides both server and client mode.<br />
<br />
== Kernel configuration ==<br />
<br />
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support<br />
}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, see [[:Category:VPN providers]] for examples that can be adapted to other providers. [[OpenVPN (client) in Linux containers]] also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.<br />
<br />
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[Easy-RSA]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn/server}} at this point:<br />
<br />
ca.crt<br />
dh.pem<br />
servername.crt<br />
servername.key<br />
ta.key<br />
<br />
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes a basic L3 IP routing configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.<br />
<br />
With the release of v2.4, server configurations are stored in {{ic|/etc/openvpn/server}} and client configurations are stored in {{ic|/etc/openvpn/client}} and each mode has its own respective systemd unit, namely, {{ic|openvpn-client@.service}} and {{ic|openvpn-server@.service}}.<br />
<br />
=== Example configuration ===<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openvpn]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the {{man|8|openvpn}} man page and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
<br />
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.}}<br />
<br />
Copy the example server configuration file {{ic|/usr/share/openvpn/examples/server.conf}} to {{ic|/etc/openvpn/server/server.conf}}.<br />
<br />
Edit the file making a minimum of the following changes:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
ca ca.crt<br />
cert servername.crt<br />
key servername.key # This file should be kept secret<br />
dh dh.pem<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 0''<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
==== Hardening the server ====<br />
<br />
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers.<br />
<br />
Add the following to {{ic|/etc/openvpn/server/server.conf}}:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
cipher AES-256-CBC<br />
auth SHA512<br />
tls-version-min 1.2<br />
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA<br />
.<br />
}}<br />
<br />
{{Note|<br />
*The .ovpn client profile '''must''' contain a matching cipher and auth line to work properly (at least with the iOS and Android client).<br />
*Using {{ic|tls-cipher}} incorrectly may cause difficulty with debugging connections and may not be necessary. See [https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher OpenVPN’s community wiki] for more information.}}<br />
<br />
==== Enabling compression ====<br />
<br />
Since OpenVPN v2.4 it is possible to use LZ4 compression over lzo. LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use lzo {{ic|comp-lzo}}. Do '''not''' enable both compression options at the same time.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
compress lz4-v2<br />
push "compress lz4-v2"<br />
.<br />
}}<br />
<br />
On the client set {{ic|--compress lz4}} [https://community.openvpn.net/openvpn/wiki/DeprecatedOptions], although this may be deprecated in the near future.<br />
<br />
==== Deviating from the standard port and/or protocol ====<br />
<br />
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
port 443<br />
proto tcp<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile '''must''' contain a matching port and proto line to work properly!}}<br />
<br />
===== TCP vs UDP =====<br />
<br />
There are subtle differences between TCP and UDP.<br />
<br />
TCP<br />
<br />
* So-called "stateful protocol."<br />
* High reliability due to error correction (i.e. waits for packet acknowledgment).<br />
* Potentially slower than UDP.<br />
<br />
UDP<br />
<br />
* So-called "stateless protocol."<br />
* Less reliable than TCP as no error correction is in use.<br />
* Potentially faster than TCP.<br />
<br />
{{Note|It is generally a bad idea to use TCP for VPN unless your connection to the server is very stable. High reliability sounds great in theory but any disruption (packet drop, lag spikes, etc...) to the connection will potentially snowball into a [http://sites.inka.de/bigred/devel/tcp-tcp.html TCP Meltdown][http://adsabs.harvard.edu/abs/2005SPIE.6011..138H].}}<br />
<br />
=== The client config profile ===<br />
<br />
Copy the example client configuration file {{ic|/usr/share/openvpn/examples/client.conf}} to {{ic|/etc/openvpn/client/}}.<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the TLS HMAC handshake protection ({{ic|--tls-crypt}} or {{ic|--tls-auth}}).<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote elmer.acmecorp.org 1194<br />
.<br />
user nobody<br />
group nobody<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
.<br />
tls-crypt ta.key # Replaces ''tls-auth ta.key 1''<br />
}}<br />
<br />
==== Run as unprivileged user ====<br />
<br />
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its {{ic|root}} privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.<br />
<br />
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are different ways to handle these situations: <br />
<br />
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly. <br />
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}}, which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its [https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15 README]).<br />
<br />
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons:<br />
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.<br />
* It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki] (howto). The howto assumes the presence of System V init, rather than [[Systemd]] and does not cover the handling of {{ic|--up}}/{{ic|--down}} scripts - those should be handled the same way as the ''ip'' command, with additional attention to access rights.<br />
<br />
{{Note|Due to a [https://community.openvpn.net/openvpn/ticket/812 bug] in OpenVPN 2.4.0, the {{ic|persist-tun}} option mentioned in the howtos should '''not''' be used, otherwise new routes/IPs pushed on reconnect will be ignored by the client.}}<br />
<br />
{{Tip|[[#openvpn-unroot]] describes a tool to automate above setup.}}<br />
<br />
=== Converting certificates to encrypted .p12 format ===<br />
<br />
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:<br />
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}<br />
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client/client.conf}} on the client. Example output should be similar to the following:<br />
<br />
{{hc|# openvpn /etc/openvpn/server/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, [[DNS]], [[NFS]]), it may be needed to set a MTU value manually.<br />
<br />
The following message may indicate the MTU value should be adjusted:<br />
<br />
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)<br />
<br />
In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn]:<br />
<br />
# ping -M do -s 1500 -c 1 example.com<br />
<br />
Decrease the 1500 value by 10 each time, until the ping succeeds.<br />
<br />
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the {{ic|fragment}} directive. See {{ic|mtu-test}} as alternative solution.}}<br />
<br />
Update the client configuration to use the succeeded MTU value, e.g.:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
tun-mtu 1400 <br />
mssfix 1360<br />
}}<br />
<br />
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since your client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
remote example.com 1194<br />
...<br />
mtu-test<br />
...<br />
}}<br />
<br />
=== IPv6 ===<br />
<br />
==== Connect to the server via IPv6 ====<br />
<br />
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.<br />
<br />
==== Provide IPv6 inside the tunnel ====<br />
<br />
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:<br />
<br />
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).<br />
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.<br />
<br />
After you have received a prefix (a /64 is recommended), append the following to the server.conf:<br />
<br />
server-ipv6 2001:db8:0:123::/64<br />
<br />
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.<br />
<br />
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:<br />
<br />
push "route-ipv6 2001:db8:0:abc::/64"<br />
<br />
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start the OpenVPN server automatically at system boot, [[enable]] {{ic|openvpn-server@''<configuration>''.service}} on the applicable machine. For a client, [[enable]] {{ic|openvpn-client@''<configuration>''.service}} instead. (Leave {{ic|.conf}} out of the {{ic|<configuration>}} string.)<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client/''client''.conf}}, the service name is {{ic|openvpn-client@''client''.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server/''server''.conf}}, the service name is {{ic|openvpn-server@''server''.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn-client@''<configuration>''<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn-client@''<configuration>''<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{pkg|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client config profile]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).<br />
<br />
== Routing client traffic through the server ==<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic (including web traffic) pass through the VPN, [[append]] {{ic|push "redirect-gateway def1 bypass-dhcp"}} to the configuration file (i.e. {{ic|/etc/openvpn/server/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] of the server. Note this is not a requirement and may even give performance issue:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
<br />
Use the {{ic|push "route <address pool> <subnet>"}} option to allow clients reaching other subnets/devices behind the server:<br />
<br />
push "route 192.168.1.0 255.255.255.0"<br />
push "route 192.168.2.0 255.255.255.0"<br />
<br />
You may want to push local [[DNS]] settings to clients (e.g. the DNS-server of the router and domain prefix ''.internal''):<br />
<br />
{{Note|You may need to use a simple [[DNS]] forwarder like [[BIND]] and push the IP address of the OpenVPN server as DNS to clients.}}<br />
<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "dhcp-option DOMAIN internal"<br />
<br />
After setting up the configuration file, [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's [[firewall]] needs to be adjusted to allow VPN traffic, which is described below for both [[#ufw|ufw]] and [[#iptables|iptables]].<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to the [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect OpenVPN documentation] for more information.}}<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to allow [[ufw]] forwarding (VPN) traffic [[append]] the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Change {{ic|/etc/ufw/before.rules}}, and [[append]] the following code after the header and before the "*filter" line:<br />
* Change the IP/subnet mask to match the {{ic|server}} set in the OpenVPN server configuration.<br />
* Change the [[Network_configuration#Check_the_connection|network interface]] to the connection used by OpenVPN server.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to the interface<br />
-A POSTROUTING -s 10.8.0.0/24 -o ''interface'' -j MASQUERADE<br />
<br />
# do not delete the "COMMIT" line or the NAT table rules above will not be processed<br />
COMMIT<br />
<br />
# Don't delete these required lines, otherwise there will be errors<br />
*filter<br />
..<br />
}}<br />
<br />
Make sure to open the chosen OpenVPN port (default 1194/udp):<br />
<br />
# ufw allow 1194 udp<br />
<br />
To apply the changes. [[reload]]/[[restart]] ufw:<br />
<br />
# ufw reload<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your [[iptables]] firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.<br />
<br />
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].<br />
<br />
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.<br />
<br />
=== Prevent leaks if VPN goes down ===<br />
<br />
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.<br />
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.<br />
<br />
Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.<br />
<br />
==== ufw ====<br />
<br />
# Default policies<br />
ufw default deny incoming<br />
ufw default deny outgoing<br />
<br />
# Openvpn interface (adjust interface accordingly to your configuration)<br />
ufw allow in on tun0<br />
ufw allow out on tun0<br />
<br />
# Local Network (adjust ip accordingly to your configuration)<br />
ufw allow in on enp3s0 from 192.168.1.0/24<br />
ufw allow out on enp3s0 to 192.168.1.0/24<br />
<br />
# Openvpn (adjust port accordingly to your configuration)<br />
ufw allow in on enp3s0 from any port 1194<br />
ufw allow out on enp3s0 to any port 1194<br />
<br />
<br />
{{Warning| DNS '''will not''' work '''unless''' you run your own DNS server like [[BIND]]<br />
Otherwise, you will need to allow dns leak. '''Be sure to trust your DNS server!'''<br />
# DNS<br />
ufw allow in from any to any port 53<br />
ufw allow out from any to any port 53<br />
}}<br />
<br />
==== vpnfailsafe ====<br />
<br />
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#Update resolv-conf script|update-resolv-conf]], so the two do not need to be combined.<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its config file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
..<br />
}}<br />
<br />
{{Note|You may need to adjust the [[#Firewall configuration|firewall]] to allowing client traffic passing through the VPN server.}}<br />
<br />
== DNS ==<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.<br />
<br />
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn/client/}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Run as unprivileged user]]:<br />
<br />
{{hc|/etc/openvpn/client/''clienttunnel''.conf|<br />
user nobody<br />
group nobody<br />
# Optional, choose a suitable path to chroot into for your system<br />
chroot /srv<br />
script-security 2<br />
up /etc/openvpn/client/client.up <br />
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client/client.down tun0"<br />
}}<br />
<br />
=== Update resolv-conf script ===<br />
<br />
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]].<br />
<br />
Once the script is installed add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
up /etc/openvpn/update-resolv-conf<br />
down /etc/openvpn/update-resolv-conf<br />
<br />
{{Note|If manually placing the script on the filesystem, be sure to have {{pkg|openresolv}} installed.}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your {{ic|resolv.conf}} file is updated accordingly, and also returns to normal when you close the connection.<br />
<br />
{{Note|When using {{ic|openresolv}} with the ''-p'' or ''-x'' options in a script (as both the included {{ic|client.up}} and {{ic|update-resolv-conf}} scripts currently do), a DNS resolver like {{Pkg|dnsmasq}} or {{Pkg|unbound}} is required for {{ic|openresolv}} to correctly update {{ic|/etc/resolv.conf}}. In contrast, when using the default DNS resolution from {{ic|libc}} the ''-p'' and ''-x'' options must be removed in order for {{ic|/etc/resolv.conf}} to be correctly updated by {{ic|openresolv}}.<br />
For example, if the script contains a command like {{ic|resolvconf -p -a }} and the default DNS resolver from {{ic|libc}} is being used, change the command in the script to be {{ic|resolvconf -a }}.}}<br />
<br />
=== Update systemd-resolved script ===<br />
<br />
Since [[systemd]] 229, [[systemd-networkd]] has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.<br />
<br />
Copy the script into {{ic|/etc/openvpn}} and mark as [[executable]], or [[install]] {{AUR|openvpn-update-systemd-resolved}}, and [[append]] the following lines into the OpenVPN client configuration file:<br />
<br />
{{hc|/etc/openvpn/client/client.conf|<br />
client<br />
remote example.com 1194 udp<br />
..<br />
script-security 2<br />
setenv PATH /usr/bin<br />
up /etc/openvpn/scripts/update-systemd-resolved<br />
down /etc/openvpn/scripts/update-systemd-resolved<br />
down-pre<br />
}}<br />
<br />
===Override DNS servers using NetworkManager===<br />
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Config generators ==<br />
<br />
{{Warning|Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.}}<br />
<br />
=== ovpngen ===<br />
<br />
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.<br />
<br />
Simply invoke the script with 5 tokens:<br />
<br />
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).<br />
# Full path to the CA cert.<br />
# Full path to the client cert.<br />
# Full path to the client private key.<br />
# Full path to the server TLS shared secret key.<br />
# Optionally a port number.<br />
# Optionally a protocol (udp or tcp).<br />
<br />
Example:<br />
<br />
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > iphone.ovpn<br />
<br />
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.<br />
<br />
The client expects this file to be located in {{ic|/etc/openvpn/client/iphone.conf}}. Note the change in file extension from 'ovpn' to 'conf' in this case.<br />
<br />
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!}}<br />
<br />
=== openvpn-unroot ===<br />
<br />
The steps necessary for OpenVPN to [[#Run as unprivileged user]], can be performed automatically using [https://github.com/wknapik/openvpn-unroot openvpn-unroot] ({{AUR|openvpn-unroot-git}}).<br />
<br />
It automates the actions required for the [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser OpenVPN howto] by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client daemon not reconnecting after suspend ===<br />
<br />
{{AUR|openvpn-reconnect}}, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.<br />
<br />
Alternatively, you can kill and restart OpenVPN after suspend by creating the folowing systemd service:<br />
<br />
{{hc|1=/etc/systemd/system/openvpn-reconnect.service|2=<br />
[Unit]<br />
Description=Restart OpenVPN after suspend<br />
<br />
[Service]<br />
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn<br />
<br />
[Install]<br />
WantedBy=sleep.target<br />
}}<br />
<br />
[[Enable]] this service for it to take effect.<br />
<br />
=== Connection drops out after some time of inactivity ===<br />
<br />
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:<br />
<br />
{{hc|/etc/openvpn/server/server.conf|<br />
.<br />
.<br />
keepalive 10 120<br />
.<br />
.<br />
}}<br />
<br />
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.<br />
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.<br />
<br />
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.<br />
<br />
=== PID files not present ===<br />
<br />
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change {{ic|openvpn-client@.service}} using a [[drop-in snippet]]:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid<br />
<br />
=== Route configuration fails with systemd-networkd ===<br />
<br />
When using [[systemd-networkd]] to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.<br />
<br />
openvpn[458]: RTNETLINK answers: Network is unreachable<br />
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2<br />
<br />
With systemd-233 (currently in [[testing]]), systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:<br />
<br />
{{hc|1=/etc/systemd/network/90-tun-ignore.network|2=<br />
[Match]<br />
Name=tun*<br />
<br />
[Link]<br />
Unmanaged=true<br />
}}<br />
<br />
[[Restart]] {{ic|systemd-networkd.service}} to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run {{ic|networkctl}}. The output should have a line similar to the following:<br />
<br />
7 tun0 none routable unmanaged<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:OpenVPN]]</div>Altazarhttps://wiki.archlinux.org/index.php?title=Dell_XPS_13_(9360)&diff=481654Dell XPS 13 (9360)2017-07-10T19:20:05Z<p>Altazar: /* Continuous hissing sound with headphones: misspelling */</p>
<hr />
<div>[[Category:Dell]]<br />
[[ja:Dell XPS 13 (9360)]]<br />
{| class="wikitable" style="float: right;"<br />
| '''Device''' || '''Status''' || '''Modules'''<br />
|-<br />
| Video || {{G|Working}} || i915<br />
|-<br />
| Wireless || {{G|Working}} || ath10k<br />
|-<br />
| Bluetooth || {{G|Working}}|| btusb<br />
|-<br />
| Audio || {{G|Working}} || snd_hda_intel<br />
|-<br />
| Touchpad || {{G|Working}} || hid_multitouch (mousedev)<br />
|-<br />
| Webcam || {{G|Working}} || uvcvideo<br />
|-<br />
| USB-C / Thunderbolt 3 || {{G|Working}} || ?<br />
|-<br />
| Wireless switch || {{G|Working}} || intel_hid<br />
|-<br />
| Function/Multimedia Keys || {{G|Working}} || ?<br />
|-<br />
| Fingerprint sensor || {{R|Not working}} || ?<br />
|}<br />
<br />
The Dell XPS 13 Late 2016 (9360) is the fourth-generation model of the XPS 13 line. The laptop is available since October (pre-2017 model) in both a standard edition with Windows installed as well as both a pre-2017 model and a 2017 model (with insignificant hardware differences) Developer Edition with Ubuntu 16.04 "SP1" installed, featuring kernel 4.8 as of now. There is only minor hardware differences between them, mostly in regards to the mainboard microchip manufacturers. Just like the older versions ([[Dell XPS 13 (9333)|9333]], [[Dell XPS 13 (9343)|9343]] and [[Dell XPS 13 (9350)|9350]]) it is available in different hardware configurations as well. These fourth gen models includes Intel's Kaby Lake CPUs and advertised with up to 16GB LPDDR 1866 MHz RAM and a 1TB PCI SSD. It will now also be available in Rose Gold. Prior to previous information and current specifications available provided by Dell (at least to regular customers), it is not available with the 2133 MHz RAM speed. However, some models, including those available to employees and possibly Dell partners (and/or business customers), memory speed is indeed available up to 2133 Mhz LPDDR3 (non-upgradable). [https://codepaste.net/yr5n9i ref]. The same mentioned models are also available with the Intel Core i7-7660U (aswell as i7-7560U) with the Intel 640 Iris Plus onboard graphics. Respective clock frequencies are 2.5 Ghz (up to 4GHz in Turbo-mode) and 2,4 Ghz (up to 3.8 Ghz), respectively.<br />
<br />
The installation process for Arch on the XPS 13 does not differ from any other PC. For installation help, please see the [[Installation guide]] and [[UEFI]]. This page covers the current status of hardware support on Arch, as well as post-installation recommendations.<br />
<br />
As of kernel 4.5, the Intel Kaby Lake architecture is supported.<br />
<br />
<br />
== Content adaptive brightness control ==<br />
In the XPS 13 the display panels (both FHD and QHD+) come with adaptive brightness embedded in the panel firmware, this "content adaptive brightness control" (usually referred to as CABC or DBC) will adjust the screen brightness depending on the content displayed on the screen and will generally be found undesirable, especially for Linux users who are likely to be switching between dark and light screen content. Dell has issued a fix for this however it is only available to run in Windows and for the QHD+ model of the laptop so this precaution should be taken before installing Linux, the FHD model of the XPS 13 (9360) cannot be fixed. This is not a problem with the panel but rather a problem with the way the panels are configured for the XPS 13, as the same panel exists in the Dell's Latitude 13 7000 series (e7370) FHD model but with CABC disabled. The fix is available directly from [http://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=20JWV Dell].<br />
<br />
== NVM Express SSD ==<br />
=== NVME Power Saving Patch ===<br />
<br />
Andy Lutomirski has created a patchset which fixes power saving for NVME devices in linux. The patch was merged into mainline and manually compiling the kernel is not necessary anymore. Nevertheless the [[AUR]] package is still available for further use if desired. <br />
{{App|Linux-nvme|Mainline linux kernel patched with Andy's patch for NVME power saving APST.|https://github.com/damige/linux-nvme|{{AUR|linux-nvme}}}} (check out [http://linuxnvme.damige.net/] for compiled packages)<br />
<br />
For some devices it might be necessary to set a higher value for the {{ic|nvme_core.default_ps_max_latency_us}} parameter to enable all power saving states. This parameter has to be set on the [[kernel parameters|kernel command line]].<br />
<br />
For the Toshiba 512GB SSD used in some models of the XPS 13 the value to enable all PS-States is 170000 (the combined latency of entering and leaving the highest power state, add {{ic|<nowiki>nvme_core.default_ps_max_latency_us=170000</nowiki>}} to your kernel command line). For the 1TB SSD this valued should be increased to 180000 instead. To check if all states are enabled you can use the {{AUR|nvme-cli}} package, which provides the {{ic|nvme-cli}} command:<br />
<br />
# nvme get-feature -f 0x0c -H /dev/nvme0<br />
get-feature:0xc (Autonomous Power State Transition), Current value:0x000001<br />
Autonomous Power State Transition Enable (APSTE): Enabled<br />
Auto PST Entries .................<br />
Entry[ 0] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 1] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 2] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 3] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 8500 ms<br />
Idle Transition Power State (ITPS): 4<br />
.................<br />
<br />
If the power states are enabled there should be values for ITPT and ITPS in the first entries. Also the ITPS-value of the last filled entry should be the highest power saving-state of the SSD (which can be viewed using {{ic|smartctl -a /dev/nvme0}} or {{ic|nvme id-ctrl /dev/nvme0}}).<br />
<br />
== Video ==<br />
The video should work with the {{ic|i915}} driver of the current {{Pkg|linux}} kernel. Consult [[Intel graphics]] for a detailed installation and configuration guide as well as for [[Intel graphics#Troubleshooting|Troubleshooting]].<br />
<br />
If you have the QHD+ (3200x1800) model, also check out [[HiDPI]] for UI scaling configurations.<br />
<br />
''But there might be video issues left for this model. '''Please help by contributing any feedback''' about similar issues you might have experience(d) to this bugreport (https://bugs.freedesktop.org/show_bug.cgi?id=100671).''<br />
<br />
=== Module-based Powersaving Options ===<br />
For the HD 620 graphics card the following modules are working: (see [[Intel graphics#Module-based Powersaving Options]])<br />
modeset=1 enable_rc6=1 enable_fbc=1 <br />
The first argument is to enable modesetting if it's not set by default. The second argument is needed to active power-saving C-States. Higher values than 1 are not available for kaby lake CPUs. The third argument is for frame buffer compression power savings. These values should work well!<br />
<br />
enable_guc_loading=1 enable_guc_submission=1<br />
These arguments are used to enable GuC updates. GuC is a small proprietary binary blob released by intel to update the GuC binary in faster intervals than the kernel release does. It is used for graphics workload scheduling on the various graphics parallel engines. More details at (https://01.org/linuxgraphics/downloads/firmware). The GuC binary for kaby lake is included since firmware release linux-firmware 20170217 in the official repository.<br />
<br />
enable_huc=1<br />
HuC is also an binary blob from intel. It's designed to offload some of the media functions from the CPU to GPU. More details at (https://01.org/linuxgraphics/downloads/firmware). As of kernel 4.11, HuC remains unsupported.<br />
<br />
enable_psr=1 disable_power_well=0 OR enable_psr=2 <br />
Enable psr level 2 is working, while level 1 has a lot of problems. Setting it on level 2 doesn't give much energy saving at the moment. It's said that 'disable_power_well=0 enable_psr=1' is working in this combination.<br />
<br />
NOT WORKING: semaphores=1 <br />
The semaphore option is NOT working for kaby lake CPUs and won't enable even if you set the option to 1.<br />
<br />
=== Blank screen issue after booting ===<br />
If using "late start" [[KMS]] (the default) and the screen goes blank when loading modules, it may help to add {{ic|i915}} and {{ic|intel_agp}} to the initramfs or using a special [[kernel parameter]]. Consult [[Intel graphics#Blank screen during boot, when "Loading modules"]] for more information about the kernel parameter way and have a look at [[Kernel mode setting#Early KMS start]] for a guide on how to setup the modules for the initramfs.<br />
<br />
== Wireless ==<br />
<br />
The Killer 1535 Wirless Adapter is functional and the ath10k firmware is included in recent linux kernel versions. The connection speed reported by iw is limited to 1-6Mbits/s. However this is just the output being wrong. The real connection speed is not limited to this value.<br />
<br />
Some users are experiencing issues, where the connection is dropped under heavy load but reconnects within a brief moment. This might not be noticed during browsing at all but becomes apparent in online games. There is no know solution so far.<br />
<br />
== Bluetooth ==<br />
<br />
After following the instructions given at [[Bluetooth]] tethering of internet connections via phone works immediately.<br />
<br />
<br />
== Thunderbolt 3 / USB 3.1 ==<br />
<br />
The USB-C port supports Thunderbolt 3, Displayport-over-USB-C and USB power delivery as well as USB 3.1.<br />
<br />
=== Ethernet repeatedly disconnects/reconnects with Dell USB-C adapter (DA200) ===<br />
<br />
Use of a power management package (such as [[TLP]]) may cause the ethernet adapter to repeatedly disconnect and reconnect. If this happens, disable/blacklist USB autosuspend for the ethernet adapter. (On my laptop, this is the device <tt>Bus 004 Device 007: ID 0bda:8153 Realtek Semiconductor Corp</tt> in the output of <tt>lsusb</tt>.)<br />
<br />
Also disabling or reducing power of wifi may help: http://en.community.dell.com/support-forums/network-internet-wireless/f/3324/t/19995423<br />
<br />
=== USB-C Compatibility Chart ===<br />
{| class="wikitable"<br />
| '''Device''' || '''Ports''' || '''Status'''<br />
|-<br />
| [http://www.apple.com/uk/shop/product/MJ1K2ZM/A/usb-c-digital-av-multiport-adapter Apple USB-C Digital AV Multiport Adapter] || USB-C, USB-A, HDMI || {{R|Not Working}}<br />
|-<br />
| [http://www.apple.com/uk/shop/product/MJ262B/A/apple-29w-usb-c-power-adapter?fnode=8b Apple 29W USB-C Power Adapter] || USB-C Power || {{R|Not Working}}<br />
|-<br />
| [https://www.amazon.co.uk/gp/product/B01H3K387Q/ref=oh_aui_search_detailpage?ie=UTF8&psc=1 Aukey USB C Hub HDMI 4 Port] || USB-C, 4xUSB-A, HDMI || {{G|Working}}<br />
|-<br />
| [http://www.belkin.com/us/p/P-F2CU037/ Belkin USB-C to VGA Adapter] || VGA || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B012DT6KW2 Dell DA200] || USB-A, Ethernet, HDMI, VGA || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01FN1YK92 Dell WD15 130W] || 3xUSB-A 3.0, 2xUSB-A 2.0, Ethernet, HDMI, Mini DisplayPort, VGA, Line Out, Line In || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01ANR4CYE StarTech.com tb32dp2 - Thunderbolt 3 Adapter] || 2 x DP (4 K, 60 Hz) || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/StarTech-com-Thunderbolt-Adapter-Compatible-DisplayPort/dp/B019FPJDQ2 StarTech TBT3TBTADAP Thunderbolt 3 to Thunderbolt Adapter] || Thunderbolt 2, Thunderbolt || {{G|Working}}<br />
|-<br />
| [https://www.apple.com/shop/product/MMEL2AM/A/thunderbolt-3-usb-c-to-thunderbolt-2-adapter Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter] || Thunderbolt 2, Thunderbolt || {{R|Not Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01C316EIK Cable Matters USB-C Multiport Adapter] || 4K HDMI or VGA, USB 3.0, Gigabit Ethernet || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Juiced-BizHUB-Multiport-Ethernet-Delivery/dp/B01J391C3W Juiced Systems BizHUB USB-C Multiport Gigabit HDMI Hub] || 4K@30Hz HDMI, 3x USB 3.0, Gigabit Ethernet, USB-C Power, SD, Micro-SD || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Anker-Adapter-Supports-Macbook-Chromebook/dp/B01MYUCWOK/ Anker USB-C to HDMI Adapter] || 4K@60Hz HDMI || {{G|Working}}<br />
|-<br />
| [http://www.pct-max.com.tw/cht/products.php?index=289 PCT UHC304] || HDMI (4K@30Hz, 2K@60Hz), Gigabit Ethernet, USB-A, USB-C || {{G|Working}}<br />
|-<br />
| [https://www.i-tec-europe.eu/?lng=en&t=3&v=443 i-Tec USB-C Dual Display MST Dock] || HDMI, DP (4K@30Hz Single Monitor, 1920x1200@60Hz Dual Monitor), Gbit Ethernet, 3xUSB-A, USB-C, Sound, Charging @ 60W || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Tripp-Lite-External-Charging-U444-06N-DGU-C/dp/B01LYQB1XI Tripp Lite USB-C to DVI External Video Adapter] || DVI, Gbit Ethernet, USB-A, USB-C PD Charging Port || {{G|Working}}<br />
|-<br />
| [https://www.startech.com/nl/en/AV/usb-c-video-adapters/usb-c-hdmi-adapter~CDP2HD StarTech CDP2HD - USB-C to HDMI Adapter] || HDMI || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Kanex-USB-C-Adapter-Inches-White/dp/B00VBNSY0S Kanex USB-C to HDMI 4K Adapter] || HDMI || {{G|Working}}<br />
|-<br />
| [https://smile.amazon.com/QacQoc-Aluminum-Multi-Port-Charging-Ethernet/dp/B01MU1FFMP QacQoc GN30H USB C HUB Aluminum Multi-Port TYPE C HUB Adapter with 4K HDMI] || 4K@30Hz HDMI, 3x USB 3.0, Gigabit Ethernet, USB-C Power, SD, Micro-SD || {{G|Working}}<br />
|-<br />
| [https://xiaomi-mi.com/accessories-for-laptops/xiaomi-usb-type-c-to-hdmi-multifunction-adapter/ Xiaomi USB Type-C to HDMI Multifunction Adapter] || 4K HDMI, 1x USB 3.0, USB-C Power || {{G|Working}}<br />
|}<br />
<br />
=== Thunderbolt Firmware updates ===<br />
The thunderbolt controller in the laptop has an embedded firmware. The laptop ships with firmware version NVM 18, and the most recent available version from Dell's website is NVM 21. If encountering compatibility problems with Thunderbolt accessories, the firmware may need to be updated. Dell maintains a [https://github.com/dell/thunderbolt-nvm-linux Github repository] explaining the process to update the firmware, but unfortunately, does not provide the updated payload files. These can be extracted from the Windows firmware update files. Mainline support for the firmware update process is pending the inclusion of [https://github.com/01org/thunderbolt-software-kernel-tree/tree/networking these patches] into the Linux kernel.<br />
<br />
Here is a short list of steps to update the Thunderbolt-Firmware (use at your own risk):<br />
<br />
* Install {{AUR|thunderbolt-icm-dkms-git}}, {{AUR|thunderboltd-git}}, {{AUR|libtbtfwu-git}} and {{AUR|tbtfwucli-git}}<br />
* Load the thunderbolt-icm kernel module and start thunderbolt.service<br />
* Download the Intel_TBT3_FW_UPDATE_*.exe from Dell's website<br />
* Unpack the exe with 7z x Intel_TBT3_FW_UPDATE_*.exe<br />
* Follow the update instructions at [https://github.com/dell/thunderbolt-nvm-linux Dell's TB Github repository], Using the correct Firmware file from the extracted exe (Intel/0x075B.bin for the 9360 according to the info in Dell's Repository<br />
* Hope everything goes well and reboot after finishing the update<br />
<br />
== SATA controller ==<br />
When the SATA-controller is set to {{ic|RAID On}} in Bios, the hard disk (at least the SSD) is not recognized. Set to {{ic|Off}} or {{ic|AHCI}} ({{ic|AHCI}} is recommended) before attempting to install Arch.<br />
<br />
== Touchpad ==<br />
The touchpad has no explicit buttons. The buttons are built into the pads surface. There is a small line printed on the pad separating left from right click button. The pad has a '''middle button''' built in! (works with libinput without any configuration): To issue a middle click, simply press on the middle area right between the virtual left and click buttons - so on the small printed separator line.<br />
<br />
=== Remove psmouse errors from dmesg ===<br />
<br />
If {{ic|<nowiki>dmesg | grep -i psmouse</nowiki>}} returns an error, but your touchpad still works, then it might be a good idea to disable {{ic|psmouse}}. First create a config file:<br />
<br />
# nano /etc/modprobe.d/modprobe.conf<br />
<br />
blacklist psmouse<br />
<br />
Then add this file to {{ic|/etc/mkinitcpio.conf}}:<br />
<br />
...<br />
FILES="/etc/modprobe.d/modprobe.conf"<br />
...<br />
<br />
Rebuild your initial ramdisk image (see [[Mkinitcpio#Image creation and activation]]).<br />
<br />
== Touchscreen ==<br />
The touchscreen works without additional configuration. The bug resulting in a disabled touchscreen after resume was fixed with kernel 4.8.5.<br />
<br />
=== Gestures ===<br />
Refer to [[libinput#Gestures]] for information about the current development state and available methods.<br />
<br />
=== Scrolling in Firefox ===<br />
See [[Firefox/Tweaks#Pixel-perfect trackpad scrolling]]. This enables both touchscreen scrolling and high-res trackpad scrolling.<br />
<br />
== Keyboard Backlight ==<br />
By default, the keyboard backlight turns off after 10 seconds of inactivity. Some users might find this too short and annoying.<br />
The delay can be increased (or decreased) by editing this file:<br />
/sys/devices/platform/dell-laptop/leds/dell\:\:kbd_backlight/stop_timeout<br />
<br />
You can also change the brightness (0-2) by editing the following file. This is identical to pressing F10 on your keyboard:<br />
/sys/devices/platform/dell-laptop/leds/dell\:\:kbd_backlight/brightness<br />
<br />
== Hidden Keyboard Keys ==<br />
There are additional Fn+<Key> (sequences) that are not marked at all on the keyboard but underlying hardware generates them anyway. Here they are (if you find more add them to the table below):<br />
{| class="wikitable"<br />
|+ Hidden Fn Keys<br />
! Fn+<Key> !! Resulting key (sequence)<br />
|-<br />
| Fn+Ins || XF86Sleep<br />
|-<br />
| Fn+Super_L || Super_R<br />
|-<br />
| Fn+B || Pause<br />
|-<br />
| Fn+R || Print<br />
|-<br />
| Fn+S || Scroll_Lock<br />
|-<br />
| Fn+A / D / E / F / G / T / Q / W || XF86Launch3<br />
|}<br />
<br />
== Firmware Updates ==<br />
Dell provides firmware updates via {{Pkg|fwupd}}. See [[Flashing BIOS from Linux#fwupd]]. Please note if you have used a bind mount partition for /boot, you will not be able to use the fwupd utility; Instead format a USB as FAT32 and put the bios update .exe on. Reboot into the one-time-boot menu and update the BIOS flash through there.<br />
<br />
Alternatively, the BIOS update can be downloaded from the Dell website, and placed in a location accessible to the firmware. This could be the '/boot' folder, or a FAT32 formatted USB stick. Then restart your laptop and hit F12 while starting. In the boot menu choose firmware update and select the new file!<br />
<br />
== Troubleshooting ==<br />
<br />
=== EFISTUB does not boot ===<br />
The BIOS does not pass any boot parameters to the kernel. Use a UEFI [[boot loader]] instead.<br />
<br />
=== Not waking from suspend ===<br />
Update the BIOS to 1.0.7 to patch this issue.<br />
<br />
=== Power Drain after waking from standby ===<br />
<br />
Some users recognised ~2W more power consumption after waking up from standby. Go to the UEFI Firmware Settings (tap the F2 key when the Dell logo appears) and uncheck the 'Enable Thunderbolt Boot Support'. You may use {{Pkg|powertop}} or {{AUR|powerstat-git}} to reproduce and check this behaviour yourself. <br />
<br />
=== Popping sound on headphones/external speakers ===<br />
<br />
Power saving being enabled on the audio chip will cause the hissing and popping to appear. <br />
<br />
Have a look at [[ALSA/Troubleshooting#Pops when starting and stopping playback]] and [[ALSA/Troubleshooting#Popping sound after resuming from suspension]].<br />
<br />
If you are using {{Pkg|tlp}}, it will activate power saving by default when on battery. Edit {{ic|/etc/default/tlp}} and disable it.<br />
<br />
=== Coil Whine ===<br />
<br />
Unfortunately Dell still did not fix this issue and the sound for my model was very loud. The issue seems to be connected to the graphic card. For some users, it is possible to reduce it a lot by activating frame buffer compression "enable_fbc=1" [[Intel graphics#Module-based Powersaving Options]]. The coil whine will then start again under heavy graphic load. For the touchscreen model, this may be very often, due to the high resolution screen. In a similar vein, the display can be run at a lower resolution, again reducing the load on the graphics card.<br />
<br />
=== Freezing after waking from suspend ===<br />
<br />
Installing {{aur|xf86-video-intel-git}} is [https://bbs.archlinux.org/viewtopic.php?pid=1698282#p1698282 reported] to fix this.<br />
<br />
=== Continuous hissing sound with headphones ===<br />
<br />
Open alsamixer and set "Headphone Mic Boost" gain to 10 dB (See discussion on [https://www.reddit.com/r/Dell/comments/4j1zz4/headphones_have_static_noise_with_ubuntu_1604_on/ reddit]). Note that this does reduce the volume slightly.<br />
<br />
You may also run the equivalent command:<br />
<br />
$ amixer -c PCH cset 'name=Headphone Mic Boost Volume' 1<br />
<br />
PulseAudio will rewrite these ALSA settings. So if you use PulseAudio you should change its config to make them permanent:<br />
<br />
# vi /usr/share/pulseaudio/alsa-mixer/paths/analog-input-headphone-mic.conf<br />
<br />
[Element Headphone Mic Boost]<br />
required-any = any<br />
switch = select<br />
# Replace "volume = merge" by:<br />
volume = 1<br />
override-map.1 = all<br />
override-map.2 = all-left,all-right<br />
<br />
# vi /usr/share/pulseaudio/alsa-mixer/paths/analog-input-internal-mic.conf<br />
<br />
[Element Headphone Mic Boost]<br />
switch = off<br />
# Replace "volume = off" by:<br />
volume = 1<br />
<br />
== See Also == <br />
<br />
* [https://bbs.archlinux.org/viewtopic.php?id=217865 Arch Forum thread for Dell XPS 13 (9360)]<br />
* [http://topics-cdn.dell.com/pdf/xps-13-9360-laptop_Service%20Manual_en-us.pdf Service Manual for Dell XPS 13 (9360)]</div>Altazarhttps://wiki.archlinux.org/index.php?title=Dell_XPS_13_(9360)&diff=481653Dell XPS 13 (9360)2017-07-10T19:18:32Z<p>Altazar: /* Continuous hissing sound with headphones: prevent PulseAudio form rewriting boost settings */</p>
<hr />
<div>[[Category:Dell]]<br />
[[ja:Dell XPS 13 (9360)]]<br />
{| class="wikitable" style="float: right;"<br />
| '''Device''' || '''Status''' || '''Modules'''<br />
|-<br />
| Video || {{G|Working}} || i915<br />
|-<br />
| Wireless || {{G|Working}} || ath10k<br />
|-<br />
| Bluetooth || {{G|Working}}|| btusb<br />
|-<br />
| Audio || {{G|Working}} || snd_hda_intel<br />
|-<br />
| Touchpad || {{G|Working}} || hid_multitouch (mousedev)<br />
|-<br />
| Webcam || {{G|Working}} || uvcvideo<br />
|-<br />
| USB-C / Thunderbolt 3 || {{G|Working}} || ?<br />
|-<br />
| Wireless switch || {{G|Working}} || intel_hid<br />
|-<br />
| Function/Multimedia Keys || {{G|Working}} || ?<br />
|-<br />
| Fingerprint sensor || {{R|Not working}} || ?<br />
|}<br />
<br />
The Dell XPS 13 Late 2016 (9360) is the fourth-generation model of the XPS 13 line. The laptop is available since October (pre-2017 model) in both a standard edition with Windows installed as well as both a pre-2017 model and a 2017 model (with insignificant hardware differences) Developer Edition with Ubuntu 16.04 "SP1" installed, featuring kernel 4.8 as of now. There is only minor hardware differences between them, mostly in regards to the mainboard microchip manufacturers. Just like the older versions ([[Dell XPS 13 (9333)|9333]], [[Dell XPS 13 (9343)|9343]] and [[Dell XPS 13 (9350)|9350]]) it is available in different hardware configurations as well. These fourth gen models includes Intel's Kaby Lake CPUs and advertised with up to 16GB LPDDR 1866 MHz RAM and a 1TB PCI SSD. It will now also be available in Rose Gold. Prior to previous information and current specifications available provided by Dell (at least to regular customers), it is not available with the 2133 MHz RAM speed. However, some models, including those available to employees and possibly Dell partners (and/or business customers), memory speed is indeed available up to 2133 Mhz LPDDR3 (non-upgradable). [https://codepaste.net/yr5n9i ref]. The same mentioned models are also available with the Intel Core i7-7660U (aswell as i7-7560U) with the Intel 640 Iris Plus onboard graphics. Respective clock frequencies are 2.5 Ghz (up to 4GHz in Turbo-mode) and 2,4 Ghz (up to 3.8 Ghz), respectively.<br />
<br />
The installation process for Arch on the XPS 13 does not differ from any other PC. For installation help, please see the [[Installation guide]] and [[UEFI]]. This page covers the current status of hardware support on Arch, as well as post-installation recommendations.<br />
<br />
As of kernel 4.5, the Intel Kaby Lake architecture is supported.<br />
<br />
<br />
== Content adaptive brightness control ==<br />
In the XPS 13 the display panels (both FHD and QHD+) come with adaptive brightness embedded in the panel firmware, this "content adaptive brightness control" (usually referred to as CABC or DBC) will adjust the screen brightness depending on the content displayed on the screen and will generally be found undesirable, especially for Linux users who are likely to be switching between dark and light screen content. Dell has issued a fix for this however it is only available to run in Windows and for the QHD+ model of the laptop so this precaution should be taken before installing Linux, the FHD model of the XPS 13 (9360) cannot be fixed. This is not a problem with the panel but rather a problem with the way the panels are configured for the XPS 13, as the same panel exists in the Dell's Latitude 13 7000 series (e7370) FHD model but with CABC disabled. The fix is available directly from [http://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=20JWV Dell].<br />
<br />
== NVM Express SSD ==<br />
=== NVME Power Saving Patch ===<br />
<br />
Andy Lutomirski has created a patchset which fixes power saving for NVME devices in linux. The patch was merged into mainline and manually compiling the kernel is not necessary anymore. Nevertheless the [[AUR]] package is still available for further use if desired. <br />
{{App|Linux-nvme|Mainline linux kernel patched with Andy's patch for NVME power saving APST.|https://github.com/damige/linux-nvme|{{AUR|linux-nvme}}}} (check out [http://linuxnvme.damige.net/] for compiled packages)<br />
<br />
For some devices it might be necessary to set a higher value for the {{ic|nvme_core.default_ps_max_latency_us}} parameter to enable all power saving states. This parameter has to be set on the [[kernel parameters|kernel command line]].<br />
<br />
For the Toshiba 512GB SSD used in some models of the XPS 13 the value to enable all PS-States is 170000 (the combined latency of entering and leaving the highest power state, add {{ic|<nowiki>nvme_core.default_ps_max_latency_us=170000</nowiki>}} to your kernel command line). For the 1TB SSD this valued should be increased to 180000 instead. To check if all states are enabled you can use the {{AUR|nvme-cli}} package, which provides the {{ic|nvme-cli}} command:<br />
<br />
# nvme get-feature -f 0x0c -H /dev/nvme0<br />
get-feature:0xc (Autonomous Power State Transition), Current value:0x000001<br />
Autonomous Power State Transition Enable (APSTE): Enabled<br />
Auto PST Entries .................<br />
Entry[ 0] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 1] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 2] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 1500 ms<br />
Idle Transition Power State (ITPS): 3<br />
.................<br />
Entry[ 3] <br />
.................<br />
Idle Time Prior to Transition (ITPT): 8500 ms<br />
Idle Transition Power State (ITPS): 4<br />
.................<br />
<br />
If the power states are enabled there should be values for ITPT and ITPS in the first entries. Also the ITPS-value of the last filled entry should be the highest power saving-state of the SSD (which can be viewed using {{ic|smartctl -a /dev/nvme0}} or {{ic|nvme id-ctrl /dev/nvme0}}).<br />
<br />
== Video ==<br />
The video should work with the {{ic|i915}} driver of the current {{Pkg|linux}} kernel. Consult [[Intel graphics]] for a detailed installation and configuration guide as well as for [[Intel graphics#Troubleshooting|Troubleshooting]].<br />
<br />
If you have the QHD+ (3200x1800) model, also check out [[HiDPI]] for UI scaling configurations.<br />
<br />
''But there might be video issues left for this model. '''Please help by contributing any feedback''' about similar issues you might have experience(d) to this bugreport (https://bugs.freedesktop.org/show_bug.cgi?id=100671).''<br />
<br />
=== Module-based Powersaving Options ===<br />
For the HD 620 graphics card the following modules are working: (see [[Intel graphics#Module-based Powersaving Options]])<br />
modeset=1 enable_rc6=1 enable_fbc=1 <br />
The first argument is to enable modesetting if it's not set by default. The second argument is needed to active power-saving C-States. Higher values than 1 are not available for kaby lake CPUs. The third argument is for frame buffer compression power savings. These values should work well!<br />
<br />
enable_guc_loading=1 enable_guc_submission=1<br />
These arguments are used to enable GuC updates. GuC is a small proprietary binary blob released by intel to update the GuC binary in faster intervals than the kernel release does. It is used for graphics workload scheduling on the various graphics parallel engines. More details at (https://01.org/linuxgraphics/downloads/firmware). The GuC binary for kaby lake is included since firmware release linux-firmware 20170217 in the official repository.<br />
<br />
enable_huc=1<br />
HuC is also an binary blob from intel. It's designed to offload some of the media functions from the CPU to GPU. More details at (https://01.org/linuxgraphics/downloads/firmware). As of kernel 4.11, HuC remains unsupported.<br />
<br />
enable_psr=1 disable_power_well=0 OR enable_psr=2 <br />
Enable psr level 2 is working, while level 1 has a lot of problems. Setting it on level 2 doesn't give much energy saving at the moment. It's said that 'disable_power_well=0 enable_psr=1' is working in this combination.<br />
<br />
NOT WORKING: semaphores=1 <br />
The semaphore option is NOT working for kaby lake CPUs and won't enable even if you set the option to 1.<br />
<br />
=== Blank screen issue after booting ===<br />
If using "late start" [[KMS]] (the default) and the screen goes blank when loading modules, it may help to add {{ic|i915}} and {{ic|intel_agp}} to the initramfs or using a special [[kernel parameter]]. Consult [[Intel graphics#Blank screen during boot, when "Loading modules"]] for more information about the kernel parameter way and have a look at [[Kernel mode setting#Early KMS start]] for a guide on how to setup the modules for the initramfs.<br />
<br />
== Wireless ==<br />
<br />
The Killer 1535 Wirless Adapter is functional and the ath10k firmware is included in recent linux kernel versions. The connection speed reported by iw is limited to 1-6Mbits/s. However this is just the output being wrong. The real connection speed is not limited to this value.<br />
<br />
Some users are experiencing issues, where the connection is dropped under heavy load but reconnects within a brief moment. This might not be noticed during browsing at all but becomes apparent in online games. There is no know solution so far.<br />
<br />
== Bluetooth ==<br />
<br />
After following the instructions given at [[Bluetooth]] tethering of internet connections via phone works immediately.<br />
<br />
<br />
== Thunderbolt 3 / USB 3.1 ==<br />
<br />
The USB-C port supports Thunderbolt 3, Displayport-over-USB-C and USB power delivery as well as USB 3.1.<br />
<br />
=== Ethernet repeatedly disconnects/reconnects with Dell USB-C adapter (DA200) ===<br />
<br />
Use of a power management package (such as [[TLP]]) may cause the ethernet adapter to repeatedly disconnect and reconnect. If this happens, disable/blacklist USB autosuspend for the ethernet adapter. (On my laptop, this is the device <tt>Bus 004 Device 007: ID 0bda:8153 Realtek Semiconductor Corp</tt> in the output of <tt>lsusb</tt>.)<br />
<br />
Also disabling or reducing power of wifi may help: http://en.community.dell.com/support-forums/network-internet-wireless/f/3324/t/19995423<br />
<br />
=== USB-C Compatibility Chart ===<br />
{| class="wikitable"<br />
| '''Device''' || '''Ports''' || '''Status'''<br />
|-<br />
| [http://www.apple.com/uk/shop/product/MJ1K2ZM/A/usb-c-digital-av-multiport-adapter Apple USB-C Digital AV Multiport Adapter] || USB-C, USB-A, HDMI || {{R|Not Working}}<br />
|-<br />
| [http://www.apple.com/uk/shop/product/MJ262B/A/apple-29w-usb-c-power-adapter?fnode=8b Apple 29W USB-C Power Adapter] || USB-C Power || {{R|Not Working}}<br />
|-<br />
| [https://www.amazon.co.uk/gp/product/B01H3K387Q/ref=oh_aui_search_detailpage?ie=UTF8&psc=1 Aukey USB C Hub HDMI 4 Port] || USB-C, 4xUSB-A, HDMI || {{G|Working}}<br />
|-<br />
| [http://www.belkin.com/us/p/P-F2CU037/ Belkin USB-C to VGA Adapter] || VGA || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B012DT6KW2 Dell DA200] || USB-A, Ethernet, HDMI, VGA || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01FN1YK92 Dell WD15 130W] || 3xUSB-A 3.0, 2xUSB-A 2.0, Ethernet, HDMI, Mini DisplayPort, VGA, Line Out, Line In || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01ANR4CYE StarTech.com tb32dp2 - Thunderbolt 3 Adapter] || 2 x DP (4 K, 60 Hz) || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/StarTech-com-Thunderbolt-Adapter-Compatible-DisplayPort/dp/B019FPJDQ2 StarTech TBT3TBTADAP Thunderbolt 3 to Thunderbolt Adapter] || Thunderbolt 2, Thunderbolt || {{G|Working}}<br />
|-<br />
| [https://www.apple.com/shop/product/MMEL2AM/A/thunderbolt-3-usb-c-to-thunderbolt-2-adapter Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter] || Thunderbolt 2, Thunderbolt || {{R|Not Working}}<br />
|-<br />
| [https://www.amazon.com/dp/B01C316EIK Cable Matters USB-C Multiport Adapter] || 4K HDMI or VGA, USB 3.0, Gigabit Ethernet || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Juiced-BizHUB-Multiport-Ethernet-Delivery/dp/B01J391C3W Juiced Systems BizHUB USB-C Multiport Gigabit HDMI Hub] || 4K@30Hz HDMI, 3x USB 3.0, Gigabit Ethernet, USB-C Power, SD, Micro-SD || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Anker-Adapter-Supports-Macbook-Chromebook/dp/B01MYUCWOK/ Anker USB-C to HDMI Adapter] || 4K@60Hz HDMI || {{G|Working}}<br />
|-<br />
| [http://www.pct-max.com.tw/cht/products.php?index=289 PCT UHC304] || HDMI (4K@30Hz, 2K@60Hz), Gigabit Ethernet, USB-A, USB-C || {{G|Working}}<br />
|-<br />
| [https://www.i-tec-europe.eu/?lng=en&t=3&v=443 i-Tec USB-C Dual Display MST Dock] || HDMI, DP (4K@30Hz Single Monitor, 1920x1200@60Hz Dual Monitor), Gbit Ethernet, 3xUSB-A, USB-C, Sound, Charging @ 60W || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Tripp-Lite-External-Charging-U444-06N-DGU-C/dp/B01LYQB1XI Tripp Lite USB-C to DVI External Video Adapter] || DVI, Gbit Ethernet, USB-A, USB-C PD Charging Port || {{G|Working}}<br />
|-<br />
| [https://www.startech.com/nl/en/AV/usb-c-video-adapters/usb-c-hdmi-adapter~CDP2HD StarTech CDP2HD - USB-C to HDMI Adapter] || HDMI || {{G|Working}}<br />
|-<br />
| [https://www.amazon.com/Kanex-USB-C-Adapter-Inches-White/dp/B00VBNSY0S Kanex USB-C to HDMI 4K Adapter] || HDMI || {{G|Working}}<br />
|-<br />
| [https://smile.amazon.com/QacQoc-Aluminum-Multi-Port-Charging-Ethernet/dp/B01MU1FFMP QacQoc GN30H USB C HUB Aluminum Multi-Port TYPE C HUB Adapter with 4K HDMI] || 4K@30Hz HDMI, 3x USB 3.0, Gigabit Ethernet, USB-C Power, SD, Micro-SD || {{G|Working}}<br />
|-<br />
| [https://xiaomi-mi.com/accessories-for-laptops/xiaomi-usb-type-c-to-hdmi-multifunction-adapter/ Xiaomi USB Type-C to HDMI Multifunction Adapter] || 4K HDMI, 1x USB 3.0, USB-C Power || {{G|Working}}<br />
|}<br />
<br />
=== Thunderbolt Firmware updates ===<br />
The thunderbolt controller in the laptop has an embedded firmware. The laptop ships with firmware version NVM 18, and the most recent available version from Dell's website is NVM 21. If encountering compatibility problems with Thunderbolt accessories, the firmware may need to be updated. Dell maintains a [https://github.com/dell/thunderbolt-nvm-linux Github repository] explaining the process to update the firmware, but unfortunately, does not provide the updated payload files. These can be extracted from the Windows firmware update files. Mainline support for the firmware update process is pending the inclusion of [https://github.com/01org/thunderbolt-software-kernel-tree/tree/networking these patches] into the Linux kernel.<br />
<br />
Here is a short list of steps to update the Thunderbolt-Firmware (use at your own risk):<br />
<br />
* Install {{AUR|thunderbolt-icm-dkms-git}}, {{AUR|thunderboltd-git}}, {{AUR|libtbtfwu-git}} and {{AUR|tbtfwucli-git}}<br />
* Load the thunderbolt-icm kernel module and start thunderbolt.service<br />
* Download the Intel_TBT3_FW_UPDATE_*.exe from Dell's website<br />
* Unpack the exe with 7z x Intel_TBT3_FW_UPDATE_*.exe<br />
* Follow the update instructions at [https://github.com/dell/thunderbolt-nvm-linux Dell's TB Github repository], Using the correct Firmware file from the extracted exe (Intel/0x075B.bin for the 9360 according to the info in Dell's Repository<br />
* Hope everything goes well and reboot after finishing the update<br />
<br />
== SATA controller ==<br />
When the SATA-controller is set to {{ic|RAID On}} in Bios, the hard disk (at least the SSD) is not recognized. Set to {{ic|Off}} or {{ic|AHCI}} ({{ic|AHCI}} is recommended) before attempting to install Arch.<br />
<br />
== Touchpad ==<br />
The touchpad has no explicit buttons. The buttons are built into the pads surface. There is a small line printed on the pad separating left from right click button. The pad has a '''middle button''' built in! (works with libinput without any configuration): To issue a middle click, simply press on the middle area right between the virtual left and click buttons - so on the small printed separator line.<br />
<br />
=== Remove psmouse errors from dmesg ===<br />
<br />
If {{ic|<nowiki>dmesg | grep -i psmouse</nowiki>}} returns an error, but your touchpad still works, then it might be a good idea to disable {{ic|psmouse}}. First create a config file:<br />
<br />
# nano /etc/modprobe.d/modprobe.conf<br />
<br />
blacklist psmouse<br />
<br />
Then add this file to {{ic|/etc/mkinitcpio.conf}}:<br />
<br />
...<br />
FILES="/etc/modprobe.d/modprobe.conf"<br />
...<br />
<br />
Rebuild your initial ramdisk image (see [[Mkinitcpio#Image creation and activation]]).<br />
<br />
== Touchscreen ==<br />
The touchscreen works without additional configuration. The bug resulting in a disabled touchscreen after resume was fixed with kernel 4.8.5.<br />
<br />
=== Gestures ===<br />
Refer to [[libinput#Gestures]] for information about the current development state and available methods.<br />
<br />
=== Scrolling in Firefox ===<br />
See [[Firefox/Tweaks#Pixel-perfect trackpad scrolling]]. This enables both touchscreen scrolling and high-res trackpad scrolling.<br />
<br />
== Keyboard Backlight ==<br />
By default, the keyboard backlight turns off after 10 seconds of inactivity. Some users might find this too short and annoying.<br />
The delay can be increased (or decreased) by editing this file:<br />
/sys/devices/platform/dell-laptop/leds/dell\:\:kbd_backlight/stop_timeout<br />
<br />
You can also change the brightness (0-2) by editing the following file. This is identical to pressing F10 on your keyboard:<br />
/sys/devices/platform/dell-laptop/leds/dell\:\:kbd_backlight/brightness<br />
<br />
== Hidden Keyboard Keys ==<br />
There are additional Fn+<Key> (sequences) that are not marked at all on the keyboard but underlying hardware generates them anyway. Here they are (if you find more add them to the table below):<br />
{| class="wikitable"<br />
|+ Hidden Fn Keys<br />
! Fn+<Key> !! Resulting key (sequence)<br />
|-<br />
| Fn+Ins || XF86Sleep<br />
|-<br />
| Fn+Super_L || Super_R<br />
|-<br />
| Fn+B || Pause<br />
|-<br />
| Fn+R || Print<br />
|-<br />
| Fn+S || Scroll_Lock<br />
|-<br />
| Fn+A / D / E / F / G / T / Q / W || XF86Launch3<br />
|}<br />
<br />
== Firmware Updates ==<br />
Dell provides firmware updates via {{Pkg|fwupd}}. See [[Flashing BIOS from Linux#fwupd]]. Please note if you have used a bind mount partition for /boot, you will not be able to use the fwupd utility; Instead format a USB as FAT32 and put the bios update .exe on. Reboot into the one-time-boot menu and update the BIOS flash through there.<br />
<br />
Alternatively, the BIOS update can be downloaded from the Dell website, and placed in a location accessible to the firmware. This could be the '/boot' folder, or a FAT32 formatted USB stick. Then restart your laptop and hit F12 while starting. In the boot menu choose firmware update and select the new file!<br />
<br />
== Troubleshooting ==<br />
<br />
=== EFISTUB does not boot ===<br />
The BIOS does not pass any boot parameters to the kernel. Use a UEFI [[boot loader]] instead.<br />
<br />
=== Not waking from suspend ===<br />
Update the BIOS to 1.0.7 to patch this issue.<br />
<br />
=== Power Drain after waking from standby ===<br />
<br />
Some users recognised ~2W more power consumption after waking up from standby. Go to the UEFI Firmware Settings (tap the F2 key when the Dell logo appears) and uncheck the 'Enable Thunderbolt Boot Support'. You may use {{Pkg|powertop}} or {{AUR|powerstat-git}} to reproduce and check this behaviour yourself. <br />
<br />
=== Popping sound on headphones/external speakers ===<br />
<br />
Power saving being enabled on the audio chip will cause the hissing and popping to appear. <br />
<br />
Have a look at [[ALSA/Troubleshooting#Pops when starting and stopping playback]] and [[ALSA/Troubleshooting#Popping sound after resuming from suspension]].<br />
<br />
If you are using {{Pkg|tlp}}, it will activate power saving by default when on battery. Edit {{ic|/etc/default/tlp}} and disable it.<br />
<br />
=== Coil Whine ===<br />
<br />
Unfortunately Dell still did not fix this issue and the sound for my model was very loud. The issue seems to be connected to the graphic card. For some users, it is possible to reduce it a lot by activating frame buffer compression "enable_fbc=1" [[Intel graphics#Module-based Powersaving Options]]. The coil whine will then start again under heavy graphic load. For the touchscreen model, this may be very often, due to the high resolution screen. In a similar vein, the display can be run at a lower resolution, again reducing the load on the graphics card.<br />
<br />
=== Freezing after waking from suspend ===<br />
<br />
Installing {{aur|xf86-video-intel-git}} is [https://bbs.archlinux.org/viewtopic.php?pid=1698282#p1698282 reported] to fix this.<br />
<br />
=== Continuous hissing sound with headphones ===<br />
<br />
Open alsamixer and set "Headphone Mic Boost" gain to 10 dB (See discussion on [https://www.reddit.com/r/Dell/comments/4j1zz4/headphones_have_static_noise_with_ubuntu_1604_on/ reddit]). Note that this does reduce the volume slightly.<br />
<br />
You may also run the equivalent command:<br />
<br />
$ amixer -c PCH cset 'name=Headphone Mic Boost Volume' 1<br />
<br />
PulseAudio will rewrite these ALSA settings. So if you use PulseAudio you should change it configs to make them permanent:<br />
<br />
# vi /usr/share/pulseaudio/alsa-mixer/paths/analog-input-headphone-mic.conf<br />
<br />
[Element Headphone Mic Boost]<br />
required-any = any<br />
switch = select<br />
# Replace "volume = merge" by:<br />
volume = 1<br />
override-map.1 = all<br />
override-map.2 = all-left,all-right<br />
<br />
# vi /usr/share/pulseaudio/alsa-mixer/paths/analog-input-internal-mic.conf<br />
<br />
[Element Headphone Mic Boost]<br />
switch = off<br />
# Replace "volume = off" by:<br />
volume = 1<br />
<br />
== See Also == <br />
<br />
* [https://bbs.archlinux.org/viewtopic.php?id=217865 Arch Forum thread for Dell XPS 13 (9360)]<br />
* [http://topics-cdn.dell.com/pdf/xps-13-9360-laptop_Service%20Manual_en-us.pdf Service Manual for Dell XPS 13 (9360)]</div>Altazar