https://wiki.archlinux.org/api.php?action=feedcontributions&user=Pdean&feedformat=atomArchWiki - User contributions [en]2024-03-28T23:54:34ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Private_Internet_Access&diff=642172Private Internet Access2020-11-23T04:28:24Z<p>Pdean: nextgen openvpn config files</p>
<hr />
<div>[[Category:VPN providers]]<br />
[[ja:Private Internet Access]]<br />
[https://www.privateinternetaccess.com/ Private Internet Access] is a subscription-based VPN service.<br />
<br />
{{Note|In 2019, PIA merged with Kape Technologies, and this event has been surrounded by a lot of controversy, especially via reddit posts. However, since the merger, the following improvements have been made to the PIA infrastructure:<br />
* All PIA applications got released as open source: https://github.com/pia-foss<br />
* WireGuard got added to the VPN servers and VPN Apps<br />
* VPN servers got migrated from Ubuntu 14 LTS to ArchLinux<br />
* All VPN servers now are encrypted via dm-crypt, following advice from Arch devs<br />
* All VPN services now run in memory via ramdisk}}<br />
<br />
== Manual ==<br />
<br />
{{Note|<br />
* [[Disable ipv6]] since it is not supported by PIA.[https://helpdesk.privateinternetaccess.com/hc/en-us/articles/232324908-Why-Do-You-Block-IPv6-]<br />
* Ensure you are using PIA's [[DNS]] servers, listed on their website.}}<br />
<br />
=== NetworkManager applet approach ===<br />
<br />
==== Installation ====<br />
<br />
Download [https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip OpenVPN configuration files from PIA]. Extract the ZIP file to a place in your user home directory or elsewhere that is memorable for future access. Note that although WireGuard can be used with PIA's Linux binary and app, PIA has yet to provide WireGuard configuration files; in other words, only OpenVPN can be used with the NetworkManager approach.<br />
<br />
Install and configure [[NetworkManager]] along with the NetworkManager applet and OpenVPN plugin.<br />
<br />
==== Configuration ====<br />
<br />
#Right click on the NetworkManager applet from your desktop environment and click Edit Connections. Click the Plus sign in the bottom left corner of the Network Connections window that appears.<br />
#When you choose a connection type, click the drop-down menu and scroll all the way down until you reach "Import a saved VPN configuration". Select that option. Now, click Create.<br />
#Navigate to the directory you extracted all of the OpenVPN files to earlier, then open one of the files from that folder. Generally speaking, you will want to open the file that is associated with the connection you specifically want.<br />
#After you have opened one of the OpenVPN files, the window that appears should be "Editing <connection type>". Type in your Username and Password that you received from Private Internet Access. There is an icon in the password box indicating user permission of the credentials; change the settings as you wish.<br />
#Now, click Advanced. Next to "Use LZO data compression", click the drop-down menu to select "adaptive" and next to "Set virtual device type", click the menu and make sure "TUN" is selected.<br />
#Next, go to the security tab and select as cipher "AES-128-CBC" and as HMAC Authentication "SHA-1".<br />
#Click the OK button at the bottom left of the window to save this change.<br />
#Go to the "IPv6 Settings" tab and select for "Method" "Ignore" since PIA blocks IPv6 addresses [https://www.privateinternetaccess.com/helpdesk/kb/articles/why-do-you-block-ipv6-2].<br />
#Click Save at the bottom right of the "Editing <connection type>" window.<br />
<br />
==== Usage ====<br />
<br />
Left click on the NetworkManager applet. There is a VPN Connections menu. Inside it should be the VPN connection you saved. Click on it to connect to Private Internet Access.<br />
<br />
When a gold lock has appeared over the NetworkManager applet, you are successfully connected to Private Internet Access. Visit [https://www.privateinternetaccess.com/ Private Internet Access] and confirm that you are connected by referring to the status message at the top of their homepage.<br />
<br />
{{Note| If the VPN asks for a password, and you would like to avoid entering the password each time you attempt to connect, be sure to click the icon in the password box as noted previously regarding permission of credentials and change it to all users.}}<br />
<br />
=== OpenVPN command line approach ===<br />
<br />
==== Installation ====<br />
<br />
Download [https://www.privateinternetaccess.com/openvpn/openvpn-strong-nextgen.zip OpenVPN configurations from PIA]. Unzip the file and move all files to {{ic|/etc/openvpn/client}}. Ensure the files have {{ic|root}} as the owner.<br />
<br />
{{Tip|To be able to use [[OpenVPN#systemd service configuration]] (e.g. {{ic|systemctl start openvpn-client@''<config>''}}), rename all the files, replacing the {{ic|.ovpn}} extension with {{ic|.conf}} and replacing spaces in configuration file names with underscores.}}<br />
<br />
==== Usage ====<br />
<br />
See [[OpenVPN#Starting OpenVPN]].<br />
<br />
{{Tip|To log in automatically, append the name of the file containing your username and password immediately after {{ic|auth-user-pass}} in the configuration file(s). See this option in {{man|8|openvpn}} for more information.}}<br />
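The two tips above (renaming the profiles for {{ic|openvpn-client@}} and pointing {{ic|auth-user-pass}} at a credentials file) can be done in one pass. The following is an added example, not part of the ArchWiki page or of PIA's own tooling; the destination directory, the credentials file path and the sample profile text are assumptions.

```python
"""Prepare PIA .ovpn files for openvpn-client@<config>: rename them as the
tips above describe and point auth-user-pass at a credentials file.
Added example, not from the ArchWiki page; paths below are assumptions."""
from pathlib import Path
from typing import List, Tuple

# Assumed locations (not from the page): where the .conf files go, and the
# two-line credentials file (username on line 1, password on line 2).
DEST_DIR = "/etc/openvpn/client"
CREDS_PATH = "/etc/openvpn/client/pia-credentials.txt"

# Constructed sample resembling a downloaded profile; not a real PIA file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1197
auth-user-pass
verb 1
"""


def convert_config(filename: str, text: str, creds_path: str) -> Tuple[str, str]:
    """Return (new_filename, new_text) for one .ovpn profile.

    Spaces in the name become underscores and .ovpn becomes .conf, so
    'US East.ovpn' turns into 'US_East.conf' and can be started with
    'systemctl start openvpn-client@US_East'. A bare 'auth-user-pass' line
    (which would prompt interactively) is rewritten to read the credentials
    file; a line that already names a file is left alone.
    """
    new_name = Path(filename).stem.replace(" ", "_") + ".conf"
    out = []
    for line in text.splitlines():
        if line.strip() == "auth-user-pass":
            line = f"auth-user-pass {creds_path}"
        out.append(line)
    return new_name, "\n".join(out) + "\n"


def install_configs(src_dir: str, dest_dir: str = DEST_DIR,
                    creds_path: str = CREDS_PATH) -> List[Path]:
    """Convert every *.ovpn in src_dir into dest_dir (writing to /etc needs root)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for src in sorted(Path(src_dir).glob("*.ovpn")):
        name, body = convert_config(src.name, src.read_text(), creds_path)
        target = dest / name
        target.write_text(body)
        # The config names the credentials file; keep both readable by root only.
        target.chmod(0o600)
        written.append(target)
    return written


if __name__ == "__main__":
    import sys
    for path in install_configs(sys.argv[1]):
        print("wrote", path)
```

Run it as root with the directory the ZIP was extracted to as the only argument; create the credentials file yourself with mode 0600 before starting the service.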
<br />
To test to see if you have successfully connected to the VPN, see [https://helpdesk.privateinternetaccess.com/hc/en-us/articles/231734668-Security-Best-Practices-Part-5-Testing-Your-Security this article].<br />
<br />
== Automatic ==<br />
<br />
=== Official installation script ===<br />
<br />
Private Internet Access has an installation script that sets up [[NetworkManager]] for use with the VPN. Download the script [http://www.privateinternetaccess.com/installer/pia-nm.sh here] and then run to set up.<br />
<br />
=== Official Linux client ===<br />
Private Internet Access now has an official client for Linux with support for Arch. Download the client from [https://www.privateinternetaccess.com/pages/download this page], unzip the file (e.g. {{ic|pia-v81-installer-linux.tar.gz}}) and run the installation script (e.g. {{ic|# ./pia-v81-installer-linux.sh}}).<br />
<br />
=== Packages ===<br />
<br />
* {{App|piavpn-bin|Automates the official installer||{{AUR|piavpn-bin}}}}<br />
* {{App|[[Private Internet Access/AUR]]|Installs profiles for [[NetworkManager]], [[ConnMan]], and [[OpenVPN]]||{{AUR|private-internet-access-vpn}}}}<br />
<br />
=== vopono ===<br />
[[vopono]] is a tool to run specific applications via a VPN connection with temporary network namespaces. Automatic configuration generation is supported for PrivateInternetAccess.<br />
<br />
It includes kill switch support by default, and support for forwarding and proxying ports from the network namespace to the host so you can run daemons and servers via the VPN whilst the rest of the system is unaffected.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Internet "kill switch" ===<br />
<br />
The following [[iptables]] rules only allow network traffic through the {{ic|tun}} interface, with the exception that traffic is allowed to PIA's DNS servers and to port 1197, which is used in establishing the VPN connection:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:10]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i tun+ -j ACCEPT<br />
-A OUTPUT -o lo -j ACCEPT<br />
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT<br />
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT<br />
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT<br />
-A OUTPUT -o tun+ -j ACCEPT<br />
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable<br />
COMMIT}}<br />
<br />
This ensures that if you are disconnected from the VPN unknowingly, no network traffic is allowed in or out.<br />
<br />
If you wish to additionally access devices on your LAN, you will need to explicitly allow them. For example, to allow access to devices on {{ic|192.168.0.0/24}}, add the following two rules before the final REJECT rule (rules are evaluated in order, so anything placed after the REJECT is never reached):<br />
<br />
-A INPUT -s 192.168.0.0/24 -j ACCEPT<br />
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT<br />
<br />
Additionally, the above rules block the ICMP protocol, which is probably not desired. See [https://bbs.archlinux.org/viewtopic.php?id=224655 this thread] for potential pitfalls of using these iptables rules as well as more details.<br />
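Because the rules are order-sensitive and a single stray ACCEPT defeats the whole kill switch, it is worth checking the file before loading it. The following is an added example, not part of the ArchWiki page: a small linter for iptables-restore files that checks the invariants the section describes (DROP policies, OUTPUT only via {{ic|lo}}, {{ic|tun+}}, PIA's DNS servers and the handshake port, LAN rules placed before the REJECT). The sample rules are constructed from the listing above with the two LAN rules inserted; the name {{ic|audit_killswitch}} is the example's own.

```python
"""Lint an iptables-restore file for the kill-switch properties described
above. Added example, not from the ArchWiki page; the sample rules are the
page's listing with the two LAN rules inserted before the final REJECT."""
import re
from typing import Dict, List

# Destinations that may be reached outside the tunnel: PIA's DNS servers and
# the LAN range used in the text above.
ALLOWED_OUTSIDE_TUNNEL = {"209.222.18.222/32", "209.222.18.218/32", "192.168.0.0/24"}
VPN_HANDSHAKE_PORT = "1197"
MATCH_OPTS = {"-i", "-o", "-s", "-d", "-p", "-m", "--dport", "--sport"}

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
COMMIT
"""

# Same rules with the LAN OUTPUT rule mistakenly placed after the REJECT.
MISORDERED_RULES = SAMPLE_RULES.replace(
    "-A OUTPUT -d 192.168.0.0/24 -j ACCEPT\n", "").replace(
    "COMMIT", "-A OUTPUT -d 192.168.0.0/24 -j ACCEPT\nCOMMIT")


def _opts(rule_body: str) -> Dict[str, str]:
    """Turn '-p udp -m udp --dport 1197 -j ACCEPT' into an option -> value map."""
    tokens = rule_body.split()
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = ""
            i += 1
    return opts


def audit_killswitch(rules_text: str) -> Dict[str, List[str]]:
    """Return {'problems': [...], 'notes': [...]} for one iptables-restore file."""
    problems: List[str] = []
    notes: List[str] = []
    policies: Dict[str, str] = {}
    terminated = set()          # chains whose unconditional REJECT/DROP was already seen
    icmp_allowed = False
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = re.match(r"^:(\w+)\s+(\w+)", line)
        if m:                                   # chain policy line
            policies[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^-A\s+(\w+)\s+(.*)$", line)
        if not m:                               # *filter, COMMIT, comments
            continue
        chain, opts = m.group(1), _opts(m.group(2))
        target = opts.get("-j")
        if chain in terminated:
            problems.append(f"{chain}: '{line}' comes after the final REJECT/DROP and never matches")
            continue
        if target in ("REJECT", "DROP") and not MATCH_OPTS.intersection(opts):
            terminated.add(chain)
            continue
        if target == "ACCEPT" and opts.get("-p") == "icmp":
            icmp_allowed = True
        if chain == "OUTPUT" and target == "ACCEPT":
            inside_tunnel = opts.get("-o") in ("lo", "tun+")
            allowed_dest = opts.get("-d") in ALLOWED_OUTSIDE_TUNNEL
            handshake = opts.get("-p") == "udp" and opts.get("--dport") == VPN_HANDSHAKE_PORT
            if not (inside_tunnel or allowed_dest or handshake):
                problems.append(f"OUTPUT: '{line}' lets traffic leave outside the tunnel")
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            problems.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    if not icmp_allowed:
        notes.append("no rule accepts ICMP explicitly; echo requests arriving outside the tunnel are dropped by the INPUT policy")
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    for label, text in (("ordered", SAMPLE_RULES), ("misordered", MISORDERED_RULES)):
        print(label, audit_killswitch(text))
```

Run it against your own file with {{ic|audit_killswitch(open("/etc/iptables/iptables.rules").read())}} before {{ic|iptables-restore}}; anything in {{ic|problems}} means the switch is either leaking or silently ignoring a rule.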
<br />
=== Setting PIA DNS ===<br />
If you find that NetworkManager is controlling your host's DNS settings, and therefore your host cannot resolve any address, you will have to set the DNS server and attributes manually.<br />
Running the following command should show that the file is a symbolic link:<br />
<br />
ls -l /etc/resolv.conf<br />
<br />
Remove the symbolic link with {{ic|rm /etc/resolv.conf}}<br />
Then create a new {{ic|/etc/resolv.conf}} and add the following:<br />
<br />
{{hc|/etc/resolv.conf |<br />
nameserver 209.222.18.222<br />
nameserver 209.222.18.218}}<br />
<br />
{{Accuracy|Using ''resolvconf'' after editing {{ic|/etc/resolv.conf}} makes no sense. If [[openresolv]] is used then the nameservers should be set in {{ic|/etc/resolvconf.conf}}, and {{ic|/etc/resolv.conf}} should not be manually edited.}}<br />
<br />
Next regenerate resolvconf by typing:<br />
<br />
# resolvconf -u<br />
<br />
{{Style|Duplicates [[Domain name resolution#Overwriting of /etc/resolv.conf]].}}<br />
<br />
Finally make the file immutable so no other application can modify it:<br />
<br />
chattr +i /etc/resolv.conf<br />
<br />
== Troubleshooting ==<br />
<br />
=== I cannot connect to OpenVPN using PIA manager, or OpenVPN does not work ===<br />
PIA manager still uses OpenVPN under the hood, so even if you do not directly use one of the OpenVPN methods, you still need it. Firstly, check that it's installed. If you used one of the installation scripts, this should be done for you.<br />
<br />
If you are getting errors like {{ic|#<Errno::ECONNREFUSED: Connection refused - connect(2) for "127.0.0.1" port 31749>}}, that probably means TAP/TUN is not currently running. Either your kernel does not have it, in which case install a kernel which does (or compile a fresh one), or it is not currently running, in which case it needs to be started:<br />
<br />
# modprobe tun</div>Pdeanhttps://wiki.archlinux.org/index.php?title=PostGIS&diff=471770PostGIS2017-03-24T21:17:16Z<p>Pdean: page obsolete</p>
<hr />
<div>[[Category:Database management systems]]<br />
[[ja:PostGIS]]<br />
PostGIS adds support for geographic objects in the PostgreSQL database. This document describes the process for installing PostGIS and creating a template PostGIS database. It is assumed that PostgreSQL has been installed. If it hasn't, please refer to the [[PostgreSQL]] page.<br />
<br />
== Installing PostGIS ==<br />
[[Install]] the {{pkg|postgis}} package.<br />
<br />
== Installing PostGIS Extension ==<br />
Since PostgreSQL 9.1 [http://postgis.net/docs/postgis_installation.html#make_install_postgis_extensions], the preferred approach is to install PostGIS and enable the postgis extension for each spatial database.<br />
$ psql<br />
<br />
-- verify available extensions<br />
SELECT name, default_version,installed_version <br />
FROM pg_available_extensions WHERE name LIKE 'postgis%' ;<br />
<br />
-- install extension for spatial database mygisdb<br />
\c mygisdb<br />
CREATE EXTENSION postgis;<br />
CREATE EXTENSION postgis_topology;<br />
CREATE EXTENSION fuzzystrmatch;<br />
CREATE EXTENSION postgis_tiger_geocoder;<br />
<br />
You do not need to do the "Creating a Template PostGIS Database" step below if you use the PostGIS extension.<br />
<br />
* upgrade postgis extension<br />
$ psql<br />
<br />
ALTER EXTENSION postgis UPDATE TO "2.1.0";<br />
<br />
* migrate spatial database created with postgis_template<br />
Dump and drop the spatial database, re-create a spatial database with extension, and restore the dumped database. Follow http://www.postgis.net/docs/postgis_installation.html#hard_upgrade for specific commands.<br />
<br />
== Creating a Template PostGIS Database ==<br />
*Become the postgres user.<br />
$ su<br />
# su - postgres<br />
*If you haven't created a superuser for accessing PostgreSQL, you may want do that now. You will be prompted for granting permissions to that user.<br />
$ createuser [username]<br />
*Create a new database called "template_postgis".<br />
$ createdb -O [username] template_postgis -E UTF-8<br />
*PostGIS requires the pl/pgSQL language to be installed on a database.<br />
$ createlang plpgsql template_postgis<br />
*Load the PostGIS spatial types for PostgreSQL and spatial reference systems. "postgis.sql" and "spatial_ref_sys.sql" are part of the installation of PostGIS, and may reside somewhere other than "/usr/share/postgresql/contrib/postgis-2.1/" depending on the installation. ''(Below is for a default postgis 2.1 installation)''<br />
$ psql -d template_postgis -f /usr/share/postgresql/contrib/postgis-2.1/postgis.sql<br />
$ psql -d template_postgis -f /usr/share/postgresql/contrib/postgis-2.1/spatial_ref_sys.sql<br />
*Make it a real template. <br />
$ psql<br />
<br />
UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template_postgis';<br />
<br />
== Creating a PostGIS Database From the Template==<br />
*It's common practice to reserve a bare template for creating new PostGIS databases. As a PostgreSQL superuser, the following command will create a new database:<br />
$ createdb -T template_postgis [new_postgis_db]<br />
<br />
== More Resources ==<br />
For additional resources concerning PostGIS, check out the [http://postgis.net/documentation/ PostGIS Documentation].<br />
<br />
== PostGIS failing with json_tokener_error ==<br />
This happens when adding postgis as an extension. The libjson-c package has changed, and PostGIS has not yet put out a stable release with the fix. It is in 2.1.0rc1, though. The bug report is http://trac.osgeo.org/postgis/ticket/2213<br />
<br />
The fix is to download the postgis PKGBUILD and then change the version to '2.1.0rc1'. Don't forget to change the sha256sum.</div>Pdeanhttps://wiki.archlinux.org/index.php?title=Arch-based_distributions&diff=456811Arch-based distributions2016-11-15T07:08:08Z<p>Pdean: page moved</p>
<hr />
<div>[[Category:About Arch]]<br />
[[es:Arch based distributions (active)]]<br />
[[fr:LiveCD]]<br />
[[ja:Arch ベースのディストリビューション]]<br />
[[ru:Arch based distributions (active)]]<br />
[[zh-cn:Arch based distributions (active)]]<br />
{{Related articles start}}<br />
{{Related|Arch compared to other distributions}}<br />
{{Related|Archiso}}<br />
{{Related|Archboot}}<br />
{{Related|TalkingArch}}<br />
{{Related|DeveloperWiki:TrademarkPolicy}}<br />
{{Related articles end}}<br />
<br />
{{Warning|Arch-based distributions are '''not''' supported by the Arch community or developers. See [[Code of conduct#Arch Linux distribution support *only*]]}}<br />
<br />
This is a listing of Linux distributions which are derived from Arch Linux either in whole or in part. This page is here to serve as a useful reference; for a detailed comparison, see [[w:Comparison of Linux distributions]].<br />
<br />
== Active ==<br />
<br />
Actively developed Arch derived Linux distributions.<br />
<br />
=== Desktop ===<br />
<br />
The following distributions include a pre-installed [[Desktop environment]].<br />
<br />
* [https://sourceforge.net/projects/antergos/ Antergos]<br />
* [https://arquetype.org/ Arquetype CRT]<br />
* [https://sourceforge.net/projects/alphaos/ alphaOS]<br />
* [https://sourceforge.net/projects/apricityos/ Apricity OS]<br />
* [https://sourceforge.net/projects/archbang/ ArchBang]<br />
* [https://archbox-linux.github.io/ ArchBox]<br />
* [https://sourceforge.net/projects/archex/ ArchEX]<br />
* [https://sourceforge.net/projects/arch-xferience/ Arch XFerience]<br />
* [https://sourceforge.net/projects/bbqlinux/ BBQLinux]<br />
* [http://blackarch.org/ BlackArch Linux]<br />
* [https://sourceforge.net/projects/bluestarlinux/ Bluestar Linux]<br />
* [https://sourceforge.net/projects/chakra/ Chakra]<br />
* [http://easy.open.and.free.fr/didjix/ DidJiX]<br />
* [http://frugalware.org/ Frugalware]<br />
* [https://sourceforge.net/projects/kaosx/ KaOS]<br />
* [http://www.obarun.org/index.html Obarun]<br />
* [https://sourceforge.net/projects/manjarolinux/ Manjaro Linux]<br />
* [https://sourceforge.net/projects/ninjaos/ Ninja OS]<br />
* [https://velt.io Velt OS]<br />
* [http://miraclxos.ml Miraclx OS]<br />
<br />
=== Others ===<br />
<br />
* [http://alpinelinux.org/ Alpine Linux]<br />
* [http://archlinuxarm.org/ Arch Linux ARM]<br />
* [https://arch-anywhere.org/ Arch-Anywhere]<br />
* [http://linhes.org/ LinHES]<br />
* [https://www.parabola.nu/ Parabola GNU/Linux-libre]<br />
* [https://sourceforge.net/projects/msys2/ MSYS2]<br />
* [http://ubos.net/ UBOS]<br />
* [https://www.pacbsd.org/ PacBSD]<br />
<br />
== Inactive ==<br />
<br />
These distributions are no longer developed, but show some of the history surrounding Arch Linux and the greater FOSS community. Sections show the year of the latest release.<br />
<br />
=== 2016 ===<br />
<br />
* [https://sourceforge.net/projects/architect-linux/ PacBang]<br />
<br />
=== 2015 ===<br />
<br />
* [https://sourceforge.net/projects/archassault/ ArchAssault]<br />
* [https://sourceforge.net/projects/bridgelinux/ Bridge Linux]<br />
* [http://www.kademar.org/ Kademar]<br />
* [https://sourceforge.net/projects/poliarch/ PoliArch]<br />
* [https://sourceforge.net/projects/tuxhatlinux/ Tux Hat Linux]<br />
<br />
=== 2014 ===<br />
<br />
* [https://github.com/Arch-Linux-MIPS Arch Linux MIPS]<br />
* [http://web.archive.org/web/20141217163857/http://mesklinux.org/ Mesk Linux]<br />
<br />
=== 2013 ===<br />
<br />
* [http://forum.freesco.pl/viewtopic.php?f=34&t=18935 CDN Linux]<br />
<br />
=== 2012 ===<br />
<br />
* [https://web.archive.org/web/20120614085009/http://archlinuxppc.org/ Arch Linux PPC]<br />
* [http://web.archive.org/web/20131124072119/http://www.archserver.org/ ArchServer]<br />
* [http://www.connochaetos.org/ ConnochaetOS]<br />
* [http://www.kahelos.org/ Kahel OS]<br />
* [https://web.archive.org/web/20120314025441/http://www.tommed.co.uk/ldr/ LDR]<br />
* [https://web.archive.org/web/20130727233942/http://nosonja.org/ Nosonja]<br />
<br />
=== 2011 ===<br />
<br />
* [http://www.archhurd.org/ Arch Hurd]<br />
* [http://code.google.com/p/archlive/ Archlive]<br />
* [http://ctkarch.org/ CTKArch]<br />
* [http://web.archive.org/web/20140108111301/http://k2z.com/elegance-a-arch-linux-spin-off-2/ Elegance]<br />
* [http://live.linux-gamers.net/ LinuX-gamers]<br />
<br />
=== 2010 ===<br />
<br />
* [http://www.archpwn.org/ ArchPwn]<br />
* [https://web.archive.org/web/20110202101442/http://blag.chaox.net/ Chaox]<br />
* [https://web.archive.org/web/20100125175854/http://code.google.com/p/uarch/ uArch]<br />
* [https://web.archive.org/web/20140329212256/http://www.uknow4kids.org/ UKnow4Kids]<br />
* [https://bbs.archlinux.org/viewtopic.php?pid=717249 Uzume Linux]<br />
<br />
=== 2009 ===<br />
<br />
* [http://code.google.com/p/archlinux-i586/ archlive-i586]<br />
* [http://web.archive.org/web/20150819194741/http://www.enlisy.net/en/ Enlisy]<br />
* [http://distrowatch.com/table.php?distribution=firefly Firefly Linux]<br />
* [https://web.archive.org/web/20091227101903/http://en.maryanlinux.com/ Maryan Linux 2]<br />
* [http://web.archive.org/web/20100210093146/http://www.shiftlinux.net/ Shift Linux]<br />
<br />
=== 2008 ===<br />
<br />
* [http://web.archive.org/web/20081224231003/http://rusher.webhop.org/wordpress/?page_id=143 Arch Linux Modified]<br />
* [https://web.archive.org/web/20090726221110/http://archie.dotsrc.org/ Archie]<br />
* [http://distrowatch.com/table.php?distribution=faunos FaunOS]<br />
<br />
=== 2007 ===<br />
<br />
* [http://marchlinux.wikidot.com/ March Linux]<br />
<br />
=== 2006 ===<br />
<br />
* [https://web.archive.org/web/20110728041813/http://arch-egis.berlios.de/news.php Aegis Project]<br />
* [https://web.archive.org/web/20100213030324/http://sourceforge.net/projects/freshmeat_lowarch/ Lowarch]<br />
* [https://web.archive.org/web/20070528084125/http://www.kotek.net/minimax/ Minimax]<br />
<br />
=== 2005 ===<br />
<br />
* [http://distrowatch.com/table.php?distribution=underground Underground Desktop]<br />
<br />
=== 2004 ===<br />
<br />
* [https://web.archive.org/web/20090327055005/http://www.datavibe.net/~essiene/ale/ Arch Linux Embedded Project]</div>Pdeanhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=364585OpenVPN2015-03-08T07:05:15Z<p>Pdean: </p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[zh-CN:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[pacman|Install]] {{Pkg|openvpn}} from the [[official repositories]].<br />
<br />
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.}}<br />
<br />
== Configure the system for TUN/TAP support ==<br />
<br />
OpenVPN requires TUN/TAP support, which is already supported and properly configured in the default kernel. If you are using the default kernel no modifications are required here. However, if you use another kernel make sure to enable the {{ic|tun}} module. <br />
<br />
If {{ic|$ zgrep CONFIG_TUN /proc/config.gz}} returns {{ic|1=CONFIG_TUN=n}}, make the following change to the kernel config file and rebuild the kernel.<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can be ignored, especially the server setup. Most likely you will want to begin with [[#The client configuration file]] and skip ahead to [[#Starting OpenVPN]] after that. Use the certificates and instructions given by your provider, for instance see: [[Airvpn]].<br />
<br />
{{Note|Most VPN providers that offer a free service support only PPTP, so to connect to their servers one can simply use [[PPTP server]].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
If you are setting up OpenVPN from scratch, you will need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].<br />
<br />
Create the needed certificates and keys by following: [[Create a Public Key Infrastructure Using the easy-rsa Scripts]].<br />
<br />
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.<br />
<br />
{{Note|The rest of this article assumes that the keys and certificates are placed in {{ic|/etc/openvpn}}.}}<br />
<br />
The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.<br />
<br />
A server needs server.crt, dh2048.pem (public), server.key, and ta.key (private).<br />
<br />
A client needs client.crt (public), client.key, and ta.key (private).<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.<br />
<br />
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in {{ic|/etc/openvpn}} on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.<br />
<br />
This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
<br />
Copy the example server configuration file to {{ic|/etc/openvpn/server.conf}}:<br />
<br />
# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf<br />
<br />
Edit the following:<br />
<br />
* The {{ic|ca}}, {{ic|cert}}, {{ic|key}}, and {{ic|dh}} parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.<br />
* It is recommended to run OpenVPN with reduced privileges once it has initialized. Do this by uncommenting the {{ic|user}} and {{ic|group}} directives.<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/elmer.crt<br />
key /etc/openvpn/elmer.key<br />
<br />
dh /etc/openvpn/dh2048.pem<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''0'''<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
{{Note|If the server is behind a firewall or a NAT router, you will have to forward the OpenVPN UDP port (1194) to the server.}}<br />
<br />
=== The client configuration file ===<br />
<br />
Copy the example client configuration file to {{ic|/etc/openvpn/client.conf}}:<br />
<br />
# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
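The two edits that matter most for security in the server and client files above are easy to get backwards: the {{ic|tls-auth}} key direction (0 on the server, 1 on the client) and the {{ic|user}}/{{ic|group}} privilege drop. The following is an added example, not part of the ArchWiki page or of OpenVPN itself: a checker that parses a configuration file and reports those mistakes, plus missing or relative certificate paths. The sample configurations are constructed from the elmer/bugs snippets above; {{ic|audit_openvpn_conf}} and {{ic|parse_conf}} are the example's own names.

```python
"""Check an OpenVPN server or client configuration for the edits described
above. Added example, not from the ArchWiki page; the sample configurations
are constructed from the elmer/bugs snippets."""
import shlex
from typing import Dict, List

# Constructed samples modelled on the server.conf and client.conf snippets above.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
user nobody
group nobody
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote elmer.acmecorp.org 1194
user nobody
group nobody
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
tls-auth /etc/openvpn/ta.key 1
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; '#' and ';' comment lines are skipped."""
    directives: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def audit_openvpn_conf(text: str, role: str) -> List[str]:
    """Return a list of problems for a config meant to run as 'server' or 'client'."""
    d = parse_conf(text)
    problems: List[str] = []
    expected_dir = "0" if role == "server" else "1"   # tls-auth key direction
    ta = d.get("tls-auth")
    if ta is None:
        problems.append("tls-auth missing: SSL/TLS HMAC handshake protection is not enabled")
    elif len(ta) < 2 or ta[1] != expected_dir:
        problems.append(f"tls-auth key direction should be {expected_dir} for a {role}")
    for name in ("user", "group"):
        args = d.get(name) or [None]
        if args[0] != "nobody":
            problems.append(f"{name} nobody not set: the daemon keeps its privileges after init")
    needed = ("ca", "cert", "key") + (("dh",) if role == "server" else ())
    for name in needed:
        args = d.get(name)
        if not args:
            problems.append(f"{name} directive missing")
        elif not args[0].startswith("/"):
            problems.append(f"{name} path '{args[0]}' is relative; use an absolute path")
    if role == "client" and "remote" not in d:
        problems.append("remote directive missing")
    return problems


if __name__ == "__main__":
    print("server:", audit_openvpn_conf(SERVER_CONF, "server"))
    print("client:", audit_openvpn_conf(CLIENT_CONF, "client"))
    print("client file used as server:", audit_openvpn_conf(CLIENT_CONF, "server"))
```

An empty list means the file has the protections the section asks for; run it on {{ic|/etc/openvpn/server.conf}} and {{ic|/etc/openvpn/client.conf}} with the matching role before starting the daemons.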
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. You should see something similar to this:<br />
<br />
{{hc|# openvpn /etc/openvpn/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
{{Note|If you do not configure the MTU, you will notice that small packets such as ping and DNS work, but web browsing does not.}}<br />
<br />
Now it is time to configure the maximum segment size (MSS). To do this, we first need to discover the smallest MTU along the path between the client and the server. Ping the server with fragmentation disabled (the DF bit set) and an explicit packet size:<br />
<br />
{{hc|# ping -c5 -M do -s 1500 elmer.acmecorp.org|2=<br />
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
<br />
--- core.myrelay.net ping statistics ---<br />
0 packets transmitted, 0 received, +5 errors<br />
}}<br />
<br />
We received an ICMP message telling us the path MTU is 576 bytes. This means we need to fragment the UDP packets to less than 576 bytes, to leave room for the UDP overhead.<br />
<br />
{{hc|# ping -c5 -M do -s 548 elmer.acmecorp.org|2=<br />
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.<br />
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms<br />
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms<br />
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms<br />
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms<br />
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms<br />
<br />
--- myrelay.net ping statistics ---<br />
5 packets transmitted, 5 received, 0% packet loss, time 4001ms<br />
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms<br />
}}<br />
<br />
After some trial and error, we discover that we need to fragment packets at 548 bytes. To do this, specify this fragment size in the configuration and instruct OpenVPN to fix the maximum segment size (MSS):<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
fragment 548<br />
mssfix<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
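The trial and error above can be automated with a binary search on the probe size. The script below is an added example and is not part of this page or of OpenVPN; it assumes iputils ping (the same {{ic|-c}}, {{ic|-M do}} and {{ic|-s}} flags used above) and relies on ping exiting non-zero when it gets the "Frag needed and DF set" error shown above. The host name is the one used in this article.<br />

```shell
#!/bin/bash
# Added example: find the largest DF-set ping payload that crosses the path,
# then derive the path MTU and the OpenVPN "fragment" value from it.
# Assumes iputils ping, i.e. the same -c, -M do and -s flags used above.
set -u

# probe HOST SIZE: one ping with the DF bit set and SIZE bytes of payload.
# Succeeds only if the echo reply came back; a "Frag needed" error makes
# ping exit non-zero, which is what the search relies on.
probe() {
    ping -c1 -W2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# largest_payload HOST [LOW] [HIGH]: binary search for the largest payload
# size in [LOW, HIGH] that probe accepts. Prints it, or fails if none does.
# The default HIGH of 1472 is the largest payload for a 1500-byte MTU.
largest_payload() {
    local host=$1 lo=${2:-0} hi=${3:-1472} best="" mid
    # every size <= best has passed, every size > hi has failed
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# path_mtu HOST: payload plus the 20-byte IPv4 header and 8-byte ICMP header.
path_mtu() {
    local payload
    payload=$(largest_payload "$1") || return 1
    printf '%s\n' "$(( payload + 28 ))"
}

# fragment_size HOST: value for "fragment N" in client.conf. OpenVPN counts
# the UDP payload only, and the UDP header is 8 bytes like ICMP's, so this
# is the same number as the largest probe payload (576 -> 548 above).
fragment_size() {
    largest_payload "$1"
}

# Stand-alone use: ./mtu-probe.sh elmer.acmecorp.org
if [ -n "${1:-}" ]; then
    echo "path MTU: $(path_mtu "$1")"
    echo "fragment $(fragment_size "$1")"
fi
```

The 28-byte difference between the two numbers in the article (MTU 576, fragment 548) is the IPv4 header plus one 8-byte transport header; since ICMP echo and UDP headers are the same size, the largest payload that pings through is exactly the value to put after {{ic|fragment}}. Run the script on the client against the server's public name, then copy the printed value into client.conf together with {{ic|mssfix}}.<br />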
<br />
<br />
{{Note|The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottleneck is on the client side.}}<br />
<br />
You can also let OpenVPN do this for you by having it run the MTU test every time the client connects to the VPN. Be patient: the client may not tell you that the test is running, and the connection may appear nonfunctional until it has finished.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
mtu-test<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
<br />
=== IPv6 ===<br />
In order to connect to a server which is only available with IPv6 (for example with DS Lite), you have to change <br />
<br />
{{hc|/etc/openvpn/server.conf and /etc/openvpn/client.conf|<br />
proto udp<br />
}}<br />
<br />
to<br />
<br />
{{hc|/etc/openvpn/server.conf and /etc/openvpn/client.conf|<br />
proto udp6<br />
}}<br />
<br />
in both server.conf and client.conf (See [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki])<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start OpenVPN automatically at system boot, either for a client or for a server, [[enable]] {{ic|openvpn@''<configuration>''.service}} on the applicable machine.<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client.conf}}, the service name is {{ic|openvpn@client.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server.conf}}, the service name is {{ic|openvpn@server.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn@client<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn@client<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{ic|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings, or you can choose to import [[#The client configuration file]] if you have already created one. If you followed the instructions in this article then it will be located at {{ic|/etc/openvpn/client.conf}}. To connect to the VPN simply turn the connection on.<br />
<br />
== Routing all client traffic through the server ==<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect the OpenVPN documentation on this topic] for more information.}}<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., {{ic|/etc/openvpn/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect]:<br />
<br />
push "redirect-gateway def1"<br />
push "dhcp-option DNS 10.8.0.1"<br />
<br />
Change "10.8.0.1" to your preferred DNS IP address.<br />
<br />
If DNS stops responding after connecting to the server, install [[BIND]] as a simple DNS forwarder and push the IP address of the OpenVPN server as the DNS server to clients.<br />
<br />
Now you need to enable [[#IPv4 forwarding]] on the server.<br />
<br />
In addition to the above, your server's firewall will need to be set up to allow VPN traffic through it, which is described below for both [[ufw]] and [[iptables]].<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to configure your ufw settings for VPN traffic first add the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Now change {{ic|/etc/ufw/before.rules}}, and add the following code after the header and before the "*filter" line. Don't forget to change the IP/subnet mask to match the one in {{ic|/etc/openvpn/server.conf}}.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to enp1s0<br />
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE<br />
<br />
# don't delete the "COMMIT" line or the NAT table rules above won't be processed<br />
COMMIT<br />
}}<br />
<br />
Lastly, open OpenVPN port 1194:<br />
<br />
ufw allow 1194<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you don't trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
# Allow TUN interface connections to OpenVPN server<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
# Allow TUN interface connections to be forwarded through other interfaces<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
# Allow TAP interface connections to OpenVPN server<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
# Allow TAP interface connections to be forwarded through other interfaces<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally, edit {{ic|/etc/conf.d/iptables}} and set {{ic|1=IPTABLES_FORWARD=1}}.<br />
<br />
When you are satisfied make the changes permanent in the [[iptables#Configuration file]].<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
==== IPv4 forwarding ====<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.<br />
<br />
Edit or create {{ic|/etc/sysctl.d/99-sysctl.conf}} to permanently enable IPv4 packet forwarding (takes effect at the next boot):<br />
<br />
{{hc|/etc/sysctl.d/99-sysctl.conf|2=<br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
}}<br />
<br />
{{Tip|To temporarily enable without rebooting: {{ic|# echo 1 > /proc/sys/net/ipv4/ip_forward}}}}<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the client's LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server must not use the {{ic|duplicate-cn}} directive in its configuration file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file: {{hc|/etc/openvpn/server.conf|client-to-client}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
.<br />
.<br />
}}<br />
<br />
{{Note|As always, make sure that the routing is properly configured.}}<br />
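The prerequisites from [[#Connect the client LAN to a server]] (unique client subnets, one ccd file named after each client's common name) and the {{ic|route}} / {{ic|push "route"}} directives of the last two sections can be checked and generated with the following script. It is an added example, not from this page or from OpenVPN; the client list ("bugs" with 192.168.4.0/24 as above, plus a second client "daffy") is constructed for the example, and the script assumes a POSIX shell with {{ic|awk}}.<br />

```shell
#!/bin/bash
# Added example (not from the page or the OpenVPN project): build the per-client
# ccd files and the server.conf route directives for a set of client LANs, after
# checking the prerequisite that no two client subnets overlap.
# The client list is constructed for this example: "<common name> <subnet>/<prefix>".
set -u

ip_to_int() {   # dotted quad -> integer
    local IFS=.
    set -- $1
    printf '%s\n' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

int_to_ip() {   # integer -> dotted quad
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

prefix_to_mask() {   # 24 -> integer form of 255.255.255.0
    printf '%s\n' "$(( (4294967295 << (32 - $1)) & 4294967295 ))"
}

# cidr_overlap A B: true when the two CIDR blocks share at least one address,
# i.e. both network addresses agree under the shorter of the two prefixes.
cidr_overlap() {
    local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/} len mask
    len=$(( a_len < b_len ? a_len : b_len ))
    mask=$(prefix_to_mask "$len")
    [ $(( $(ip_to_int "$a_ip") & mask )) -eq $(( $(ip_to_int "$b_ip") & mask )) ]
}

# entries LIST: one "cn:subnet" word per non-empty line of LIST
entries() {
    printf '%s\n' "$1" | awk 'NF == 2 { print $1 ":" $2 }'
}

# check_unique LIST: fail and name the first pair of clients whose subnets overlap.
check_unique() {
    local a b
    set -- $(entries "$1")
    for a in "$@"; do       # the shift makes every pair compare exactly once
        shift
        for b in "$@"; do
            if cidr_overlap "${a#*:}" "${b#*:}"; then
                echo "overlap: ${a%%:*} ${a#*:} and ${b%%:*} ${b#*:}" >&2
                return 1
            fi
        done
    done
}

# iroute_line SUBNET: the single line that goes into /etc/openvpn/ccd/<cn>
iroute_line() {
    printf 'iroute %s %s\n' "${1%/*}" "$(int_to_ip "$(prefix_to_mask "${1#*/}")")"
}

# write_ccd DIR LIST: create DIR/<cn> for every client. The common name
# becomes a file name, so refuse anything that could escape DIR.
write_ccd() {
    local dir=$1 e cn
    set -- $(entries "$2")
    for e in "$@"; do
        cn=${e%%:*}
        case $cn in */*|.|..) echo "refusing unsafe common name: $cn" >&2; return 1 ;; esac
        iroute_line "${e#*:}" > "$dir/$cn"
    done
}

# server_lines LIST: directives for server.conf. "route" sends each subnet to
# the tun device; push "route" announces it to the other clients.
server_lines() {
    local e net mask
    echo "client-config-dir ccd"
    echo "client-to-client"
    for e in $(entries "$1"); do
        net=${e#*:}
        mask=$(int_to_ip "$(prefix_to_mask "${net#*/}")")
        printf 'route %s %s\n' "${net%/*}" "$mask"
        printf 'push "route %s %s"\n' "${net%/*}" "$mask"
    done
}

# Constructed sample: the page's client "bugs" plus a second client "daffy".
CLIENTS='bugs 192.168.4.0/24
daffy 192.168.5.0/24'

main() {
    check_unique "$CLIENTS" || return 1
    server_lines "$CLIENTS"
}

main
```

Run it on the server: if {{ic|check_unique}} passes, paste the printed lines into {{ic|/etc/openvpn/server.conf}} and call {{ic|write_ccd /etc/openvpn/ccd "$CLIENTS"}} to create the {{ic|iroute}} files. The common-name check matters because the ccd lookup turns a certificate field into a path under {{ic|/etc/openvpn/ccd}}.<br />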
<br />
== DNS ==<br />
<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
Next, download the following script and save it as {{ic|/etc/openvpn/update-resolv-conf.sh}}: [https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh]<br />
<br />
Remember to make the file executable with:<br />
<br />
$ chmod +x /etc/openvpn/update-resolv-conf.sh<br />
<br />
<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
<br />
script-security 2 <br />
up /etc/openvpn/update-resolv-conf.sh<br />
down /etc/openvpn/update-resolv-conf.sh<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
<br />
[https://github.com/masterkorp/openvpn-update-resolv-conf Update resolv conf script github repository]<br />
<br />
'''''Caveat''''': The script will fail to restore the original DNS settings if your OpenVPN client configuration is set up to drop root privileges after connection. To avoid running OpenVPN as root you can add a locked-down user which is only allowed to use [[Sudo#Example Entries|''sudo'']] on ''resolvconf''. Then you have to change the {{ic|RESOLVCONF}} variable in the script to {{ic|1=RESOLVCONF=/usr/bin/sudo /usr/bin/resolvconf}} and the DNS restoration on disconnect should work with the generally dropped root privileges as well.<br />
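To show what an {{ic|up}}/{{ic|down}} script of this kind actually does, here is a minimal one as an added example; it is not the update-resolv-conf script linked above and not part of this page. It relies on OpenVPN exporting each pushed option it does not handle itself to the script as {{ic|foreign_option_''N''}} (for example {{ic|dhcp-option DNS 10.8.0.1}}), the tunnel device as {{ic|dev}} and the phase as {{ic|script_type}}, and on openresolv's {{ic|resolvconf -a}} / {{ic|resolvconf -d}} interface. The function names and the {{ic|RESOLVCONF}} override are this example's own.<br />

```shell
#!/bin/bash
# Added example, not the update-resolv-conf script linked above: a minimal
# up/down handler showing the mechanism such scripts rely on. OpenVPN exports
# every pushed option it does not handle itself to the script as
# foreign_option_N (for example "dhcp-option DNS 10.8.0.1"), the tunnel
# device as $dev and the phase as $script_type. RESOLVCONF can be overridden
# in the environment, e.g. "sudo /usr/bin/resolvconf" as in the caveat above.
RESOLVCONF=${RESOLVCONF:-/usr/bin/resolvconf}

# is_ipv4 ADDR: accept only a plain dotted quad, so a malformed (or hostile)
# pushed value cannot smuggle arbitrary text into resolv.conf.
is_ipv4() {
    local IFS=. n octets=0
    for n in $1; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
        octets=$(( octets + 1 ))
    done
    [ "$octets" -eq 4 ]
}

# is_domain NAME: letters, digits, '-' and '.' only.
is_domain() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# resolv_from_env: print resolv.conf lines built from foreign_option_1,
# foreign_option_2, ... stopping at the first one that is unset. Values that
# fail validation are dropped rather than written.
resolv_from_env() {
    local i=1 opt search=""
    while eval "opt=\${foreign_option_$i-}"; [ -n "$opt" ]; do
        set -- $opt            # $1 = dhcp-option, $2 = keyword, $3 = value
        if [ "$1" = "dhcp-option" ]; then
            case ${2-} in
                DNS)    if is_ipv4 "${3-}"; then printf 'nameserver %s\n' "$3"; fi ;;
                DOMAIN) if is_domain "${3-}"; then search="$search $3"; fi ;;
            esac
        fi
        i=$(( i + 1 ))
    done
    if [ -n "$search" ]; then printf 'search%s\n' "$search"; fi
}

# up_dns / down_dns: register or drop the tunnel's entry with openresolv.
# $RESOLVCONF is left unquoted on purpose so a "sudo resolvconf" value splits.
up_dns()   { resolv_from_env | $RESOLVCONF -a "${dev}.openvpn"; }
down_dns() { $RESOLVCONF -d "${dev}.openvpn"; }

# OpenVPN runs the same script for both phases; dispatch on $script_type.
case ${script_type-} in
    up)   up_dns ;;
    down) down_dns ;;
esac
```

Wired in with the {{ic|script-security 2}}, {{ic|up}} and {{ic|down}} lines shown above, the script registers the pushed resolvers under an openresolv entry named after the tunnel device and removes that entry again on disconnect, which is what keeps the rest of resolv.conf intact. The validation step is the part worth keeping in any variant: the pushed values come from the server, so only well-formed addresses and names should ever reach resolv.conf.<br />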
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Troubleshooting ==<br />
<br />
=== Resolve issues ===<br />
<br />
If you are having resolve issues when starting your profile:<br />
{{hc|# journalctl _SYSTEMD_UNIT&#61;openvpn@''profile''.service|<br />
RESOLVE: Cannot resolve host address: example.com: Name or service not known<br />
}}<br />
<br />
{{Accuracy|1=Ordering "After=network.target" does not work universally. See [http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ network.target]. Further, not the original unit in {{ic|/usr/lib}} should be modified but a copy, cross-referencing [[Systemd#Editing provided unit files]].}}<br />
Then, '''only if your network setup can be started before OpenVPN''', you should force OpenVPN to wait for the network by adding {{ic|1=Requires=network.target}} and {{ic|1=After=network.target}} to the OpenVPN systemd service file:<br />
{{hc|/usr/lib/systemd/system/openvpn@.service|<nowiki><br />
[Unit]<br />
Description=OpenVPN connection to %i<br />
Requires=network.target<br />
After=network.target<br />
...</nowiki><br />
}}<br />
Don't forget to restart OpenVPN:<br />
# systemctl daemon-reload<br />
# systemctl restart openvpn@''profile''<br />
<br />
=== Client daemon not restarting after suspend ===<br />
<br />
If you put your client system to sleep and OpenVPN does not restart on resume, leaving you with broken connectivity, create the following file:<br />
<br />
{{hc|/usr/lib/systemd/system-sleep/vpn.sh|2=<br />
#!/bin/sh<br />
if [ "$1" = "pre" ]<br />
then<br />
killall openvpn<br />
fi<br />
}}<br />
<br />
Make it executable with {{ic|# chmod a+x /usr/lib/systemd/system-sleep/vpn.sh}}, then make the service restart whenever it stops:<br />
<br />
{{hc|/etc/systemd/system/openvpn@.service.d/restart.conf|2=<br />
[Service]<br />
Restart=always<br />
}}<br />
<br />
== See Also ==<br />
* [https://openvpn.net/index.php/open-source.html OpenVPN Official Site]</div>Pdean