https://wiki.archlinux.org/api.php?action=feedcontributions&user=Smrtz&feedformat=atom
ArchWiki - User contributions [en] 2024-03-19T06:01:38Z User contributions MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=Systemd-boot&diff=315861 Systemd-boot 2014-05-20T20:56:04Z
<p>Smrtz: /* Adding boot entries */ switched "not" to "note" in second to last paragraph</p>
<hr />
<div>[[Category:Boot loaders]]<br />
[[ja:Gummiboot]]<br />
{{Related articles start}}<br />
{{Related|Arch boot process}}<br />
{{Related|Boot loaders}}<br />
{{Related|Unified Extensible Firmware Interface}}<br />
{{Related articles end}}<br />
<br />
From [http://freedesktop.org/wiki/Software/gummiboot/ Gummiboot homepage]:<br />
:''Gummiboot is a simple UEFI boot manager which executes configured EFI images. The default entry is selected by a configured pattern (glob) or an on-screen menu''.<br />
<br />
It is simple to configure, but it can only start EFI executables, such as an [[EFISTUB]] kernel, the UEFI Shell or grub.efi.<br />
<br />
{{Warning|Gummiboot simply provides a boot menu for EFISTUB kernels. In case you have issues booting EFISTUB kernels like in {{Bug|33745}}, you should use a boot loader which does not use EFISTUB, like [[GRUB]], [[Syslinux]] or [[Bootloaders#ELILO|ELILO]].}}<br />
<br />
{{Note|In the entire article {{ic|$esp}} denotes the mountpoint of the [[UEFI#EFI System Partition|EFI System Partition]] aka ESP.}}<br />
<br />
== Installation ==<br />
<br />
For the rest of this document, we assume {{ic|$esp}} is the mount point of your EFI system partition.<br />
<br />
Install the {{Pkg|gummiboot}} package and then install gummiboot to the ESP:<br />
<br />
# mount -t efivarfs efivarfs /sys/firmware/efi/efivars # required even inside chroot if any, ignore if already mounted<br />
# pacman -S gummiboot<br />
# gummiboot --path=$esp install<br />
<br />
This copies the gummiboot binary to your EFI System Partition and creates a boot entry in the EFI Boot Manager. If you are not booted via EFI, creating the boot entry will fail. You should however still be able to boot gummiboot, because the binary is also copied to the default EFI binary location on your ESP ({{ic|$esp/EFI/boot/bootx64.efi}} on x86_64 systems), unless a non-gummiboot {{ic|$esp/EFI/boot/bootx64.efi}} is already present there. <br />
<br />
{{Note|If {{ic|gummiboot}} fails to create a boot entry, check whether all the conditions mentioned [[UEFI#Requirements for UEFI Variables support to work properly|here]] are met.}}<br />
<br />
===Updating===<br />
Gummiboot assumes that your EFI System Partition is mounted on {{ic|/boot}}. If the ESP is not mounted on {{ic|/boot}}, gummiboot will not be updated automatically during pkg updates and you will have to call {{ic|1=gummiboot --path=$esp update}} after every package update. Additionally you will have to make sure that the kernel and initramfs are copied onto the ESP as gummiboot cannot load EFI binaries from other partitions. It is therefore strongly recommended to mount your ESP to {{ic|/boot}} if you use gummiboot, in which case updating will happen automatically by the {{ic|post_install}} script of {{Pkg|gummiboot}} during package updates.<br />
<br />
==Configuration ==<br />
<br />
=== Basic Configuration ===<br />
<br />
The basic configuration is kept in {{ic|$esp/loader/loader.conf}}, with just two possible configuration options:<br />
<br />
* {{ic|default}} – default entry to select (without the {{ic|.conf}} suffix); can be a wildcard like {{ic|arch-*}}<br />
<br />
* {{ic|timeout}} – menu timeout in seconds. If this is not set, the menu will only be shown when you hold the space key while booting.<br />
<br />
Example:<br />
<br />
{{hc|$esp/loader/loader.conf|<br />
default arch<br />
timeout 4<br />
}}<br />
<br />
Note that both options can be changed in the boot menu itself, which will store them as EFI variables.<br />
<br />
{{Note|If no timeout is configured, which is the default setting, and no key pressed during bootup, the default entry is executed right away.}}<br />
<br />
=== Adding boot entries ===<br />
<br />
Gummiboot searches for boot menu items in {{ic|$esp/loader/entries/*.conf}} – each file found must contain exactly one boot entry. The possible options are:<br />
<br />
* {{ic|title}} – operating system name. '''Required.'''<br />
<br />
* {{ic|version}} – kernel version, shown only when multiple entries with same title exist. Optional.<br />
<br />
* {{ic|machine-id}} – machine identifier from {{ic|/etc/machine-id}}, shown only when multiple entries with same title and version exist. Optional.<br />
<br />
* {{ic|efi}} – EFI program to start, relative to your ESP ({{ic|$esp}}); e.g. {{ic|/vmlinuz-linux}}. Either this or {{ic|linux}} (see below) is '''required.'''<br />
<br />
* {{ic|options}} – Command-line options to pass to the EFI program. Optional, but you will need at least {{ic|1=initrd=''efipath''}} and {{ic|1=root=''dev''}} if booting Linux.<br />
<br />
For Linux, you can specify {{ic|linux ''path-to-vmlinuz''}} and {{ic|initrd ''path-to-initramfs''}}; this will be automatically translated to {{ic|efi ''path''}} and {{ic|1=options initrd=''path''}} – this syntax is only supported for convenience and has no differences in function. <br />
<br />
You can find the PARTUUID of your root partition with {{ic|1=blkid -s PARTUUID -o value /dev/sdxx}}, where {{ic|/dev/sdxx}} is the root partition, not the ESP.<br />
<br />
An example entry for Arch Linux:<br />
<br />
{{hc|$esp/loader/entries/arch.conf|2=<br />
title Arch Linux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options root=PARTUUID=14420948-2cea-4de7-b042-40f67c618660 rw<br />
}}<br />
<br />
Note that in the example above PARTUUID/PARTLABEL identify a GPT partition, whereas UUID/LABEL identify a filesystem. PARTUUID/PARTLABEL are preferable because they survive reformatting the partition with another filesystem and do not change when the /dev/sd* naming does. They also work when the partition holds no filesystem at all, or a LUKS1 container, which has no label of its own.<br />
<br />
An example entry for an encrypted root (dm-crypt with LUKS):<br />
{{hc|$esp/loader/entries/arch-encrypted.conf|2=<br />
title Arch Linux (Encrypted)<br />
linux /path/to/vmlinuz-linux<br />
options initrd=/path/to/initramfs-linux.img cryptdevice=UUID=<UUID>:luks-<UUID> root=UUID=<luks-UUID> rw<br />
}}<br />
<br />
In the encrypted example the initrd is given as an {{ic|1=initrd=}} option instead of a separate {{ic|initrd}} line; as explained above, the two spellings are equivalent. {{ic|<UUID>}} is the UUID of the LUKS container, i.e. of the raw partition as reported by {{ic|blkid}}; the {{ic|1=cryptdevice=}} parameter tells the {{ic|encrypt}} initramfs hook to open it as {{ic|/dev/mapper/luks-<UUID>}}. {{ic|<luks-UUID>}} is the UUID of the filesystem inside the container, which only becomes visible once the container has been opened; {{ic|1=root=/dev/mapper/luks-<UUID>}} would name the same device. A PARTUUID can replace the container UUID in {{ic|1=cryptdevice=}}, if so desired. Note that the kernel and initramfs on the ESP lie outside the encrypted container, so anyone with access to the disk can read and modify them.<br />
<br />
You can also add other EFI programs such as {{ic|\EFI\arch\grub.efi}}.<br />
<br />
{{Note|Gummiboot will automatically check for "'''Windows Boot Manager'''" ({{ic|\EFI\Microsoft\Boot\Bootmgfw.efi}}), "'''EFI Shell'''" ({{ic|\shellx64.efi}}) and "'''EFI Default Loader'''" ({{ic|\EFI\Boot\bootx64.efi}}), and display entries for them if they are present, so you do not have to manually create entries for them. However it does not autodetect other EFI applications (unlike rEFInd), so for booting the kernel, manual config entries must be created as mentioned above.}}<br />
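The following script is an added example (it is not part of this page or of gummiboot) that writes an entry in the shorthand form shown above and then checks every file under {{ic|$esp/loader/entries/}} the way you would before rebooting: {{ic|linux}}/{{ic|initrd}} lines are folded into {{ic|efi}}/{{ic|1=options initrd=}} exactly as gummiboot does, the referenced images must exist on the ESP (gummiboot cannot read other partitions), an entry that carries an {{ic|1=initrd=}} must also carry {{ic|1=root=}}, and a {{ic|root=/dev/sdX}} device name is flagged because it can change between boots. The {{ic|demo()}} function builds a throw-away ESP in a temporary directory with placeholder kernel and initramfs files (constructed data); nothing is written to a real ESP.<br />

```python
#!/usr/bin/env python3
"""Write and sanity-check gummiboot entries under $esp/loader/entries/ (added example)."""
import re
import tempfile
from pathlib import Path

# Keys an entry may contain, per the list above.
KNOWN_KEYS = {"title", "version", "machine-id", "efi", "linux", "initrd", "options"}


def esp_path(esp, loader_path):
    """Map a loader path such as '/vmlinuz-linux' or '\\EFI\\arch\\grub.efi' onto the mounted ESP."""
    return Path(esp) / loader_path.replace("\\", "/").lstrip("/")


def parse_entry(text):
    """Parse one entry file; 'linux'/'initrd' are rewritten to the 'efi'/'options initrd=' form."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entry[key] = value.strip()
    if "linux" in entry:
        entry["efi"] = entry.pop("linux")
    if "initrd" in entry:
        initrd_opt = "initrd=" + entry.pop("initrd")
        entry["options"] = (initrd_opt + " " + entry["options"]).strip() if entry.get("options") else initrd_opt
    return entry


def check_entry(entry, esp):
    """Return the problems found; an empty list means the entry looks bootable."""
    problems = []
    unknown = set(entry) - KNOWN_KEYS
    if unknown:
        problems.append("unknown keys: " + ", ".join(sorted(unknown)))
    if "title" not in entry:
        problems.append("missing required key: title")
    if "efi" not in entry:
        problems.append("missing required key: efi (or linux)")
    elif not esp_path(esp, entry["efi"]).is_file():
        # gummiboot only loads from the ESP; a kernel left on another partition is invisible to it
        problems.append("efi image not on ESP: " + entry["efi"])
    options = entry.get("options", "")
    initrd = re.search(r"(?:^|\s)initrd=(\S+)", options)
    if initrd:
        if not esp_path(esp, initrd.group(1)).is_file():
            problems.append("initrd not on ESP: " + initrd.group(1))
        # An initrd means this is a Linux kernel, which also needs to know its root device
        if re.search(r"(?:^|\s)root=", options) is None:
            problems.append("options lack root= (needed when booting Linux)")
        elif re.search(r"(?:^|\s)root=/dev/sd", options):
            problems.append("root= uses a /dev/sdX name, which can change between boots; use PARTUUID=")
    return problems


def write_entry(esp, name, title, linux, initrd, options):
    """Create $esp/loader/entries/<name>.conf in the shorthand form shown above."""
    entries = Path(esp) / "loader" / "entries"
    entries.mkdir(parents=True, exist_ok=True)
    path = entries / (name + ".conf")
    path.write_text(f"title {title}\nlinux {linux}\ninitrd {initrd}\noptions {options}\n")
    return path


def check_all(esp):
    """Check every entry under $esp/loader/entries; returns {filename: [problems]}."""
    entries = Path(esp) / "loader" / "entries"
    return {p.name: check_entry(parse_entry(p.read_text()), esp) for p in sorted(entries.glob("*.conf"))}


def demo():
    """Constructed sample: a throw-away ESP with placeholder images, one good entry and one bad one."""
    esp = tempfile.mkdtemp(prefix="esp-")
    Path(esp, "vmlinuz-linux").write_bytes(b"not a real kernel")
    Path(esp, "initramfs-linux.img").write_bytes(b"not a real initramfs")
    write_entry(esp, "arch", "Arch Linux", "/vmlinuz-linux", "/initramfs-linux.img",
                "root=PARTUUID=14420948-2cea-4de7-b042-40f67c618660 rw")
    # Wrong initramfs name and an unstable root= device name
    write_entry(esp, "arch-bad", "Arch Linux (bad)", "/vmlinuz-linux", "/initramfs-linux-lts.img",
                "root=/dev/sda2 rw")
    return check_all(esp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To check a real ESP, call {{ic|check_all('/boot')}} (or whatever {{ic|$esp}} is) instead of {{ic|demo()}}; the script only reads from it.<br />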
<br />
== Inside the boot menu ==<br />
<br />
=== Keys ===<br />
<br />
The following keys are used inside the menu:<br />
* {{ic|Up/Down}} - select entry<br />
* {{ic|Enter}} - boot the selected entry<br />
* {{ic|d}} - select the default entry to boot (stored in a non-volatile EFI variable)<br />
* {{ic|-/T}} - decrease the timeout (stored in a non-volatile EFI variable)<br />
* {{ic|+/t}} - increase the timeout (stored in a non-volatile EFI variable)<br />
* {{ic|e}} - edit the kernel command line of the selected entry for this boot only (the change is not saved; note that anyone at the console can use this to pass arbitrary parameters to the kernel, so the loader configuration is not an access control)<br />
* {{ic|v}} - show the gummiboot and UEFI version<br />
* {{ic|Q}} - quit<br />
* {{ic|P}} - print the current configuration<br />
* {{ic|h/?}} - help<br />
<br />
These hotkeys will, when pressed inside the menu or during bootup, directly boot<br />
a specific entry:<br />
<br />
* {{ic|l}} - Linux<br />
* {{ic|w}} - Windows<br />
* {{ic|a}} - OS X<br />
* {{ic|s}} - EFI Shell<br />
* {{ic|1-9}} - number of entry<br />
<br />
== Troubleshooting ==<br />
<br />
=== Manual entry using efibootmgr ===<br />
<br />
If the {{ic|gummiboot install}} command failed, you can create an EFI boot entry manually with the {{ic|efibootmgr}} utility:<br />
<br />
# efibootmgr -c -d /dev/sdX -p Y -l /EFI/gummiboot/gummibootx64.efi -L "Gummiboot"<br />
<br />
where {{ic|/dev/sdXY}} is the EFI System Partition. Check the result with {{ic|efibootmgr -v}}, which lists every entry together with the boot order.<br />
<br />
=== Menu does not appear after Windows upgrade ===<br />
<br />
For example, if you upgraded from Windows 8 to Windows 8.1 and no longer see the boot menu after the upgrade (i.e., Windows boots immediately):<br />
* Make sure Secure Boot (a firmware setting) and Fast Startup (a Windows power option) are both disabled. The gummiboot binary is not signed, so it cannot start while Secure Boot is enabled; be aware that turning Secure Boot off removes firmware verification of the whole boot chain, not just of gummiboot.<br />
* Make sure the firmware prefers the "Linux Boot Manager" entry over "Windows Boot Manager" (depending on the firmware, this may appear under a setting such as Hard Disk Drive Priority); the upgrade may have moved the Windows entry to the front of the boot order.<br />
<br />
== References ==<br />
<br />
* http://freedesktop.org/wiki/Software/gummiboot/</div>
Smrtz
https://wiki.archlinux.org/index.php?title=Conky&diff=266342 Conky 2013-07-15T04:58:59Z
<p>Smrtz: removed verifying DBE module loaded with grep | no output for command in 1.14.2</p>
<hr />
<div>[[Category:Status monitoring and notification]]<br />
[[es:Conky]]<br />
[[fr:Conky]]<br />
[[it:Conky]]<br />
[[ru:Conky]]<br />
[[tr:Conky]]<br />
[[zh-CN:Conky]]<br />
<br />
Conky is a system monitor for the X Window System. It is available for GNU/Linux and FreeBSD and is free software released under the terms of the GPL. Conky can monitor many system variables including CPU, memory, swap, disk space, temperature, top, upload, download, system messages and much more. It is extremely configurable, although the configuration can be a little hard to understand. Conky is a fork of torsmo.<br />
<br />
== Installation and configuration ==<br />
<br />
* [[pacman|Install]] the {{Pkg|conky}} package which is available in the [[official repositories]].<br />
* Edit the {{ic|~/.conkyrc}} configuration file, starting from one of the example configurations on the [http://conky.sourceforge.net/screenshots.html project's screenshots page].<br />
Conky reloads its configuration as soon as you save it, so the effect of any change is visible immediately without logging out of your X session. The easiest approach is therefore to try options one at a time, save the file, check the conky window, and revert anything that does not look right.<br />
* Alternatively, you can use the default config at {{ic|/etc/conky/conky.conf}}:<br />
$ cp /etc/conky/conky.conf ~/.conkyrc<br />
A local {{ic|~/.conkyrc}} is preferable.<br />
Like many applications, conky first looks for a local {{ic|.conkyrc}} and only falls back to the default in {{ic|/etc/conky}} if none exists.<br />
<br />
One of the nice features of conky is the ability to pipe {{ic|/var/log/}} files to your desktop and read all kinds of log messages. Most of these files are readable only by {{ic|root}}, so a conky started from your user account cannot show them. Running conky as {{ic|root}} is not recommended: the configuration executes arbitrary commands through {{ic|<nowiki>${exec}</nowiki>}} and related variables, so a user-writable {{ic|~/.conkyrc}} would become a way to run commands as root. Instead, grant your user read access to the logs:<br />
# usermod -aG log username<br />
This adds {{ic|username}} to the {{ic|log}} group, which may read the log files, and conky can then display them on your desktop (log in again for the new group membership to take effect). Keep in mind that this gives the user read access to every log the group can read, not only the ones conky shows.<br />
<br />
* If conky does not pick up changes you made to {{ic|~/.conkyrc}} (for example {{ic|minimum_size}}), make sure {{ic|/etc/conky/conky.conf}} does not still set the relevant option, or comment it out there. It is simplest to remove the files in {{ic|/etc/conky/}} altogether, as conky keeps reading them and this can produce Xorg error messages.<br />
<br />
== AUR packages ==<br />
<br />
In addition to the basic '''conky''' package, there are various [[AUR]] packages available with extra compile options enabled:<br />
<br />
* {{App|conky-cli|Conky without X11 dependencies||{{AUR|conky-cli}}}}<br />
* {{App|conky-lua|Conky with Lua support||{{AUR|conky-lua}}}}<br />
* {{App|conky-lua-nv|Conky with both Lua and Nvidia support||{{AUR|conky-lua-nv}}}}<br />
* {{App|conky-nvidia|Conky with Nvidia support||{{AUR|conky-nvidia}}}}<br />
<br />
== Tips and tricks ==<br />
<br />
=== Enable real transparency in KDE4 and Xfce4 ===<br />
<br />
Since version 1.8.0, Conky supports real transparency. To enable it, add this line to {{ic|~/.conkyrc}}:<br />
own_window_transparent yes<br />
<br />
Do not combine this with {{ic|own_window_argb_visual yes}}; the two options conflict.<br />
This replaces the {{Pkg|feh}} method described below.<br />
<br />
=== Autostart with Xfce4 ===<br />
<br />
In {{ic|.conkyrc}} file:<br />
background yes<br />
<br />
This option forks Conky into the background.<br />
If you want to make your window always visible on your desktop, sticky across all workspaces and not showing in your taskbar, add these arguments:<br />
own_window yes<br />
own_window_type override<br />
The override type takes the window out of the window manager's control.<br />
<br />
Add a {{ic|~/.config/autostart/conky.desktop}}:<br />
[Desktop Entry]<br />
Encoding=UTF-8<br />
Version=0.9.4<br />
Type=Application<br />
Name=conky<br />
Comment=<br />
Exec=conky -d<br />
StartupNotify=false<br />
Terminal=false<br />
Hidden=false<br />
<br />
=== Prevent flickering ===<br />
<br />
Conky needs the Double Buffer Extension (DBE) of the X server to prevent flickering, because it cannot update the window fast enough without it. In a static {{ic|/etc/X11/xorg.conf}} it is enabled with a {{ic|Load "dbe"}} line in {{ic|Section "Module"}}. Since Xorg 1.8 the single xorg.conf has been replaced by the snippets in {{ic|/etc/X11/xorg.conf.d}}, and ''DBE'' is loaded automatically.<br />
<br />
To enable double-buffer check to have in {{ic|~/.conkyrc}}:<br />
# Place below the other options, not below TEXT or XY<br />
double_buffer yes<br />
<br />
=== Custom colors ===<br />
<br />
Besides the classic preset colors (white, black, yellow...), you can define custom colors using a color code. To determine the code of a color, use a color picker such as {{Pkg|gcolor2}} from the [[Official Repositories|official repositories]]; the code is a string of letters and digits (a hexadecimal RGB value).<br />
Add this line in your configuration file for a custom color:<br />
color1 Colorname1<br />
color2 Colorname2<br />
Then, when editing the TEXT section, use custom color number previously defined.<br />
<br />
=== Dual Screen ===<br />
<br />
When using a dual screen configuration, you will need to play with two options to place your conky window.<br />
Say you are running at a resolution of 1680x1050 pixels and want the window at the top middle of your left monitor; use:<br />
alignment top_left<br />
gap_x 840<br />
The alignment option is self-explanatory; gap_x is the distance, in pixels, from the left edge of your screen.<br />
<br />
=== Do not minimize on Show Desktop ===<br />
<br />
'''Using Compiz:''' If the 'Show Desktop' button or key-binding minimizes Conky along with all other windows, start the Compiz configuration settings manager, go to "General Options" and uncheck the "Hide Skip Taskbar Windows" option.<br />
<br />
If you do not use Compiz, try editing {{ic|~/.conkyrc}} and adding/changing the following line:<br />
<br />
own_window_type override<br />
<br />
=== Integrate with Gnome 3 ===<br />
<br />
Some have experienced problems with Conky showing up under Gnome 3.<br />
*Add these lines to {{ic|~/.conkyrc}}:<br />
own_window yes<br />
own_window_type conky<br />
own_window_transparent yes<br />
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager<br />
<br />
If you still experience problems with transparency. You could add these lines.<br />
own_window_argb_visual yes<br />
own_window_argb_value 255<br />
<br />
=== Integrate with KDE ===<br />
<br />
The example configurations from the screenshots page can interfere with the rendering of desktop icons under KDE, so follow these steps.<br />
* Add these lines to {{ic|~/.conkyrc}}:<br />
own_window yes<br />
own_window_type normal<br />
own_window_transparent yes<br />
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager<br />
* If this setting is on, comment it out or delete the line:<br />
minimum_size<br />
* To automatically start Conky, create this symlink:<br />
** KDE4:<br />
$ ln -s /usr/bin/conky ~/.kde4/Autostart/conkylink<br />
** KDE3:<br />
$ ln -s /usr/bin/conky ~/.kde/share/autostart/conkylink<br />
* Install the {{Pkg|feh}} package which is available in the official repositories.<br />
* Make a script to allow transparency with the desktop<br />
In KDE4 edit {{ic|~/.kde4/Autostart/fehconky}}:<br />
<br />
#!/bin/bash<br />
feh --bg-scale "$(sed -n 's/wallpaper=//p' ~/.kde4/share/config/plasma-desktop-appletsrc)"<br />
<br />
In KDE3 edit {{ic|~/.kde/share/autostart/fehconky}}:<br />
<br />
#!/bin/bash<br />
feh --bg-scale $(dcop kdesktop KBackgroundIface currentWallpaper 1)<br />
<br />
use {{ic|--bg-center}} if you use a centered wallpaper.<br />
<br />
* Make it executable:<br />
** KDE4:<br />
$ chmod +x ~/.kde4/Autostart/fehconky<br />
** KDE3:<br />
$ chmod +x ~/.kde/share/autostart/fehconky<br />
* Instead of using a script, you can add the corresponding line to the bottom of {{ic|~/.conkyrc}}<br />
** For KDE4<br />
${exec feh --bg-scale "$(sed -n 's/wallpaper=//p' ~/.kde4/share/config/plasma-desktop-appletsrc)"}<br />
** For KDE3<br />
${exec feh --bg-scale $(dcop kdesktop KBackgroundIface currentWallpaper 1)}<br />
<br />
=== Integrate with Razor-qt ===<br />
<br />
With Conky's default configuration, its window might disappear from the desktop when you click on the latter.<br />
Add these lines to: <br />
{{hc|~/.conkyrc|own_window yes<br />
own_window_class Conky<br />
own_window_type normal<br />
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager<br />
own_window_transparent yes<br />
}}<br />
<br />
=== Display package update information ===<br />
<br />
* [https://bbs.archlinux.org/viewtopic.php?id=68104 Paconky] - Displays package update information in a user-defined format. The output of this program can be included in Conky with the {{ic|<nowiki>${execpi}</nowiki>}} command.<br />
* [https://bbs.archlinux.org/viewtopic.php?id=53761 Scrolling Notifications] - Prints scrolling update notifications. From the author of Paconky.<br />
* [https://bbs.archlinux.org/viewtopic.php?id=57291 Perl Script] - Simpler and earlier script from the author of Paconky. Prints only the number of packages needing an update.<br />
* [https://bbs.archlinux.org/viewtopic.php?id=37284 Python Script] - Fairly configurable update notification program in [[Python]].<br />
* [https://bbs.archlinux.org/viewtopic.php?pid=483742#p483742 Bash Script] - [[Bash]] script for users that have enabled ShowSize.<br />
<br />
=== Display weather forecast ===<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?id=37381 this thread].<br />
<br />
=== Display RSS feeds ===<br />
<br />
Conky has the ability to display RSS feeds natively without the need for an outside script to run and output into Conky. For example, to display the titles of the ten most recent Planet Arch updates and refresh the feed every minute, you would put this into your {{ic|~/.conkyrc}} in the TEXT section:<br />
<br />
${rss https://planet.archlinux.org/rss20.xml 1 item_titles 10 }<br />
If you want to display Arch Forum rss feed, add this line:<br />
${rss https://bbs.archlinux.org/extern.php?action=feed&type=rss 1 item_titles 4}<br />
where 1 is the refresh interval in minutes (15 minutes is the default) and 4 is the number of items to show.<br />
<br />
=== Display Distrowatch Arch Linux ranking ===<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?id=88779 this thread].<br />
<br />
=== Display rTorrent stats ===<br />
<br />
See [https://bbs.archlinux.org/viewtopic.php?id=67304 this thread].<br />
<br />
=== Display your WordPress blog stats ===<br />
<br />
This can be done with the Python extension [http://evilshit.wordpress.com/2013/04/20/conkypress-a-wordpress-stats-visualization-tool-for-your-desktop/ ConkyPress].<br />
<br />
=== Display number of new emails (Gmail) ===<br />
<br />
Create a file named {{ic|gmail.py}} in a convenient location (this example uses {{ic|~/.scripts/}}) with the following [[Python]] code. Keep the file mode 600, since it contains your password; the credentials are sent in an {{ic|Authorization}} header rather than embedded in the URL, where they could end up in error messages and logs:<br />
#!/usr/bin/env python<br />
<br />
import base64<br />
import urllib.request<br />
<br />
username = 'your username'<br />
password = 'your password'<br />
<br />
url = 'https://mail.google.com/mail/feed/atom'<br />
<br />
# HTTP Basic authentication: base64("user:password") in the Authorization header<br />
token = base64.b64encode(('%s:%s' % (username, password)).encode('utf-8')).decode('ascii')<br />
request = urllib.request.Request(url, headers={'Authorization': 'Basic ' + token})<br />
<br />
# urlopen verifies the server certificate by default on current Python 3<br />
with urllib.request.urlopen(request) as page:<br />
    contents = page.read().decode('utf-8')<br />
<br />
# the feed reports the number of unread messages as <fullcount>N</fullcount><br />
ifrom = contents.index('<fullcount>') + len('<fullcount>')<br />
ito = contents.index('</fullcount>')<br />
<br />
unread = contents[ifrom:ito]<br />
<br />
print(unread)<br />
<br />
With a Google App mail account, the above username variable must contain your domain:<br />
username = 'user@yourdomain.com'<br />
{{Note|Regular Gmail users input only your username without @gmail.com}}<br />
<br />
You can also use Python's urllib authentication handlers and parse the feed as XML:<br />
#!/usr/bin/env python<br />
<br />
import urllib.request<br />
from xml.etree import ElementTree as etree<br />
<br />
# Enter your username and password within the quotes below, in place of ****.<br />
# Set up authentication for gmail<br />
auth_handler = urllib.request.HTTPBasicAuthHandler()<br />
auth_handler.add_password(realm='New mail feed',<br />
                          uri='https://mail.google.com/',<br />
                          user='****',<br />
                          passwd='****')<br />
opener = urllib.request.build_opener(auth_handler)<br />
# ...and install it globally so it can be used with urlopen.<br />
urllib.request.install_opener(opener)<br />
<br />
gmail = 'https://mail.google.com/gmail/feed/atom'<br />
NS = '{http://purl.org/atom/ns#}'<br />
with urllib.request.urlopen(gmail) as source:<br />
    tree = etree.parse(source)<br />
fullcount = tree.find(NS + 'fullcount').text<br />
print(fullcount + ' new')<br />
<br />
Add the following to your {{ic|~/.conkyrc}} to check your Gmail account for new email every five minutes (300 seconds) and display the result:<br />
${execi 300 python ~/.scripts/gmail.py}<br />
{{Note|{{ic|execi}} shows the script's output verbatim. {{ic|execpi}} additionally parses the output as conky text, which is only needed when the script emits conky variables and is best avoided for output derived from network data.}}<br />
<br />
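As an added example (not from this page, and not a Google or conky script), here is the same Atom-feed approach with the parts a security review would change: the password lives in a separate file that must be owned by you and mode 600, the feed is parsed as XML, TLS verification uses Python's default context, and any failure prints {{ic|?}} so conky never shows a traceback. The feed URL and realm are the ones used by the scripts above; {{ic|~/.config/conky/gmail.cred}} and its {{ic|1=user=}}/{{ic|1=password=}} format are assumptions. {{ic|SAMPLE_FEED}} is a constructed feed so that the parsing can be exercised offline; Google now requires an application-specific password for this kind of access (see the note in the IMAP section below).<br />

```python
#!/usr/bin/env python3
"""Unread count from the Gmail Atom feed with tightened credential handling (added example)."""
import os
import ssl
import stat
import tempfile
import urllib.request
from pathlib import Path
from xml.etree import ElementTree as etree

FEED_URL = "https://mail.google.com/mail/feed/atom"   # endpoint used by the scripts above
NS = "{http://purl.org/atom/ns#}"


def load_credentials(path):
    """Read 'user=' and 'password=' lines from a file owned by us with mode 0600.

    Keeping the secret out of the script and off the command line means a
    world-readable ~/.conkyrc or a `ps` listing cannot leak it."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError("%s: not owned by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s: must not be accessible by group or others (chmod 600)" % path)
    creds = {}
    for line in Path(path).read_text().splitlines():
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    return creds["user"], creds["password"]


def parse_fullcount(xml_bytes):
    """Extract <fullcount> with a real XML parser instead of string slicing."""
    root = etree.fromstring(xml_bytes)
    node = root.find(NS + "fullcount")
    if node is None or not node.text or not node.text.isdigit():
        raise ValueError("feed has no numeric <fullcount> element")
    return int(node.text)


def fetch_unread(user, password, url=FEED_URL, timeout=20):
    """HTTP Basic auth over TLS; certificate chain and host name are verified by the default context."""
    auth = urllib.request.HTTPBasicAuthHandler()
    auth.add_password(realm="New mail feed", uri="https://mail.google.com/", user=user, passwd=password)
    https = urllib.request.HTTPSHandler(context=ssl.create_default_context())
    opener = urllib.request.build_opener(auth, https)
    with opener.open(url, timeout=timeout) as resp:
        return parse_fullcount(resp.read())


# Constructed sample with the elements the real feed carries (not captured from Google)
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#">
<title>Gmail - Inbox for example@gmail.com</title>
<fullcount>3</fullcount>
<entry><title>Hello</title></entry>
</feed>"""


def demo_credentials():
    """Write a constructed credentials file, first with a loose mode and then with 0600."""
    path = os.path.join(tempfile.mkdtemp(), "gmail.cred")
    Path(path).write_text("user=example\npassword=app-specific-password\n")
    os.chmod(path, 0o644)
    try:
        load_credentials(path)
        loose_accepted = True
    except PermissionError:
        loose_accepted = False
    os.chmod(path, 0o600)
    return loose_accepted, load_credentials(path)


if __name__ == "__main__":
    # Conky runs this every interval: print a placeholder rather than a traceback on failure.
    try:
        user, password = load_credentials(os.path.expanduser("~/.config/conky/gmail.cred"))
        print(fetch_unread(user, password))
    except Exception:
        print("?")
```

Point conky at it with {{ic|<nowiki>${execi 300 python3 ~/.scripts/gmail.py}</nowiki>}}; create the credentials file with {{ic|umask 077}} in effect so it never exists with a loose mode.<br />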
==== Other Methods ====<br />
<br />
The same way, but using {{ic|grep}} and {{ic|sed}} to filter the output of {{ic|wget}}:<br />
<br />
$ wget -q -O - https://mail.google.com/a/'''domain'''/feed/atom \<br />
> --http-user='''login'''@'''domain''' \<br />
> --http-password='''password''' | \<br />
> grep fullcount | sed 's/<[^0-9]*>//g'<br />
<br />
Replace '''login''', '''domain''' and '''password''' with your own data. Do not add {{ic|--no-check-certificate}}: it disables verification of the server certificate, so anyone between you and Google could impersonate the server and capture the password. Note also that a password given on the command line is visible to every local user in the process list; wget can read it from {{ic|~/.netrc}} (mode 600) instead.<br />
<br />
Alternatively, you can use [http://www.stunnel.org/ stunnel] which is provided by the {{Pkg|stunnel}} package.<br />
<br />
The following configuration is adapted from [http://conky.sourceforge.net/faq.html Conky's FAQ]. The certificate checks are added here (stunnel 5 option names), because the FAQ version verifies nothing and would accept any server; the {{ic|accept}} lines are bound to the loopback address so the plaintext side, which carries your password, is not reachable from the network; and the obsolete {{ic|1=sslVersion = TLSv1}} pin is dropped so that the current TLS version is negotiated.<br />
<br />
Modify {{ic|/etc/stunnel/stunnel.conf}} as follows, and then start the {{ic|stunnel}} [[Daemon|daemon]]:<br />
# Client mode: plain IMAP on the loopback side, STARTTLS towards Gmail<br />
[imap]<br />
client = yes<br />
accept = 127.0.0.1:143<br />
connect = imap.gmail.com:143<br />
protocol = imap<br />
verifyChain = yes<br />
checkHost = imap.gmail.com<br />
CAfile = /etc/ssl/certs/ca-certificates.crt<br />
# Client mode: plain IMAP on the loopback side, IMAPS towards Gmail<br />
[imaps]<br />
client = yes<br />
accept = 127.0.0.1:993<br />
connect = imap.gmail.com:993<br />
verifyChain = yes<br />
checkHost = imap.gmail.com<br />
CAfile = /etc/ssl/certs/ca-certificates.crt<br />
<br />
The only thing left is our {{ic|~/.conkyrc}}:<br />
imap localhost username * -i 120 -p 993<br />
TEXT<br />
Inbox: ${imap_unseen}/${imap_messages}<br />
<br />
Here I used * as the password for Conky to ask for it at start, but you do not ''have'' to do it.<br />
<br />
=== Display new emails (IMAP + SSL) ===<br />
<br />
Conky has built-in support for IMAP accounts but does not support SSL. This can be provided using this script from [http://www.unix.com/shell-programming-scripting/115322-perl-conky-gmail-imap-unread-message-count.html this forum post]. It requires the Perl/CPAN modules Mail::IMAPClient and IO::Socket::SSL, which are in the {{AUR|perl-mail-imapclient}} and {{Pkg|perl-io-socket-ssl}} packages.<br />
<br />
Create a file named {{ic|imap.pl}} in a location to be read by Conky. In this file, add (with the appropriate changes):<br />
#!/usr/bin/perl<br />
<br />
# gimap.pl by gxmsgx<br />
# description: get the count of unread messages on imap<br />
<br />
use strict;<br />
use warnings;<br />
use Mail::IMAPClient;<br />
use IO::Socket::SSL;<br />
<br />
# Keep this file mode 0600: the credentials are stored in clear text.<br />
my $username = 'example.username'; <br />
my $password = 'password123'; <br />
<br />
my $socket = IO::Socket::SSL->new(<br />
    PeerAddr => 'imap.server',<br />
    PeerPort => 993,<br />
    # Verify the server certificate against the system CA store and check the<br />
    # host name; without this anyone on the path could present their own certificate.<br />
    SSL_verify_mode     => SSL_VERIFY_PEER,<br />
    SSL_verifycn_scheme => 'imap',<br />
    SSL_verifycn_name   => 'imap.server',<br />
)<br />
or die "socket(): $@";<br />
<br />
my $client = Mail::IMAPClient->new(<br />
    Socket   => $socket,<br />
    User     => $username,<br />
    Password => $password,<br />
)<br />
or die "new(): $@";<br />
<br />
if ($client->IsAuthenticated()) {<br />
    my $msgct;<br />
<br />
    $client->select("INBOX");<br />
    $msgct = $client->unseen_count || '0';<br />
    print "$msgct\n";<br />
}<br />
<br />
$client->logout();<br />
<br />
Add to {{ic|~/.conkyrc}}:<br />
${execi 300 ~/.conky/imap.pl} <br />
or wherever you saved the file.<br />
<br />
If you use Gmail you might need to [http://www.google.com/accounts/IssuedAuthSubTokens?hide_authsub=1 generate] an application specific password.<br />
<br />
Alternatively, you can use stunnel as shown above under [[#Other Methods]].<br />
<br />
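Conky's own {{ic|imap}} variable cannot speak TLS, and the Perl script above delegates the TLS checks to IO::Socket::SSL. As an added example (not the forum script, and not part of conky), the same unread count can be obtained with Python's standard {{ic|imaplib}} over IMAPS, where {{ic|ssl.create_default_context()}} verifies the certificate chain and host name. {{ic|unseen_count()}} takes an already-connected client so that it can be exercised against the constructed {{ic|FakeImap}} stand-in without network access; {{ic|imap.example.org}} and the credentials are placeholders.<br />

```python
#!/usr/bin/env python3
"""Unread count over IMAPS with certificate verification (added example, not from the page)."""
import imaplib
import re
import ssl

# Data part of a STATUS reply looks like: b'"INBOX" (UNSEEN 3)'
STATUS_RE = re.compile(rb"\(UNSEEN (\d+)\)")


def parse_unseen(status_data):
    """Pull the UNSEEN count out of the data list returned by IMAP4.status()."""
    for item in status_data:
        m = STATUS_RE.search(item)
        if m:
            return int(m.group(1))
    raise ValueError("no UNSEEN count in STATUS response")


def unseen_count(client, user, password, mailbox="INBOX"):
    """Log in on a connected IMAP4 client and return the number of unseen messages.

    STATUS does not select the mailbox, so nothing is marked as read as a side effect."""
    try:
        client.login(user, password)
        typ, data = client.status(mailbox, "(UNSEEN)")
        if typ != "OK":
            raise RuntimeError("STATUS failed: %r" % (data,))
        return parse_unseen(data)
    finally:
        try:
            client.logout()   # always close the session, even after a failed login
        except Exception:
            pass


def connect(host, port=993):
    """Open an IMAPS connection; the default context verifies the chain and checks the host name."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context())


class FakeImap:
    """Constructed stand-in for imaplib.IMAP4_SSL so the logic above can run offline."""

    def __init__(self, unseen, accept=("example", "secret")):
        self.unseen, self.accept, self.calls = unseen, accept, []

    def login(self, user, password):
        self.calls.append("login")
        if (user, password) != self.accept:
            raise imaplib.IMAP4.error("LOGIN failed")
        return "OK", [b"LOGIN completed"]

    def status(self, mailbox, what):
        self.calls.append("status")
        return "OK", [b'"' + mailbox.encode() + b'" (UNSEEN ' + str(self.unseen).encode() + b")"]

    def logout(self):
        self.calls.append("logout")
        return "BYE", [b"Logging out"]


if __name__ == "__main__":
    # Real use: host and credentials belong in a mode-0600 file, never on the command line.
    try:
        print(unseen_count(connect("imap.example.org"), "user", "app-specific-password"))
    except Exception:
        print("?")   # keep conky's display sane when the server is unreachable
```

Point conky at it with {{ic|<nowiki>${execi 300 ~/.conky/imap.py}</nowiki>}} just like the Perl version; with Gmail, use an application-specific password here as well.<br />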
=== Fix scrolling with UTF-8 multibyte characters ===<br />
<br />
The current version of conky (1.9.0) suffers from a bug (http://sourceforge.net/p/conky/bugs/341/) where scrolling text increments by byte, not by character, resulting in text containing multibyte characters to disappear and reappear while scrolling. A package with a patch fixing this bug can be found in the AUR: {{AUR|conky-utfscroll}}<br />
<br />
== User-contributed configuration examples ==<br />
<br />
=== Graysky ===<br />
<br />
[http://img9.imageshack.us/img9/3153/imageffj.jpg Screenshot].<br />
<br />
[https://github.com/graysky2/configs/raw/master/dotfiles/.conkyrc Here] it is - modify to fit your system. Optimized for a quad core chip w/ several hdds (although one of them is not connected for this screenshot) and an nvidia graphics card. You can easily modify this to a dual or single core system with one or whatever number of hdds.<br />
<br />
=== A sample rings script with nvidia support===<br />
<br />
{{bc|1=<br />
# -- Conky settings -- #<br />
background no<br />
update_interval 1<br />
<br />
cpu_avg_samples 2<br />
net_avg_samples 2<br />
<br />
override_utf8_locale yes<br />
<br />
double_buffer yes<br />
no_buffers yes<br />
<br />
text_buffer_size 2048<br />
imlib_cache_size 0<br />
<br />
# -- Window specifications -- #<br />
<br />
own_window yes<br />
own_window_type normal<br />
own_window_transparent yes<br />
own_window_hints undecorated,sticky,skip_taskbar,skip_pager,below<br />
<br />
border_inner_margin 0<br />
border_outer_margin 0<br />
<br />
minimum_size 320 800<br />
maximum_width 320<br />
<br />
alignment bottom_right<br />
gap_x 0<br />
gap_y 0<br />
<br />
# -- Graphics settings -- #<br />
draw_shades no<br />
draw_outline no<br />
draw_borders no<br />
draw_graph_borders yes<br />
<br />
# -- Text settings -- #<br />
use_xft yes<br />
xftfont MaiandraGD:size=24<br />
xftalpha 0.4<br />
<br />
uppercase no<br />
<br />
default_color 888888<br />
<br />
# -- Lua Load -- #<br />
lua_load ~/conky/lua/lua.lua<br />
lua_draw_hook_pre ring_stats<br />
<br />
TEXT<br />
${alignr}${voffset 53}${goto 90}${font MaiandraGD:size=11}${time %A, %d %B %Y}<br />
<br />
<br />
${voffset 5}${goto 164}${font MaiandraGD:size=16}${time %H:%M}<br />
<br />
<br />
<br />
${voffset -40}${goto 100}${font MaiandraGD:size=9}Kernel:${offset 70}Uptime:<br />
${goto 90}${font MaiandraGD:size=9}$kernel${offset 40}$uptime<br />
${voffset 57}${goto 117}${font snap:size=8}${cpu cpu0}%<br />
${goto 117}${cpu cpu1}%<br />
${goto 117}CPU<br />
${voffset 19}${goto 145}${memperc}%<br />
${goto 145}$swapperc%<br />
${goto 145}MEM<br />
${voffset 25}${goto 170}${nvidia gpufreq}<br />
${goto 170}${nvidia memfreq}<br />
${goto 170}GPU<br />
${voffset 27}${goto 198}${totaldown ppp0}<br />
${goto 198}${totalup ppp0}<br />
${goto 205}NET<br />
${voffset 21}<br />
${goto 222}${fs_used /home}<br />
${goto 230}DISK<br />
}}<br />
<br />
And the required lua.lua script:<br />
<br />
{{bc|1=<br />
--[[<br />
Ring Meters by londonali1010 (2009)<br />
<br />
This script draws percentage meters as rings. It is fully customisable; all options are described in the script.<br />
<br />
IMPORTANT: if you are using the 'cpu' function, it will cause a segmentation fault if it tries to draw a ring straight away. The if statement on line 145 uses a delay to make sure that this does not happen. It calculates the length of the delay by the number of updates since Conky started. Generally, a value of 5s is long enough, so if you update Conky every 1s, use update_num > 5 in that if statement (the default). If you only update Conky every 2s, you should change it to update_num > 3; conversely if you update Conky every 0.5s, you should use update_num > 10. ALSO, if you change your Conky, it is best to use "killall conky; conky" to update it, otherwise the update_num will not be reset and you will get an error.<br />
<br />
To call this script in Conky, use the following (assuming that you save this script to ~/scripts/rings.lua):<br />
lua_load ~/scripts/rings-v1.2.1.lua<br />
lua_draw_hook_pre ring_stats<br />
<br />
Changelog:<br />
+ v1.2.1 -- Fixed minor bug that caused script to crash if conky_parse() returns a nil value (20.10.2009)<br />
+ v1.2 -- Added option for the ending angle of the rings (07.10.2009)<br />
+ v1.1 -- Added options for the starting angle of the rings, and added the "max" variable, to allow for variables that output a numerical value rather than a percentage (29.09.2009)<br />
+ v1.0 -- Original release (28.09.2009)<br />
]]<br />
<br />
settings_table = {<br />
{<br />
-- Edit this table to customise your rings.<br />
-- You can create more rings simply by adding more elements to settings_table.<br />
-- "name" is the type of stat to display; you can choose from 'cpu', 'memperc', 'fs_used_perc', 'battery_used_perc'.<br />
name='time',<br />
-- "arg" is the argument to the stat type, e.g. if in Conky you would write ${cpu cpu0}, 'cpu0' would be the argument. If you would not use an argument in the Conky variable, use ''.<br />
arg='%I.%M',<br />
-- "max" is the maximum value of the ring. If the Conky variable outputs a percentage, use 100.<br />
max=12,<br />
-- "bg_colour" is the colour of the base ring.<br />
bg_colour=0x888888,<br />
-- "bg_alpha" is the alpha value of the base ring.<br />
bg_alpha=0.3,<br />
-- "fg_colour" is the colour of the indicator part of the ring.<br />
fg_colour=0x888888,<br />
-- "fg_alpha" is the alpha value of the indicator part of the ring.<br />
fg_alpha=0.5,<br />
-- "x" and "y" are the x and y coordinates of the centre of the ring, relative to the top left corner of the Conky window.<br />
x=191, y=145,<br />
-- "radius" is the radius of the ring.<br />
radius=32,<br />
-- "thickness" is the thickness of the ring, centred around the radius.<br />
thickness=4,<br />
-- "start_angle" is the starting angle of the ring, in degrees, clockwise from top. Value can be either positive or negative.<br />
start_angle=0,<br />
-- "end_angle" is the ending angle of the ring, in degrees, clockwise from top. Value can be either positive or negative, but must be larger (e.g. more clockwise) than start_angle.<br />
end_angle=360<br />
},<br />
{<br />
name='time',<br />
arg='%M.%S',<br />
max=60,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=191, y=145,<br />
radius=37,<br />
thickness=4,<br />
start_angle=0,<br />
end_angle=360<br />
},<br />
{<br />
name='time',<br />
arg='%S',<br />
max=60,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=191, y=145,<br />
radius=42,<br />
thickness=4,<br />
start_angle=0,<br />
end_angle=360<br />
},<br />
{<br />
name='cpu',<br />
arg='cpu0',<br />
max=100,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=140, y=300,<br />
radius=26,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='cpu',<br />
arg='cpu1',<br />
max=100,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=140, y=300,<br />
radius=20,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='memperc',<br />
arg='',<br />
max=100,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=170, y=350,<br />
radius=26,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='swapperc',<br />
arg='',<br />
max=100,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=170, y=350,<br />
radius=20,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='time',<br />
arg='%d',<br />
max=31,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=191, y=145,<br />
radius=50,<br />
thickness=5,<br />
start_angle=-140,<br />
end_angle=-30<br />
},<br />
{<br />
name='time',<br />
arg='%m',<br />
max=12,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=191, y=145,<br />
radius=50,<br />
thickness=5,<br />
start_angle=30,<br />
end_angle=140<br />
},<br />
-- {<br />
-- name='fs_used_perc',<br />
-- arg='/',<br />
-- max=100,<br />
-- bg_colour=0x888888,<br />
-- bg_alpha=0.3,<br />
-- fg_colour=0x888888,<br />
-- fg_alpha=0.5,<br />
-- x=260, y=503,<br />
-- radius=26,<br />
-- thickness=5,<br />
-- start_angle=-90,<br />
-- end_angle=180<br />
-- },<br />
{<br />
name='fs_used_perc',<br />
arg='/home',<br />
max=100,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=260, y=503,<br />
radius=20,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='totalup',<br />
arg='ppp0',<br />
max=2,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=230, y=452,<br />
radius=20,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='totaldown',<br />
arg='ppp0',<br />
max=2,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=230, y=452,<br />
radius=26,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='nvidia',<br />
arg='gpufreq',<br />
max=475,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=200, y=401,<br />
radius=26,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
{<br />
name='nvidia',<br />
arg='memfreq',<br />
max=700,<br />
bg_colour=0x888888,<br />
bg_alpha=0.3,<br />
fg_colour=0x888888,<br />
fg_alpha=0.5,<br />
x=200, y=401,<br />
radius=20,<br />
thickness=5,<br />
start_angle=-90,<br />
end_angle=180<br />
},<br />
}<br />
<br />
require 'cairo'<br />
<br />
function rgb_to_r_g_b(colour,alpha)<br />
return ((colour / 0x10000) % 0x100) / 255., ((colour / 0x100) % 0x100) / 255., (colour % 0x100) / 255., alpha<br />
end<br />
<br />
function draw_ring(cr,t,pt)<br />
local w,h=conky_window.width,conky_window.height<br />
<br />
local xc,yc,ring_r,ring_w,sa,ea=pt['x'],pt['y'],pt['radius'],pt['thickness'],pt['start_angle'],pt['end_angle']<br />
local bgc, bga, fgc, fga=pt['bg_colour'], pt['bg_alpha'], pt['fg_colour'], pt['fg_alpha']<br />
<br />
local angle_0=sa*(2*math.pi/360)-math.pi/2<br />
local angle_f=ea*(2*math.pi/360)-math.pi/2<br />
local t_arc=t*(angle_f-angle_0)<br />
<br />
-- Draw background ring<br />
<br />
cairo_arc(cr,xc,yc,ring_r,angle_0,angle_f)<br />
cairo_set_source_rgba(cr,rgb_to_r_g_b(bgc,bga))<br />
cairo_set_line_width(cr,ring_w)<br />
cairo_stroke(cr)<br />
<br />
-- Draw indicator ring<br />
<br />
cairo_arc(cr,xc,yc,ring_r,angle_0,angle_0+t_arc)<br />
cairo_set_source_rgba(cr,rgb_to_r_g_b(fgc,fga))<br />
cairo_stroke(cr)<br />
end<br />
<br />
function conky_ring_stats()<br />
local function setup_rings(cr,pt)<br />
local str=''<br />
local value=0<br />
<br />
str=string.format('${%s %s}',pt['name'],pt['arg'])<br />
str=conky_parse(str)<br />
<br />
value=tonumber(str)<br />
if value == nil then value = 0 end<br />
local pct=value/pt['max']<br />
<br />
draw_ring(cr,pct,pt)<br />
end<br />
<br />
if conky_window==nil then return end<br />
local cs=cairo_xlib_surface_create(conky_window.display,conky_window.drawable,conky_window.visual,conky_window.width,conky_window.height)<br />
<br />
local cr=cairo_create(cs)<br />
<br />
local updates=conky_parse('${updates}')<br />
local update_num=tonumber(updates)<br />
<br />
-- skip the first few updates, before Conky has collected real values<br />
if update_num~=nil and update_num>5 then<br />
for i in pairs(settings_table) do<br />
setup_rings(cr,settings_table[i])<br />
end<br />
end<br />
<br />
-- release the cairo context and surface created above<br />
cairo_destroy(cr)<br />
cairo_surface_destroy(cs)<br />
end<br />
}}<br />
<br />
== A note about symbolic fonts ==<br />
<br />
Many of the more decorated {{ic|.conkyrc}} files use the fonts PizzaDude Bullets and Pie Charts for Maps. They are available from the AUR as {{AUR|ttf-pizzadude-bullets}} and {{AUR|ttf-piechartsformaps}} respectively, or they can be found with a quick search, downloaded and installed manually using the instructions in [[Fonts]].<br />
<br />
== Fonts appear smaller than they should ==<br />
<br />
If your conky fonts appear smaller than they should, or do not align properly, the cause may be a default setting in the infinality freetype2 patch, which makes some programs render fonts at 72 DPI instead of 96 even when the rest of the system is set to 96. In that case open {{ic|/etc/fonts/infinality/infinality.conf}}, search for the DPI section and change 72 to 96.<br />
<br />
== Universal method to enable true transparency ==<br />
<br />
Transparency in Conky behaves differently in every environment, but there is a way to apply true transparency with any environment or window manager: xcompmgr and transset-df. Install xcompmgr from [extra] and transset-df from [community] with {{ic|pacman -S xcompmgr transset-df}}. Both packages share the same three dependencies, so this is the lightest compositing method available, which suits users of standalone window managers aiming for the leanest possible setup.<br />
<br />
{{Note|This may conflict with any other compositing manager you are already using.}}<br />
<br />
Check the xcompmgr documentation to decide which compositing options to enable. The following is a commonly used invocation:<br />
<br />
$ xcompmgr -c -t-5 -l-5 -r4.2 -o.55 &<br />
<br />
Make sure conky is running ({{ic|conky &}}), then use transset-df to set the opacity of the Conky window. Replace {{ic|.5}} with any value in the range 0 to 1:<br />
<br />
$ transset-df .5 -n Conky<br />
<br />
This should give your conky window true transparency. If you get an error like<br />
{{hc|$ transset-df .5 -n Conky|No Window matching Conky exists!}}<br />
verify that conky is running, then run xprop and click on the conky window to find the name to pass to {{ic|transset-df}}:<br />
{{hc|$ xprop &#124; grep WM_NAME|2=WM_NAME(STRING) = "Conky (ArchitectLinux)"}}<br />
<br />
In this case "Conky" is right, but yours may differ, so use your own output. If {{ic|~/.conkyrc}} has {{ic|own_window_type panel}}, this xprop invocation may show no output; try one of {{ic|<nowiki>own_window_type {dock,normal,override,desktop}</nowiki>}} instead.<br />
<br />
Use this in {{ic|~/.xinitrc}} to have transparent conky run when you {{ic|startx}}.<br />
<br />
xcompmgr -c -t-5 -l-5 -r4.2 -o.55 &<br />
conky -d; sleep 1 && transset-df .5 -n Conky<br />
<br />
== See also ==<br />
<br />
* [http://conky.sourceforge.net/config_settings.html Official Conky Configuration Settings]<br />
* [https://bbs.archlinux.org/viewtopic.php?id=39906 Conky Configs on arch forums]<br />
* [http://conky.sourceforge.net/ Official website]<br />
* [http://freshmeat.net/projects/conky/ Conky] on [[wikipedia:Freshmeat|Freshmeat]]<br />
* [http://sourceforge.net/projects/conky/ Conky] on [[wikipedia:sourceforge.net|SourceForge]]<br />
* [irc://chat.freenode.org/conky #conky] IRC chat channel on [[wikipedia:Freenode|freenode]]<br />
* [http://novel.evilcoder.org/wiki/index.php?title=ConkyFAQ&oldid=12463 FAQ]</div>Smrtzhttps://wiki.archlinux.org/index.php?title=Beginners%27_guide/Preparation&diff=257667Beginners' guide/Preparation2013-05-18T22:45:51Z<p>Smrtz: /* Preparation */</p>
<hr />
<div><noinclude><br />
[[Category:Getting and installing Arch]]<br />
[[Category:About Arch]]<br />
[[da:Beginners' Guide/Preparation]]<br />
[[es:Beginners' Guide/Preparation]]<br />
[[hr:Beginners' Guide/Preparation]]<br />
[[hu:Beginners' Guide/Preparation]]<br />
[[id:Beginners' Guide/Preparation]]<br />
[[it:Beginners' Guide/Preparation]]<br />
[[ja:Beginners' Guide/Preparation]]<br />
[[ko:Beginners' Guide/Preparation]]<br />
[[pl:Beginners' Guide/Preparation]]<br />
[[pt:Beginners' Guide/Preparation]]<br />
[[ro:Ghidul începătorilor/Preparare]]<br />
[[ru:Beginners' Guide/Preparation]]<br />
[[sr:Beginners' Guide/Preparation]]<br />
[[zh-CN:Beginners' Guide/Preparation]]<br />
[[zh-TW:Beginners' Guide/Preparation]]<br />
{{Tip|This is part of a multi-page article for the Beginners' Guide. '''[[Beginners' Guide|Click here]]''' if you would rather read the guide in its entirety.}}<br />
</noinclude><br />
This document will guide you through the process of installing [[Arch Linux]] using the [https://github.com/falconindy/arch-install-scripts Arch Install Scripts]. Before installing, you are advised to skim over the [[FAQ]].<br />
<br />
The community-maintained [[Main Page|ArchWiki]] is the primary resource that should be consulted if issues arise. The [[Wikipedia:IRC|IRC]] channel (irc://irc.freenode.net/#archlinux) and the [https://bbs.archlinux.org/ forums] are also excellent resources if an answer cannot be found elsewhere. In accordance with the [[The Arch Way|Arch Way]], you are encouraged to type {{ic|man ''command''}} to read the {{ic|man}} page of any command you are unfamiliar with.<br />
{{Note|Please check out #archlinux-newbie on Freenode}}<br />
<br />
== Preparation ==<br />
<br />
{{Note|If you wish to install from an existing GNU/Linux distribution, please see [[Install from Existing Linux|this article]]. This can be useful particularly if you plan to install Arch via [[VNC]] or [[SSH]] remotely.}}<br />
<br />
=== Burn or write the latest installation medium ===<br />
<br />
The latest release of the installation media can be obtained from the [https://archlinux.org/download/ Download] page. Note that the single ISO image supports both 32 and 64-bit architectures. A new ISO image is released about once every month and it is highly recommended to always use the latest ISO image.<br />
<br />
* Burn the ISO image on a CD or DVD with your preferred software.<br />
:{{Note|The quality of optical drives and the discs themselves varies greatly. Generally, using a slow burn speed is recommended for reliable burns. If you are experiencing unexpected behaviour from the disc, try burning at the lowest speed supported by your burner.}}<br />
<br />
* Or you can write the ISO image to a USB stick. For detailed instructions, see [[USB Installation Media]].<br />
<br />
==== Installing over the network ====<br />
<br />
Instead of writing the boot media to a disc or USB stick, you may alternatively boot the .iso image over the network. This works well when you already have a server set up. Please see [[Install Arch from network (via PXE)|this article]] for more information, and then continue to [[#Boot the installation medium|Boot the installation medium]].<br />
<br />
==== Installing on a virtual machine ====<br />
<br />
Installing on a [[Wikipedia:Virtual_machine|virtual machine]] is a good way to become familiar with Arch Linux and its installation procedure without leaving your current operating system and repartitioning the storage drive. It will also let you keep this Beginners' Guide open in your browser throughout the installation. Some users may find it beneficial to have an independent Arch Linux system on a virtual drive, for testing purposes.<br />
<br />
Examples of virtualization software are [[VirtualBox]], [[VMware]], [[QEMU]], [[Xen]], [[Varch]], [[Parallels]].<br />
<br />
The exact procedure for preparing a virtual machine depends on the software, but will generally follow these steps:<br />
<br />
# Create the virtual disk image that will host the operating system.<br />
# Properly configure the virtual machine parameters.<br />
# Boot the downloaded ISO image with a virtual CD drive.<br />
# Continue with [[#Boot the installation medium|Boot the installation medium]].<br />
<br />
The following articles may be helpful:<br />
<br />
* [[VirtualBox#Arch Linux guests|Arch Linux as VirtualBox guest]]<br />
* [[VirtualBox Arch Linux Guest On Physical Drive|Arch Linux as VirtualBox guest on a physical drive]]<br />
* [[Installing Arch Linux in VMware|Arch Linux as VMware guest]]<br />
* [[Moving an existing install into (or out of) a virtual machine]]<br />
<br />
=== Boot the installation medium ===<br />
<br />
First, you may have to change the boot order in your computer's BIOS. To do this, you have to press a key (usually {{Keypress|Delete}}, {{Keypress|F1}}, {{Keypress|F2}}, {{Keypress|F11}} or {{Keypress|F12}}) during the POST (Power On Self-Test) phase. Then, select "Boot Arch Linux" from the menu and press {{Keypress|Enter}} in order to begin with the installation.<br />
<br />
{{Note|The memory requirement for a basic install is 64 MB of RAM.}}<br />
<br />
{{Note|Users seeking to perform the Arch Linux installation remotely via an [[SSH]] connection are encouraged to make a few tweaks at this point to enable SSH connections directly to the live CD environment. If interested, see the [[Install from SSH]] article.}}<br />
<br />
Once you have booted into the live environment, your shell is [[Zsh]]; this will provide you advanced Tab completion, and other features as part of the [http://grml.org/zsh/ grml config].<br />
<br />
===== Testing if you are booted into UEFI mode =====<br />
<br />
In case you have a [[UEFI]] motherboard and UEFI boot mode is enabled (and preferred over BIOS/Legacy mode), the CD/USB will automatically launch the Arch Linux kernel (EFISTUB via the Gummiboot boot manager). To test whether you have booted into UEFI mode, check that the directory {{ic|/sys/firmware/efi}} exists:<br />
<br />
# ls -1 /sys/firmware/efi<br />
<br />
{{Note| For several kernels now, CONFIG_EFI_VARS has been compiled into the kernel. Thus efivars no longer exists as a module and doesn't need to be loaded manually.}}<br />
<br />
===== Troubleshooting boot problems =====<br />
<br />
* If you're using an Intel video chipset and the screen goes blank during the boot process, the problem is likely an issue with [[Kernel Mode Setting]]. A possible workaround may be achieved by rebooting and pressing {{Keypress|e}} over the entry that you're trying to boot (i686 or x86_64). At the end of the string type {{ic|nomodeset}} and press {{Keypress|Enter}}. Alternatively, try {{ic|1=video=SVIDEO-1:d}} which, if it works, will not disable kernel mode setting. See the [[Intel]] article for more information.<br />
<br />
* If the screen does ''not'' go blank and the boot process gets stuck while trying to load the kernel, press {{Keypress|Tab}} while hovering over the menu entry, type {{ic|1=acpi=off}} at the end of the string and press {{Keypress|Enter}}.<noinclude><br />
{{Beginners' Guide navigation}}</noinclude></div>Smrtzhttps://wiki.archlinux.org/index.php?title=Beginners%27_guide/Preparation&diff=257340Beginners' guide/Preparation2013-05-16T19:30:08Z<p>Smrtz: /* Troubleshooting boot problems */</p>
<hr />
<div>''(Body identical to the 2013-05-18 revision of this page above, minus the later #archlinux-newbie note in the introduction.)''</div>Smrtzhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=185955OpenVPN2012-02-23T23:20:19Z<p>Smrtz: /* Installing OpenVPN */</p>
<hr />
<div>[[Category:Virtual Private Network (English)]]<br />
{{i18n|OpenVPN}}<br />
{{Expansion}}<br />
<br />
<!--' Todo (at least :)<br />
add support for ipv6 and L2 ethernet bridging<br />
'--><br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
If your VPN provider gave you credentials (i.e. their cert, your cert and your key) and you want to use those to connect, much of this page can be ignored. See [[Airvpn]].<br />
<br />
OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. OpenVPN supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]], support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it.<br />
<br />
OpenVPN supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms.<br />
<br />
Overall, OpenVPN aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint.<br />
<br />
OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
<!--'<br />
==Preamble==<br />
'--><br />
<br />
==Installing OpenVPN==<br />
[[pacman|Install]] {{Pkg|openvpn}}, available in the [[Official Repositories]]:<br />
<br />
{{bc|# pacman -S openvpn}}<br />
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create vpn connections.}}<br />
<br />
<!--' what does this do, and is the package still supported?<br />
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].<br />
'--><br />
<br />
==Configuring the kernel==<br />
<br />
OpenVPN requires the Universal TUN/TAP device driver. Add the {{ic|tun}} module to the {{ic|MODULES}} array in {{ic|/etc/rc.conf}} on both servers and clients.<br />
<br />
The default Arch Linux kernel is already properly configured, but if you build your own kernel make sure that you enable the TUN/TAP module:<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers ---><br />
Network device support ---><br />
[*]Network device support<br />
<M> Universal TUN/TAP device driver support }}<br />
<br />
==Public Key Infrastructure (PKI)==<br />
<br />
The first step when setting up OpenVPN is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]]. The PKI consists of:<br />
<br />
* A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.<br />
* A separate public certificate and private key for each server and each client.<br />
<br />
To facilitate the key/certificate creation process, OpenVPN comes with a collection of [[Wikipedia:RSA (algorithm)|RSA]] key management scripts (based on the {{ic|openssl}} command line tool) known as easy-rsa.<br />
<br />
{{Note|Only {{ic|.key}} files need to be kept secret; {{ic|.crt}} and {{ic|.csr}} files can be sent over insecure channels such as plaintext email. Such channels do not protect integrity either, so confirm a received CSR's fingerprint with the requester out of band before signing it.}}<br />
<br />
In this article the needed keys and certificates are created in root's home directory. This ensures that the generated files have the right ownership and permissions, thus being safe from other users.<br />
<br />
{{Note|The keys and certificates can be created on any machine. For the highest security, generate the keys on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.}}<br />
<br />
{{Warning|Make sure that the generated files are backed up, especially {{ic|ca.key}} and {{ic|ca.crt}}: if they are lost you can neither issue new keys and certificates nor revoke compromised ones, and you will have to generate a new [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and key, invalidating the entire PKI.}}<br />
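The following script is an added example, not part of the original article or of easy-rsa: it builds the same three-part PKI described above (a CA, then a separate certificate/key pair for one server and one client) by calling {{ic|openssl}} directly, which is what the easy-rsa scripts wrap. The DN fields and the 2048-bit key size mirror the {{ic|vars}} example further down; the names {{ic|elmer}} (server) and {{ic|bugs}} (client), the file names and the directory layout are assumptions for illustration. Its two checks are the ones a practitioner wants after generating a PKI: that a client certificate cannot pass as a server certificate, and that every {{ic|.key}} file is unreadable to other users.<br />

```shell
#!/bin/sh
# Added example: a minimal OpenVPN-style PKI built with the openssl CLI directly
# (a CA plus one server and one client certificate), without the easy-rsa
# wrappers. DN fields and key size mirror the vars file on the page; the names
# elmer/bugs and all paths are assumptions. Needs the openssl command.
set -eu

PKI_DN_BASE="/C=US/ST=CA/L=Acme Acres/O=Acme"

# write_ext_cnf DIR: one config file used by both 'openssl req' and 'openssl x509'.
# The server/client split in extendedKeyUsage is what stops a client
# certificate from being used to impersonate the server.
write_ext_cnf() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
# empty on purpose: subjects are supplied with -subj
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert NAME PROFILE: private key and CSR for NAME, signed by the CA with
# the extensions of PROFILE (server or client). Runs inside the PKI directory.
issue_cert() {
  # umask 077 makes the .key file mode 0600 at creation; .crt/.csr need no secrecy
  (umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null)
  openssl req -new -config ext.cnf -key "$1.key" \
    -subj "$PKI_DN_BASE/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

# build_pki DIR: create the CA plus one server and one client certificate in DIR.
build_pki() {
  mkdir -p "$1"
  write_ext_cnf "$1"
  (
    cd "$1"
    (umask 077; openssl genrsa -out ca.key 2048 2>/dev/null)
    openssl req -new -config ext.cnf -key ca.key \
      -subj "$PKI_DN_BASE/CN=Acme-CA" -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 3650 \
      -extfile ext.cnf -extensions ca -out ca.crt 2>/dev/null
    issue_cert elmer server
    issue_cert bugs client
  )
}

# verify_cert DIR CERT PURPOSE: succeeds only if CERT chains to the CA and is valid
# for PURPOSE (sslserver or sslclient); this is the same kind of purpose check an
# OpenVPN client applies with 'remote-cert-tls server'.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# keys_private DIR: succeeds only if no .key file in DIR is readable by group/other.
keys_private() {
  for k in "$1"/*.key; do
    # columns 5-10 of 'ls -l' output are the group and other permission bits
    if ls -l "$k" | cut -c5-10 | grep -q '[rwx]'; then
      return 1
    fi
  done
  return 0
}
```

Run {{ic|build_pki /root/pki}} as root, then {{ic|verify_cert /root/pki elmer.crt sslserver}} succeeds while {{ic|verify_cert /root/pki bugs.crt sslserver}} fails, because the client certificate carries only the clientAuth extended key usage. Keep {{ic|ca.key}} on the offline machine as the article advises; only the {{ic|.crt}} files and each party's own {{ic|.key}} need to leave it.<br />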
<br />
===Installing the easy-rsa scripts===<br />
<br />
Install the scripts by doing the following:<br />
<br />
{{bc|# cp -r /usr/share/openvpn/easy-rsa /root}}<br />
<br />
===Creating keys and certificates===<br />
<br />
Now you need to create the needed keys and certificates.<br />
<br />
Change to the directory where you installed the scripts.<br />
<br />
{{bc|# cd /root/easy-rsa}}<br />
<br />
To ensure the consistent use of values when generating the PKI, set the defaults used by the PKI generating scripts. Edit {{ic|/root/easy-rsa/vars}} and at a minimum set the {{ic|KEY_COUNTRY}}, {{ic|KEY_PROVINCE}}, {{ic|KEY_CITY}}, {{ic|KEY_ORG}} and {{ic|KEY_EMAIL}} parameters (do not leave any of them blank). Change {{ic|KEY_SIZE}} to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.<br />
<br />
{{hc|/root/easy-rsa/vars|<nowiki><br />
# easy-rsa parameter settings<br />
<br />
# NOTE: If you installed from an RPM,<br />
# don't edit this file in place in<br />
# /usr/share/openvpn/easy-rsa --<br />
# instead, you should copy the whole<br />
# easy-rsa directory to another location<br />
# (such as /etc/openvpn) so that your<br />
# edits will not be wiped out by a future<br />
# OpenVPN package upgrade.<br />
<br />
# This variable should point to<br />
# the top level of the easy-rsa<br />
# tree.<br />
export EASY_RSA="`pwd`"<br />
<br />
#<br />
# This variable should point to<br />
# the requested executables<br />
#<br />
export OPENSSL="openssl"<br />
export PKCS11TOOL="pkcs11-tool"<br />
export GREP="grep"<br />
<br />
<br />
# This variable should point to<br />
# the openssl.cnf file included<br />
# with easy-rsa.<br />
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`<br />
<br />
# Edit this variable to point to<br />
# your soon-to-be-created key<br />
# directory.<br />
#<br />
# WARNING: clean-all will do<br />
# a rm -rf on this directory<br />
# so make sure you define<br />
# it correctly!<br />
export KEY_DIR="$EASY_RSA/keys"<br />
<br />
# Issue rm -rf warning<br />
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR<br />
<br />
# PKCS11 fixes<br />
export PKCS11_MODULE_PATH="dummy"<br />
export PKCS11_PIN="dummy"<br />
<br />
# Increase this to 2048 if you<br />
# are paranoid. This will slow<br />
# down TLS negotiation performance<br />
# as well as the one-time DH parms<br />
# generation process.<br />
</nowiki>'''export KEY_SIZE&#61;2048'''<nowiki><br />
<br />
# In how many days should the root CA key expire?<br />
export CA_EXPIRE=3650<br />
<br />
# In how many days should certificates expire?<br />
export KEY_EXPIRE=3650<br />
<br />
# These are the default values for fields<br />
# which will be placed in the certificate.<br />
# Don't leave any of these fields blank.<br />
<br />
</nowiki><br />
'''export KEY_COUNTRY&#61;"US"'''<br />
'''export KEY_PROVINCE&#61;"CA"'''<br />
'''export KEY_CITY&#61;"Acme Acres"'''<br />
'''export KEY_ORG&#61;"Acme"'''<br />
'''export KEY_EMAIL&#61;"roadrunner@acmecorp.org"'''<br />
'''#export KEY_EMAIL&#61;mail@host.domain'''<br />
'''export KEY_CN&#61;Acme-CA'''<br />
'''export KEY_NAME&#61;Acme-CA'''<br />
'''export KEY_OU&#61;'''<nowiki><br />
export PKCS11_MODULE_PATH=changeme<br />
export PKCS11_PIN=1234<br />
</nowiki>}}<br />
<br />
Export the environment variables. Run this from the directory you copied easy-rsa into, since vars derives EASY_RSA from the current working directory.<br />
<br />
{{bc|# source ./vars}}<br />
<br />
Delete any previously created certificates and keys.<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
{{Note|Entering a . (dot) when prompted for a value blanks out the parameter.}}<br />
<br />
The build-ca script generates the [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate/key pair.<br />
<br />
{{hc|# ./build-ca|<nowiki><br />
Generating a 2048 bit RSA private key<br />
..............++++++<br />
...++++++<br />
writing new private key to 'ca.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [Acme-CA]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
</nowiki>}}<br />
<br />
The build-key-server script (followed by the server name) generates a certificate/key pair for a server. Make sure that the server name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key-server elmer|<nowiki><br />
Generating a 2048 bit RSA private key<br />
.....................++++++<br />
.......................................................++++++<br />
writing new private key to 'elmer.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [elmer]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'elmer'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
The build-dh script generates the [http://www.rsa.com/rsalabs/node.asp?id=2248 Diffie-Hellman parameters] .pem file needed by the server.<br />
<br />
{{Note|The DH parameters are not secret, so one dh2048.pem can be shared by several servers; generating a fresh set for each server is still preferable.}}<br />
<br />
{{hc|# ./build-dh|<br />
Generating DH parameters, 2048 bit long safe prime, generator 2<br />
This is going to take a long time<br />
..+.............................................................................<br />
.<br />
.<br />
.<br />
............+...............+...................................................<br />
..................................................................++*++*}}<br />
<br />
The build-key script (followed by a client name) generates a certificate/key pair for a client. Make sure that the client name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key bugs|<nowiki><br />
Generating a 2048 bit RSA private key<br />
....++++++<br />
.............................................................++++++<br />
writing new private key to 'bugs.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [bugs]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'bugs'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
Generate a secret [[Wikipedia:HMAC|Hash-based Message Authentication Code (HMAC)]] key by running:<br />
{{ic|# openvpn --genkey --secret /root/easy-rsa/keys/ta.key}}<br />
<br />
This static key is shared by the server and every client (see the tls-auth directive below). It adds an additional HMAC signature to all SSL/TLS handshake packets, and any UDP packet that does not carry the correct HMAC signature is dropped immediately, before it reaches the TLS code. This protects against:<br />
<br />
* Port scanning.<br />
* DoS attacks on the OpenVPN UDP port.<br />
* SSL/TLS handshake initiations from unauthorized machines.<br />
* Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.<br />
<br />
All the created keys and certificates have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.<br />
<br />
{{Warning|This will delete any previously generated keys and certificates stored in /root/easy-rsa/keys.}}<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.<br />
<br />
{{Note|In this article the keys and certificates will be placed into /etc/openvpn on the server and the client.}}<br />
<br />
The public ca.crt certificate is needed on all servers and clients. The private ca.key is secret and only needed on the key generating machine; it should never be copied to a server or client.<br />
<br />
The server needs its public certificate elmer.crt, the dh2048.pem parameters, its private key elmer.key and the shared secret ta.key.<br />
<br />
The client needs its public certificate bugs.crt, its private key bugs.key and ta.key. The .key files and ta.key are secrets: transfer them only over an authenticated channel such as scp and keep them readable by root only.<br />
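The distribution rule above, as an added example in Python (not part of OpenVPN or easy-rsa): it stages the files for one peer with ca.key left out and private material restricted to mode 0600, and, when the openssl CLI is present, checks that a private key belongs to its certificate. The demo() function uses constructed placeholder files, not real keys; the role names and file list follow this article, and KEYS_DIR is the directory the build-* scripts wrote to.<br />

```python
"""Stage the easy-rsa output for one peer.

Added example, not part of OpenVPN or easy-rsa: ca.key never leaves the CA
host, private keys and ta.key are 0600, certificates and DH parameters are
world-readable.  Optionally checks with the openssl CLI that a private key
belongs to its certificate.
"""
import os
import shutil
import subprocess
import tempfile

KEYS_DIR = "/root/easy-rsa/keys"   # where the build-* scripts put their output

def files_for(role, name):
    """Files a peer receives as (filename, is_secret).  ca.key is deliberately
    absent: it signs certificates and stays on the key-generating machine."""
    common = [("ca.crt", False), (f"{name}.crt", False),
              (f"{name}.key", True), ("ta.key", True)]
    if role == "server":
        return common + [("dh2048.pem", False)]
    if role == "client":
        return common
    raise ValueError(f"unknown role {role!r}")

def stage(keys_dir, dest_dir, role, name):
    """Copy one peer's files into dest_dir (to be shipped with scp/rsync and
    unpacked into /etc/openvpn) with modes tightened.  Returns the staged names."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    for fname, secret in files_for(role, name):
        dst = os.path.join(dest_dir, fname)
        shutil.copyfile(os.path.join(keys_dir, fname), dst)
        os.chmod(dst, 0o600 if secret else 0o644)
    return sorted(os.listdir(dest_dir))

def mode_of(path):
    """Permission bits of a file as an octal string, e.g. '0o600'."""
    return oct(os.stat(path).st_mode & 0o777)

def key_matches_cert(cert_path, key_path):
    """True when the RSA modulus in the certificate equals the one in the key.
    Uses the openssl CLI; returns None when it is not installed."""
    if shutil.which("openssl") is None:
        return None
    def modulus(kind, path):
        out = subprocess.run(["openssl", kind, "-in", path, "-noout", "-modulus"],
                             capture_output=True, text=True, check=True).stdout
        return out.strip()
    return modulus("x509", cert_path) == modulus("rsa", key_path)

def demo():
    """Run the staging against constructed placeholder files (not real keys)
    in a temporary directory and report what each peer would receive."""
    tmp = tempfile.mkdtemp()
    keys = os.path.join(tmp, "keys")
    os.makedirs(keys)
    for f in ("ca.crt", "ca.key", "elmer.crt", "elmer.key",
              "bugs.crt", "bugs.key", "dh2048.pem", "ta.key"):
        with open(os.path.join(keys, f), "w") as fh:
            fh.write(f"placeholder for {f}\n")      # constructed, not PEM data
    server = stage(keys, os.path.join(tmp, "elmer"), "server", "elmer")
    client = stage(keys, os.path.join(tmp, "bugs"), "client", "bugs")
    result = {
        "server": server,
        "client": client,
        "server_key_mode": mode_of(os.path.join(tmp, "elmer", "elmer.key")),
        "ta_key_mode": mode_of(os.path.join(tmp, "bugs", "ta.key")),
        "ca_crt_mode": mode_of(os.path.join(tmp, "bugs", "ca.crt")),
    }
    shutil.rmtree(tmp)
    return result

if __name__ == "__main__":
    print(demo())
```

With real output, call stage(KEYS_DIR, "/tmp/elmer", "server", "elmer") on the CA machine, copy the directory with scp into /etc/openvpn on the peer, and run key_matches_cert on the peer to confirm the pair that arrived is the one that was issued.<br />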
<br />
==Configuring OpenVPN==<br />
<br />
OpenVPN is extremely versatile software and many configurations are possible; in fact a machine can be both a "server" and a "client", blurring the distinction between the two.<br />
<br />
What really distinguishes a server from a client is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup and acts accordingly; if it finds more than one configuration file it starts one OpenVPN process per configuration file.<br />
<br />
This article explains how to setup a machine that is called the server (elmer), and a machine that connects to it is called the client (bugs). More servers and clients can easily be added, by creating more key/certificate pairs and adding more server and client configuration files.<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
===The server configuration file===<br />
<br />
Copy the example server configuration file to /etc/openvpn/server.conf<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf}}<br />
<br />
Edit the following:<br />
<br />
* The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Using absolute paths lets you start the OpenVPN executable from any directory for testing purposes.<br />
* Enable the SSL/TLS HMAC handshake protection with tls-auth. The second argument is the key direction: '''use 0 on the server''' (the client uses 1).<br />
* Run OpenVPN with reduced privileges once it has initialized by uncommenting the user and group directives.<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/elmer.crt<br />
key /etc/openvpn/elmer.key<br />
<br />
dh /etc/openvpn/dh2048.pem<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''0'''<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
{{Note|If the server is behind a firewall or a NAT router, you will have to forward the OpenVPN UDP port (1194) to the server.}}<br />
<br />
===The client configuration file===<br />
<br />
Copy the example client configuration file to /etc/openvpn/client.conf<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf}}<br />
<br />
Edit the following:<br />
<br />
* The remote directive to reflect the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client) or IP address.<br />
* Uncomment the user and group directives to drop privileges.<br />
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
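A check of the two files above, as an added example in Python (not OpenVPN's own tooling): it parses a server.conf/client.conf pair and reports the mismatches that silently break or weaken the setup, such as unequal tls-auth key directions, a missing user/group privilege drop, port, proto or dev type disagreement, and differing data-channel ciphers. The embedded SERVER_CONF and CLIENT_CONF are constructed in the shape of this article's files.<br />

```python
"""Cross-check an OpenVPN 2.x server.conf / client.conf pair.
Added example, not OpenVPN's own tooling."""
import shlex

# Constructed configs in the shape this article builds (not OpenVPN's samples).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
;cipher AES-256-CBC          # commented out: the BF-CBC default applies
tls-auth /etc/openvpn/ta.key 0
user nobody
group nobody
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote elmer.acmecorp.org 1194
user nobody
group nobody
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
tls-auth /etc/openvpn/ta.key 1
"""

def parse_conf(text):
    """Directive -> argument list (last occurrence wins).  Lines starting with
    '#' or ';' are comments; quoted arguments such as push "route ..." stay whole."""
    conf = {}
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True
        lex.commenters = "#;"
        tokens = list(lex)
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def check_pair(server_text, client_text):
    """Return a list of (severity, message) findings; empty means consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []

    # tls-auth: the static key must be on both sides with opposite directions.
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if s_ta is None or c_ta is None:
        side = "server" if s_ta is None else "client"
        findings.append(("error", f"{side}: no tls-auth, handshake packets are not HMAC-protected"))
    else:
        dirs = (s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None)
        if dirs != ("0", "1"):
            findings.append(("error", f"tls-auth key direction must be 0 on the server "
                                      f"and 1 on the client, got {dirs[0]}/{dirs[1]}"))

    # Privilege drop after initialisation.
    for side, conf in (("server", s), ("client", c)):
        for directive in ("user", "group"):
            if directive not in conf:
                findings.append(("warning", f"{side}: no '{directive}' directive, openvpn keeps running as root"))

    # Transport parameters the client has to agree on.
    if s.get("proto", ["udp"])[0][:3] != c.get("proto", ["udp"])[0][:3]:
        findings.append(("error", "proto mismatch between server and client"))
    s_port = s.get("port", ["1194"])[0]
    remote = c.get("remote")
    if remote is None:
        findings.append(("error", "client: no 'remote' directive"))
    else:
        c_port = remote[1] if len(remote) > 1 else c.get("port", ["1194"])[0]
        if c_port != s_port:
            findings.append(("error", f"port mismatch: server listens on {s_port}, client connects to {c_port}"))
    s_dev = s.get("dev", ["tun"])[0].rstrip("0123456789")
    c_dev = c.get("dev", ["tun"])[0].rstrip("0123456789")
    if s_dev != c_dev:
        findings.append(("error", f"dev type mismatch: server {s_dev}, client {c_dev}"))

    # Data-channel cipher: OpenVPN 2.2 does not negotiate it, both sides must
    # name the same one, and the compiled-in default is BF-CBC (64-bit blocks).
    s_cipher = s.get("cipher", ["BF-CBC"])[0].upper()
    c_cipher = c.get("cipher", ["BF-CBC"])[0].upper()
    if s_cipher != c_cipher:
        findings.append(("error", f"cipher mismatch: server {s_cipher}, client {c_cipher}"))
    elif s_cipher == "BF-CBC":
        findings.append(("warning", "data channel uses the BF-CBC default; set cipher AES-256-CBC on both sides"))

    # Certificate material each side needs.
    for side, conf, needed in (("server", s, ("ca", "cert", "key", "dh")),
                               ("client", c, ("ca", "cert", "key"))):
        for directive in needed:
            if directive not in conf:
                findings.append(("error", f"{side}: missing '{directive}'"))
    return findings

if __name__ == "__main__":
    for severity, message in check_pair(SERVER_CONF, CLIENT_CONF):
        print(f"{severity}: {message}")
```

Run against the article's pair it reports only the BF-CBC warning; flipping the client's tls-auth direction to 0 produces an error, which is what the real peers would show only as a silently failing handshake.<br />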
<br />
==Testing the OpenVPN configuration==<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. You should see something similar to this:<br />
<br />
{{hc|# openvpn /etc/openvpn/server.conf|<nowiki><br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]<br />
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1<br />
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened<br />
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:26 2011 GID set to nobody<br />
Wed Dec 28 14:41:26 2011 UID set to nobody<br />
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194<br />
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]<br />
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST<br />
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed<br />
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
</nowiki>}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client.conf|<nowiki><br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]<br />
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay<br />
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]<br />
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194<br />
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194<br />
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)<br />
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified<br />
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64<br />
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened<br />
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
</nowiki>}}<br />
<br />
On the server, find the IP assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0</nowiki>}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}<br />
<br />
And the client side has been given the IP 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping 10.8.0.6|<nowiki><br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
^C<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
</nowiki>}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping 10.8.0.1|<nowiki><br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
^C<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
</nowiki>}}<br />
<br />
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.<br />
<br />
==Starting OpenVPN==<br />
<br />
To start OpenVPN manually run:<br />
<br />
{{bc|# rc.d start openvpn}}<br />
<br />
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.<br />
<br />
==Advanced OpenVPN configuration==<br />
<br />
===Routing the LAN of the server to a client===<br />
<br />
Prerequisites:<br />
<br />
* The server (elmer) is on a LAN using the [[Wikipedia:Private_network#Private_IPv4_address_spaces|private network range]] 10.66.0.0/24 (a /24 carved out of the 10.0.0.0/8 private block).<br />
* The server's LAN network interface is called eth0.<br />
* The client (bugs) is assigned an ip address out of the address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):<br />
{{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}<br />
<br />
As the server's kernel must forward packets between the tun device and the LAN interface, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To temporarily enable without rebooting do: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
<!--'Investigate if scripts hooked into openvpn can do this, http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR'--><br />
Promiscuous mode is not needed on eth0 for this: traffic from the LAN to the VPN subnet arrives in frames addressed to the server's own MAC address as long as the LAN hosts (or their gateway) route 10.8.0.0/24 via the server, and with forwarding enabled the kernel routes those packets to tun0. See the note below for the routing options.<br />
<br />
To inform the client about the available subnet, add a push directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:<br />
* Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.<br />
* Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
<br />
<!--'Add information on how to route several lans to the client'--><br />
<br />
===Routing the LAN of a client to the server===<br />
<br />
Prerequisites:<br />
<br />
* You must make sure that any subnets used on the client side (bugs) are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the client's LAN.<br />
* The client's LAN network interface is called eth0.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server must not use the duplicate-cn directive in its configuration file, since per-client settings are looked up by Common Name.<br />
<br />
As the client's kernel must forward packets between the tun device and the LAN interface, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To temporarily enable without rebooting do: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
Promiscuous mode is not needed on the client's eth0 either: packets from the client LAN destined for the server side arrive in frames addressed to the client's own MAC address as long as the LAN hosts (or their gateway) route 10.66.0.0/24 and 10.8.0.0/24 via the client, and with forwarding enabled the kernel routes them into the tunnel. See the note at the end of this section for the routing options.<br />
<br />
You must now create a client configuration directory on the server (elmer) and point the server at it with {{ic|client-config-dir /etc/openvpn/ccd}} in /etc/openvpn/server.conf. When a client connects, the server process looks in this directory for a file named after the client certificate's Common Name and applies the directives in it to that client.<br />
<br />
{{bc|# mkdir -p /etc/openvpn/ccd}}<br />
<br />
Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0. This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This adds a kernel route for 192.168.4.0/24 via the tun device, so packets for that subnet reach the OpenVPN process, while the iroute tells the process which connected client owns the subnet. Both are needed:<br />
<br />
{{hc|/etc/openvpn/server.conf|route 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|If the client (bugs) is not the default LAN gateway on the client side, you will need to do one of the following:<br />
* Add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address.<br />
* Add a static route to each host on the client side LAN that you want to be able to respond to the server.<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
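The iroute/route pairing described above, as an added example in Python (not part of OpenVPN): given the server configuration and the contents of the ccd directory, it reports iroute entries with no matching route in server.conf, the same subnet claimed by two clients, subnets overlapping the VPN pool or a pushed server-side LAN, and a missing client-config-dir or a present duplicate-cn directive. The SERVER_CONF and CCD values are constructed for this article's elmer/bugs setup.<br />

```python
"""Check the route/iroute bookkeeping for client-side LANs.
Added example, not part of OpenVPN."""
import ipaddress

# Constructed for this article's elmer/bugs setup (not OpenVPN's sample files).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 10.66.0.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
"""
# Contents of /etc/openvpn/ccd/<Common Name>, keyed by Common Name.
CCD = {"bugs": "iroute 192.168.4.0 255.255.255.0\n"}

def directives(text):
    """Minimal parser for the directives used here: drops '#'/';' comments
    and quotes, yields (name, args) per line."""
    for line in text.splitlines():
        toks = line.split("#")[0].split(";")[0].replace('"', "").split()
        if toks:
            yield toks[0], toks[1:]

def net(args):
    """Network from 'address [netmask]'; a bare address is a single host."""
    spec = args[0] if len(args) == 1 else f"{args[0]}/{args[1]}"
    return ipaddress.ip_network(spec, strict=False)

def check_client_lans(server_text, ccd):
    """Return a list of problem descriptions; empty means consistent."""
    conf = list(directives(server_text))
    names = {name for name, _ in conf}
    problems = []
    if "client-config-dir" not in names:
        problems.append("server.conf: no 'client-config-dir', the ccd files are never read")
    if "duplicate-cn" in names:
        problems.append("server.conf: 'duplicate-cn' set, per-client ccd files cannot be matched reliably")

    reserved = {}   # networks no client LAN may overlap -> description
    for name, args in conf:
        if name == "server" and len(args) >= 2:
            reserved[net(args[:2])] = "VPN address pool"
        elif name == "push" and len(args) >= 3 and args[0] == "route":
            reserved[net(args[1:3])] = "server-side LAN pushed to clients"
    routes = {net(args[:2]) for name, args in conf if name == "route" and len(args) >= 2}

    claimed = {}    # client LAN -> Common Name that owns it
    for cn, text in ccd.items():
        for name, args in directives(text):
            if name != "iroute" or not args:
                continue
            subnet = net(args[:2])
            if subnet in claimed:
                problems.append(f"{subnet} claimed by both {claimed[subnet]} and {cn}")
            claimed[subnet] = cn
            if subnet not in routes:
                problems.append(f"{cn}: iroute {subnet} has no matching 'route' in server.conf")
            for other, what in reserved.items():
                if subnet.overlaps(other):
                    problems.append(f"{cn}: iroute {subnet} overlaps {other} ({what})")
    return problems

if __name__ == "__main__":
    print(check_client_lans(SERVER_CONF, CCD) or "route/iroute configuration is consistent")
```

To run it against a live server, read /etc/openvpn/server.conf into server_text and build the ccd dictionary from the files in /etc/openvpn/ccd, keyed by file name.<br />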
<br />
<!--'Add information on how to route several LANs to the server side'--><br />
<!--'<br />
===Pushing DHCP options to clients===<br />
<br />
===Configuring client-specific rules and access policies===<br />
<br />
===Routing all client traffic through the server===<br />
<br />
===Running an OpenVPN server on a dynamic IP address===<br />
<br />
===Implementing a load-balancing/failover configuration===<br />
<br />
===Locking down security===<br />
<br />
====Security through obfuscation====<br />
<br />
====Port knocking====<br />
<br />
====Running in unprivileged mode====<br />
<br />
====Running in a chroot jail====<br />
<br />
====Larger RSA keys====<br />
probably better to use blowfish...<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/server.conf|<br />
;cipher BF-CBC # Blowfish (default)<br />
;cipher AES-128-CBC # AES<br />
;cipher DES-EDE3-CBC # Triple-DES<br />
cipher AES-256-CBC<br />
}}<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/client.conf|<br />
;cipher x<br />
cipher AES-256-CBC<br />
}}<br />
<br />
===Revoking certificates===<br />
<br />
==Configuring iptables for use with OpenVPN==<br />
<br />
Add a rule for the tun devices on both the server and the client.<br />
{{Note|That the order of the rules is important. See [[iptables]] for more information}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -i tun+ -j ACCEPT}}<br />
<br />
Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -p udp --dport 1194 -j ACCEPT}}<br />
<br />
If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
'--><br />
<br />
<br />
==Deprecated older wiki content==<br />
<br />
{{Accuracy}}<br />
<br />
===Using PAM and passwords to authenticate===<br />
{{Note|client-cert-not-required disables client certificate verification, so the PAM username and password are the only credentials authenticating a client; ca.crt still lets clients authenticate the server.}}<br />
{{bc|<br />
port 1194<br />
proto udp<br />
dev tap<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
server 192.168.56.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
;learn-address ./script<br />
client-to-client<br />
;duplicate-cn<br />
keepalive 10 120<br />
;tls-auth ta.key 0<br />
comp-lzo<br />
;max-clients 100<br />
;user nobody<br />
;group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
client-cert-not-required<br />
username-as-common-name<br />
plugin /usr/lib/openvpn/openvpn-auth-pam.so login<br />
}}<br />
<br />
===Using certs to authenticate===<br />
{{bc|<br />
port 1194<br />
proto tcp<br />
dev tun0<br />
<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
<br />
server 10.8.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
<br />
log-append /var/log/openvpn<br />
status /tmp/vpn.status 10<br />
}}<br />
<br />
===Routing traffic through the server===<br />
<br />
Append the following to your server's openvpn.conf configuration file:<br />
{{bc|<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "redirect-gateway def1"<br />
}}<br />
Change "192.168.1.1" to your external DNS IP address.<br />
<br />
Use an iptables NAT rule to masquerade the VPN subnet behind the server's external interface (eth0 here), after enabling forwarding:<br />
{{bc|<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
}}<br />
<br />
If running Arch Linux in an OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:<br />
{{bc|<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)<br />
}}<br />
<br />
If all is well, make the changes permanent:<br />
<br />
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1<br />
<br />
{{bc|<br />
/etc/rc.d/iptables save<br />
}}<br />
<br />
===Setting up the Client===<br />
The client-side .conf file:<br />
====With password authentication====<br />
{{bc|<br />
client<br />
dev tap<br />
proto udp<br />
remote <address> 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-tun<br />
comp-lzo<br />
verb 3<br />
auth-user-pass passwd<br />
ca ca.crt<br />
}}<br />
<br />
The passwd file (referenced by auth-user-pass) must contain two lines:<br />
* first line - username<br />
* second line - password<br />
<br />
====Certs authentication====<br />
{{bc|<br />
client<br />
remote <MYSERVER> 1194<br />
dev tun0<br />
proto tcp<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
verb 2<br />
ca ca.crt<br />
cert client1.crt<br />
key client1.key<br />
comp-lzo<br />
}}<br />
Copy the following three files from the server to the client machine:<br />
* ca.crt<br />
* client1.crt<br />
* client1.key<br />
<br />
Install the tunnel/tap module:<br />
{{bc|<br />
# sudo modprobe tun<br />
}}<br />
<br />
To have the '''tun''' module loaded automatically at boot time, add it to the MODULES line in /etc/rc.conf.<br />
<br />
====DNS====<br />
The DNS servers used by the system are defined in '''/etc/resolv.conf'''. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
#<br />
# Parses DHCP options from openvpn to update resolv.conf<br />
# To use set as 'up' and 'down' script in your openvpn *.conf:<br />
# up /etc/openvpn/update-resolv-conf<br />
# down /etc/openvpn/update-resolv-conf<br />
#<br />
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk><br />
# and Chris Hanson<br />
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.<br />
#<br />
# 05/2006 chlauber@bnc.ch<br />
#<br />
# Example envs set from openvpn:<br />
# foreign_option_1='dhcp-option DNS 193.43.27.132'<br />
# foreign_option_2='dhcp-option DNS 193.43.27.133'<br />
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'<br />
<br />
[ -x /usr/sbin/resolvconf ] || exit 0<br />
<br />
case $script_type in<br />
<br />
up)<br />
  for optionname in ${!foreign_option_*} ; do<br />
    option="${!optionname}"<br />
    echo $option<br />
    part1=$(echo "$option" | cut -d " " -f 1)<br />
    if [ "$part1" == "dhcp-option" ] ; then<br />
      part2=$(echo "$option" | cut -d " " -f 2)<br />
      part3=$(echo "$option" | cut -d " " -f 3)<br />
      if [ "$part2" == "DNS" ] ; then<br />
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"<br />
      fi<br />
      if [ "$part2" == "DOMAIN" ] ; then<br />
        IF_DNS_SEARCH="$part3"<br />
      fi<br />
    fi<br />
  done<br />
  R=""<br />
  if [ "$IF_DNS_SEARCH" ] ; then<br />
    R="${R}search $IF_DNS_SEARCH<br />
"<br />
  fi<br />
  for NS in $IF_DNS_NAMESERVERS ; do<br />
    R="${R}nameserver $NS<br />
"<br />
  done<br />
  echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"<br />
  ;;<br />
down)<br />
  /usr/sbin/resolvconf -d "${dev}.inet"<br />
  ;;<br />
esac<br />
</nowiki>}}<br />
<br />
Remember to make the file executable with:<br />
{{bc|$ chmod +x /usr/share/openvpn/update-resolv-conf}}<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
{{bc|<br />
script-security 2<br />
up /usr/share/openvpn/update-resolv-conf<br />
down /usr/share/openvpn/update-resolv-conf<br />
}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
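The update-resolv-conf script takes whatever the server pushes in the foreign_option_N variables and writes it into resolv.conf, so those values are input chosen by the remote side. The following added example (not the article's script and not OpenVPN code) does the same parsing in Python but validates each value first: a DNS option must be an IP address and a DOMAIN option must be a syntactically valid DNS name, and anything else is reported instead of being handed to resolvconf. The environment it reads is constructed inline, and unlike the bash script it keeps every DOMAIN option rather than only the last one.<br />
<br />
```python
"""Validate dhcp-option values pushed by an OpenVPN server before they reach resolv.conf.

Added example, not the update-resolv-conf script from the article: it reads the same
foreign_option_N environment variables OpenVPN exports to an 'up' script, but checks
each nameserver is an IP address and each search domain is a syntactically valid
DNS name, and reports anything else instead of handing it to resolvconf.
"""
import ipaddress
import re

# Hostname label rule: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_OPTION_KEY = re.compile(r"^foreign_option_(\d+)$")


def is_valid_domain(name):
    """True for a plausible search domain such as be.bnc.ch."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_foreign_options(env):
    """Split foreign_option_N entries into (nameservers, search_domains, rejected).

    Entries are processed in numeric order. Unlike the bash script above, every
    DOMAIN option is kept rather than only the last one.
    """
    numbered = []
    for key in env:
        match = _OPTION_KEY.match(key)
        if match:
            numbered.append((int(match.group(1)), key))

    nameservers, search, rejected = [], [], []
    for _, key in sorted(numbered):
        value = env[key]
        parts = value.split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            rejected.append(value)
            continue
        kind, arg = parts[1], parts[2]
        if kind == "DNS":
            try:
                ipaddress.ip_address(arg)
            except ValueError:
                rejected.append(value)
            else:
                nameservers.append(arg)
        elif kind == "DOMAIN" and is_valid_domain(arg):
            search.append(arg)
        else:
            rejected.append(value)
    return nameservers, search, rejected


def render_resolv_conf(nameservers, search):
    """Produce the text that the script pipes into 'resolvconf -a'."""
    lines = []
    if search:
        lines.append("search " + " ".join(search))
    lines.extend("nameserver " + ns for ns in nameservers)
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Constructed environment resembling what OpenVPN exports on 'up'.
    sample_env = {
        "script_type": "up",
        "dev": "tun0",
        "foreign_option_1": "dhcp-option DNS 193.43.27.132",
        "foreign_option_2": "dhcp-option DOMAIN be.bnc.ch",
        "foreign_option_3": "dhcp-option DNS 193.43.27.133",
        "foreign_option_4": "dhcp-option DNS not-an-address",
    }
    ns, sd, bad = parse_foreign_options(sample_env)
    print(render_resolv_conf(ns, sd), end="")
    print("rejected:", bad)
```
<br />
Run as an OpenVPN 'up' script it would read os.environ instead of sample_env and pipe the rendered text to resolvconf -a "${dev}.inet" exactly as the bash script does; the rejected list is what you would log.<br />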
<br />
===Connecting to the Server===<br />
You need to start the service on the server:<br />
{{bc|<br />
/etc/rc.d/openvpn start<br />
}}<br />
Add openvpn to the DAEMONS array in rc.conf to make it permanent.<br />
<br />
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:<br />
{{bc|<br />
cd ~/.openvpn && sudo openvpn vpn1.conf<br />
}}</div>Smrtzhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=185954OpenVPN2012-02-23T23:15:28Z<p>Smrtz: /* Installing OpenVPN */</p>
<hr />
<div>[[Category:Virtual Private Network (English)]]<br />
{{i18n|OpenVPN}}<br />
{{Expansion}}<br />
<br />
<!--' Todo (at least :)<br />
add support for ipv6 and L2 ethernet bridging<br />
'--><br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
If your VPN provider gave you credentials (i.e. their cert, your cert and your key) and you want to use those to connect, much of this page can be ignored. See [[Airvpn]].<br />
<br />
OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. OpenVPN supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]], support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it.<br />
<br />
OpenVPN supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms.<br />
<br />
Overall, OpenVPN aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint.<br />
<br />
OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
<!--'<br />
==Preamble==<br />
'--><br />
<br />
==Installing OpenVPN==<br />
[[pacman|Install]] {{Pkg|openvpn}}, available in the [[Official Repositories]].<br />
<br />
{{bc|$ sudo pacman -S openvpn}}<br />
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.}}<br />
<br />
<!--' what does this do, and is the package still supported?<br />
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].<br />
'--><br />
<br />
==Configuring the kernel==<br />
<br />
OpenVPN requires the Universal TUN/TAP device driver support. Add the tun module to the MODULES array in /etc/rc.conf on both servers and clients.<br />
<br />
The default Arch Linux kernel is already properly configured, but if you build your own kernel make sure that you enable the TUN/TAP module.<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers ---><br />
  Network device support ---><br />
    [*] Network device support<br />
    <M> Universal TUN/TAP device driver support }}<br />
<br />
==Public Key Infrastructure (PKI)==<br />
<br />
The first step when setting up OpenVPN is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]]. The PKI consists of:<br />
<br />
* A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.<br />
* A separate public certificate and private key for each server and each client.<br />
<br />
To facilitate the key/certificate creation process, OpenVPN comes with a collection of [[Wikipedia:RSA (algorithm)|RSA]] key management scripts (based on the openssl command line tool) known as easy-rsa.<br />
<br />
{{Note| Only .key files need to be kept secret, .crt and .csr files can be sent over insecure channels such as plaintext email.}}<br />
<br />
In this article the needed keys and certificates are created in root's home directory. This ensures that the generated files have the right ownership and permissions, thus being safe from other users.<br />
<br />
{{Note|The keys and certificates can be created on any machine. For the highest security, generate the keys on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.}}<br />
<br />
{{Warning|Make sure that the generated files are backed up, especially the ca.key and ca.crt files, since if they are lost you will not be able to create any new, nor revoke any compromised, keys and certificates, thus requiring the generation of a new [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and key, invalidating the entire PKI.}}<br />
<br />
===Installing the easy-rsa scripts===<br />
<br />
Install the scripts by doing the following:<br />
<br />
{{bc|# cp -r /usr/share/openvpn/easy-rsa /root}}<br />
<br />
===Creating keys and certificates===<br />
<br />
Now you need to create the needed keys and certificates.<br />
<br />
Change to the directory where you installed the scripts.<br />
<br />
{{bc|# cd /root/easy-rsa}}<br />
<br />
To ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.<br />
<br />
{{hc|/root/easy-rsa/vars|<nowiki><br />
# easy-rsa parameter settings<br />
<br />
# NOTE: If you installed from an RPM,<br />
# don't edit this file in place in<br />
# /usr/share/openvpn/easy-rsa --<br />
# instead, you should copy the whole<br />
# easy-rsa directory to another location<br />
# (such as /etc/openvpn) so that your<br />
# edits will not be wiped out by a future<br />
# OpenVPN package upgrade.<br />
<br />
# This variable should point to<br />
# the top level of the easy-rsa<br />
# tree.<br />
export EASY_RSA="`pwd`"<br />
<br />
#<br />
# This variable should point to<br />
# the requested executables<br />
#<br />
export OPENSSL="openssl"<br />
export PKCS11TOOL="pkcs11-tool"<br />
export GREP="grep"<br />
<br />
<br />
# This variable should point to<br />
# the openssl.cnf file included<br />
# with easy-rsa.<br />
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`<br />
<br />
# Edit this variable to point to<br />
# your soon-to-be-created key<br />
# directory.<br />
#<br />
# WARNING: clean-all will do<br />
# a rm -rf on this directory<br />
# so make sure you define<br />
# it correctly!<br />
export KEY_DIR="$EASY_RSA/keys"<br />
<br />
# Issue rm -rf warning<br />
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR<br />
<br />
# PKCS11 fixes<br />
export PKCS11_MODULE_PATH="dummy"<br />
export PKCS11_PIN="dummy"<br />
<br />
# Increase this to 2048 if you<br />
# are paranoid. This will slow<br />
# down TLS negotiation performance<br />
# as well as the one-time DH parms<br />
# generation process.<br />
</nowiki>'''export KEY_SIZE&#61;2048'''<nowiki><br />
<br />
# In how many days should the root CA key expire?<br />
export CA_EXPIRE=3650<br />
<br />
# In how many days should certificates expire?<br />
export KEY_EXPIRE=3650<br />
<br />
# These are the default values for fields<br />
# which will be placed in the certificate.<br />
# Don't leave any of these fields blank.<br />
<br />
</nowiki><br />
'''export KEY_COUNTRY&#61;"US"'''<br />
'''export KEY_PROVINCE&#61;"CA"'''<br />
'''export KEY_CITY&#61;"Acme Acres"'''<br />
'''export KEY_ORG&#61;"Acme"'''<br />
'''export KEY_EMAIL&#61;"roadrunner@acmecorp.org"'''<br />
'''#export KEY_EMAIL&#61;mail@host.domain'''<br />
'''export KEY_CN&#61;Acme-CA'''<br />
'''export KEY_NAME&#61;Acme-CA'''<br />
'''export KEY_OU&#61;'''<nowiki><br />
export PKCS11_MODULE_PATH=changeme<br />
export PKCS11_PIN=1234<br />
</nowiki>}}<br />
<br />
Export the environment variables.<br />
<br />
{{bc|# source ./vars}}<br />
<br />
Delete any previously created certificates and keys.<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
{{Note|Entering a . (dot) when prompted for a value blanks out the parameter.}}<br />
<br />
The build-ca script generates the [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate/key pair.<br />
<br />
{{hc|# ./build-ca|<nowiki><br />
Generating a 2048 bit RSA private key<br />
..............++++++<br />
...++++++<br />
writing new private key to 'ca.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [Acme-CA]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
</nowiki>}}<br />
<br />
The build-key-server script (followed by the server name) generates a certificate/key pair for a server. Make sure that the server name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key-server elmer|<nowiki><br />
Generating a 2048 bit RSA private key<br />
.....................++++++<br />
.......................................................++++++<br />
writing new private key to 'elmer.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [elmer]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'elmer'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
The build-dh script generates the [http://www.rsa.com/rsalabs/node.asp?id=2248 Diffie-Hellman parameters] .pem file needed by the server.<br />
<br />
{{Note|It would be better to generate a new one for each server, but you can use the same one for your servers if you want to.}}<br />
<br />
{{hc|# ./build-dh|<br />
Generating DH parameters, 2048 bit long safe prime, generator 2<br />
This is going to take a long time<br />
..+.............................................................................<br />
.<br />
.<br />
.<br />
............+...............+...................................................<br />
..................................................................++*++*}}<br />
<br />
The build-key script (followed by a client name) generates a certificate/key pair for a client. Make sure that the client name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key bugs|<nowiki><br />
Generating a 2048 bit RSA private key<br />
....++++++<br />
.............................................................++++++<br />
writing new private key to 'bugs.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [bugs]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'bugs'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
Generate a secret [[Wikipedia:HMAC|Hash-based Message Authentication Code (HMAC)]] key by running:<br />
{{bc|# openvpn --genkey --secret /root/easy-rsa/keys/ta.key}}<br />
<br />
This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition, any UDP packet not carrying the correct HMAC signature will be immediately dropped, protecting against:<br />
<br />
* Port scanning.<br />
* DoS attacks on the OpenVPN UDP port.<br />
* SSL/TLS handshake initiations from unauthorized machines.<br />
* Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.<br />
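To make concrete what the shared HMAC key buys, the following added example (not OpenVPN's own code, and not its wire format, which also carries a packet ID and timestamp for replay protection) seals and checks packets with a shared key in Python: a receiver verifies the tag with a constant-time comparison and discards the packet before parsing anything else if the tag does not match. The key, the packets and the function names are all constructed here.<br />
<br />
```python
"""Show what a tls-auth HMAC key buys: unauthenticated packets are dropped before parsing.

Added example, not OpenVPN's own code or wire format (the real tls-auth packet also
carries a packet ID and timestamp for replay protection). It keeps the principle the
article describes: each control-channel packet carries an HMAC computed with the shared
ta.key, and the receiver discards anything whose tag does not verify.
"""
import hashlib
import hmac
import os

# OpenVPN's --auth default is SHA1; the logs later on this page show 'SHA1' for HMAC.
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def generate_key():
    """Stand-in for 'openvpn --genkey --secret ta.key': a random shared secret."""
    return os.urandom(64)


def seal(key, payload):
    """Prepend an HMAC-SHA1 tag computed over the payload."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


def open_or_drop(key, packet):
    """Return the payload if its tag verifies under key, otherwise None (dropped)."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    # compare_digest runs in constant time, so timing does not reveal how many
    # tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_packets(key, packets):
    """Gate a batch of packets; return (accepted payloads, number dropped)."""
    accepted, dropped = [], 0
    for packet in packets:
        payload = open_or_drop(key, packet)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


if __name__ == "__main__":
    key = generate_key()
    good = seal(key, b"control channel hello")
    # Constructed test packets: no tag knowledge, one flipped payload bit,
    # and a valid tag made with a different key.
    untagged = b"\x00" * TAG_LEN + b"control channel hello"
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    wrong_key = seal(generate_key(), b"control channel hello")
    accepted, dropped = filter_packets(key, [good, untagged, tampered, wrong_key])
    print(accepted, dropped)
```
<br />
Only the packet sealed with the right key comes through; the other three are dropped without the receiver ever looking at their contents, which is the property the four bullet points above rely on.<br />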
<br />
All the created keys and certificates have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.<br />
<br />
{{Warning|This will delete any previously generated keys and certificates stored in /root/easy-rsa/keys.}}<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.<br />
<br />
{{Note|In this article the keys and certificates will be placed into /etc/openvpn on the server and the client.}}<br />
<br />
The public ca.crt certificate will be needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.<br />
<br />
The public server.crt and dh2048.pem files, and the private server.key and ta.key files, are needed on the server.<br />
<br />
The public client.crt file, and the private client.key and ta.key files, are needed on the client.<br />
<br />
==Configuring OpenVPN==<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible; in fact, machines can be both "servers" and "clients", blurring the distinction between the two.<br />
<br />
What really distinguishes a server from a client is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. If it finds more than one configuration file it will start one OpenVPN process per configuration file.<br />
<br />
This article explains how to set up a machine that is called the server (elmer), and a machine that connects to it, called the client (bugs). More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
===The server configuration file===<br />
<br />
Copy the example server configuration file to /etc/openvpn/server.conf.<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf}}<br />
<br />
Edit the following:<br />
<br />
* The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying absolute paths will allow you to run the OpenVPN executable from any directory for testing purposes.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.<br />
* It is recommended to run OpenVPN with reduced privileges once it has initialized; do this by uncommenting the user and group directives.<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/elmer.crt<br />
key /etc/openvpn/elmer.key<br />
<br />
dh /etc/openvpn/dh2048.pem<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''0'''<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
{{Note|If the server is behind a firewall or a NAT router, you will have to forward the OpenVPN UDP port (1194) to the server.}}<br />
<br />
===The client configuration file===<br />
<br />
Copy the example client configuration file to /etc/openvpn/client.conf.<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf}}<br />
<br />
Edit the following:<br />
<br />
* The remote directive to reflect the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client) or IP address.<br />
* Uncomment the user and group directives to drop privileges.<br />
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
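As a check on both configuration files above, the following Python linter (added here; not part of OpenVPN or the article) parses a .conf file the way the daemon reads it, one directive per line with # and ; comments, and reports a missing or wrong-direction tls-auth (0 on the server, 1 on the client), a missing user/group privilege drop, relative certificate and key paths, and the client-cert-not-required directive from the password-only server example earlier on this page. The two configurations embedded in it are constructed from the fragments shown above; SERVER_CONF, CLIENT_CONF and lint_config are names chosen here.<br />
<br />
```python
"""Check OpenVPN server and client configuration files for the points made above.

Added example, not part of OpenVPN or the article: a small linter that parses a
.conf file the way the daemon reads it (one directive per line, # and ; comments)
and reports a missing or wrong-direction tls-auth (0 on the server, 1 on the client),
missing user/group privilege drop, relative certificate and key paths, and the
client-cert-not-required directive used in the password-only server example.
"""

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")


def parse_config(text):
    """Return [(directive, [args, ...])], skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def detect_role(entries):
    """'client' if the client directive is present, 'server' for server/mode server."""
    names = {directive for directive, _ in entries}
    if "client" in names:
        return "client"
    if "server" in names or ("mode", ["server"]) in entries:
        return "server"
    return "unknown"


def lint_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    entries = parse_config(text)
    role = detect_role(entries)
    by_name = {}
    for directive, args in entries:
        by_name.setdefault(directive, []).append(args)

    findings = []
    expected_direction = {"server": "0", "client": "1"}.get(role)
    if "tls-auth" not in by_name:
        findings.append("tls-auth missing: control channel packets are not HMAC protected")
    elif expected_direction is not None:
        for args in by_name["tls-auth"]:
            direction = args[1] if len(args) > 1 else None
            if direction != expected_direction:
                findings.append("tls-auth direction should be %s for a %s"
                                % (expected_direction, role))

    for directive in ("user", "group"):
        if directive not in by_name:
            findings.append("%s not set: daemon keeps its start-up privileges" % directive)

    for directive in FILE_DIRECTIVES:
        for args in by_name.get(directive, []):
            if args and not args[0].startswith("/"):
                findings.append("%s uses relative path %s" % (directive, args[0]))

    if "client-cert-not-required" in by_name:
        findings.append("client-cert-not-required: clients are authenticated by password only")
    return findings


# Constructed from the server.conf fragment shown above.
SERVER_CONF = """\
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/ta.key 0
user nobody
group nobody
"""

# Constructed from the client.conf fragment shown above, with two deliberate slips:
# tls-auth direction 0 and a relative ca path.
CLIENT_CONF = """\
client
remote elmer.acmecorp.org 1194
user nobody
group nobody
ca ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
tls-auth /etc/openvpn/ta.key 0
"""

if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.conf", CLIENT_CONF)):
        print(name, lint_config(conf) or ["ok"])
```
<br />
Running it against the password-authentication server example from the start of this page reports the commented-out tls-auth, the commented-out user and group directives, and client-cert-not-required, which is a compact statement of how that configuration differs from the certificate-based one.<br />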
<br />
==Testing the OpenVPN configuration==<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. You should see something similar to this:<br />
<br />
{{hc|# openvpn /etc/openvpn/server.conf|<nowiki><br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]<br />
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1<br />
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened<br />
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:26 2011 GID set to nobody<br />
Wed Dec 28 14:41:26 2011 UID set to nobody<br />
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194<br />
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]<br />
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST<br />
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed<br />
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
</nowiki>}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client.conf|<nowiki><br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]<br />
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay<br />
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]<br />
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194<br />
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194<br />
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)<br />
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified<br />
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64<br />
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened<br />
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
</nowiki>}}<br />
<br />
On the server, find the IP assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0</nowiki>}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}<br />
<br />
And the client side has been given the IP 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping 10.8.0.6|<nowiki><br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
^C<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
</nowiki>}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping 10.8.0.1|<nowiki><br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
^C<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
</nowiki>}}<br />
<br />
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.<br />
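The same session log can be audited rather than just read. The shell script below is an added example, not part of the original article or of OpenVPN itself: it extracts the peer's Common Name, the negotiated data-channel cipher and HMAC, and the pushed tunnel addresses from log lines reused from the client log above, and counts the findings a reviewer would raise (here the default BF-CBC data-channel cipher, which the article elsewhere suggests replacing with AES-256-CBC). The temporary log file and the function names are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki article): pull the facts worth checking
# out of an OpenVPN client log and flag what a reviewer would flag. The sample
# reuses lines from the session log shown in the article; the peer name and
# addresses are the article's hypothetical ones.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
EOF

# Common Name of the certificate the server presented (depth=0 is the leaf)
peer_cn() { sed -n 's/.*VERIFY OK: depth=0,.*\/CN=\([^/]*\).*/\1/p' "$1" | head -n 1; }
# negotiated data-channel cipher and HMAC hash
data_cipher() { sed -n "s/.*Data Channel Encrypt: Cipher '\([^']*\)'.*/\1/p" "$1" | head -n 1; }
data_hmac() { sed -n "s/.*Data Channel Encrypt: Using [0-9]* bit message hash '\([^']*\)'.*/\1/p" "$1" | head -n 1; }
# pushed LOG OPTION: the arguments of OPTION inside the PUSH_REPLY (ifconfig, route, ...)
pushed() {
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" "$1" | tr ',' '\n' | grep "^$2 " | cut -d' ' -f2- || true
}
session_complete() { grep -q 'Initialization Sequence Completed' "$1"; }

# audit_findings LOG: explain each finding on stderr, print the count on stdout
audit_findings() {
    n=0
    cipher=$(data_cipher "$1")
    case $cipher in
        AES-*) ;;
        *) echo "data channel negotiated '$cipher'; prefer an AES cipher (cipher AES-256-CBC)" >&2
           n=$((n + 1)) ;;
    esac
    grep -q 'VERIFY OK: nsCertType=SERVER' "$1" ||
        { echo "server certificate was not checked for nsCertType=SERVER" >&2; n=$((n + 1)); }
    session_complete "$1" ||
        { echo "no 'Initialization Sequence Completed' line: the tunnel never came up" >&2; n=$((n + 1)); }
    echo "$n"
}

echo "peer=$(peer_cn "$LOG") cipher=$(data_cipher "$LOG") hmac=$(data_hmac "$LOG") tun=$(pushed "$LOG" ifconfig)"
echo "findings: $(audit_findings "$LOG")"
```
<br />
Point the functions at /var/log/openvpn or the output of openvpn --verb 3 instead of the sample file to audit a real session; the summary line is what to compare against the server configuration you expect.<br />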
<br />
==Starting OpenVPN==<br />
<br />
To start OpenVPN manually run:<br />
<br />
{{bc|# rc.d start openvpn}}<br />
<br />
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.<br />
<br />
==Advanced OpenVPN configuration==<br />
<br />
===Routing the LAN of the server to a client===<br />
<br />
Prerequisites:<br />
<br />
* The server (elmer) is on a LAN using the [[Wikipedia:Private_network#Private_IPv4_address_spaces|private class C network range]] 10.66.0.0/24.<br />
* The server's LAN network interface is called eth0.<br />
* The client (bugs) is assigned an IP address out of the address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):<br />
{{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}<br />
<br />
As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To enable it temporarily without rebooting, run: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
<!--'Investigate if scripts hooked into openvpn can do this, http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR'--><br />
As the server will have to accept traffic destined to a different IP than its LAN interface (eth0) is configured for, it needs to be set to [[Wikipedia:Promiscuous_mode|promiscuous mode]]. Add the following to /etc/rc.local: {{hc|/etc/rc.local|ip link set dev eth0 promisc on}} This takes effect at the next boot; to enable it without rebooting, run {{ic|# ip link set dev eth0 promisc on}}.<br />
<br />
To inform the client about the available subnet, add a push directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:<br />
* Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.<br />
* Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
<br />
<!--'Add information on how to route several lans to the client'--><br />
<br />
===Routing the LAN of a client to the server===<br />
<br />
Prerequisites:<br />
<br />
* You must make sure that any subnets used on the client side (bugs) are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the client's LAN.<br />
* The client's LAN network interface is called eth0.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its configuration file.<br />
<br />
As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To enable it temporarily without rebooting, run: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
As the client will have to accept traffic destined to a different IP than its LAN interface is configured for, you will need to set it to [[Wikipedia:Promiscuous_mode|promiscuous mode]]. Add the following to /etc/rc.local: {{hc|/etc/rc.local|ip link set dev eth0 promisc on}} This takes effect at the next boot; to enable it without rebooting, run {{ic|# ip link set dev eth0 promisc on}}.<br />
<br />
You must now create a client configuration directory on the server (elmer). When a client connects, the server process will check this directory for a file named the same as the client certificate's common name, and apply the directives to the client.<br />
<br />
{{bc|# mkdir -p /etc/openvpn/ccd}}<br />
<br />
Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0. This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This will tell the server that the 192.168.4.0/24 subnet should be routed from the tun device to the server process. Both are needed:<br />
<br />
{{hc|/etc/openvpn/server.conf|route 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|If the client (bugs) is not the default LAN gateway on the client side, you will need to do one of the following:<br />
* Add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address.<br />
* Add a static route to each host on the client side LAN that you want to be able to respond to the server.<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
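Both routing sections above rest on a few invariants that are easy to break by hand: every iroute in a ccd file needs a matching route directive in server.conf, client LANs must not overlap each other or the VPN pool, pushed LAN routes must not collide with the pool either, and duplicate-cn must stay off. The script below is an added example, not from the article or from OpenVPN: it builds a throwaway server.conf and ccd directory with constructed values (the second client daffy and its subnet are hypothetical) and reports violations of those rules. The client-config-dir line in the sample is the OpenVPN directive that points the server at the ccd directory.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki article): check the ccd/iroute routing
# setup for the mistakes the article warns about. Constructed sample data with
# hypothetical names; nothing here touches the real /etc/openvpn.

# dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# overlaps NET1 MASK1 NET2 MASK2: succeeds when the two networks share addresses
overlaps() {
    n1=$(ip2int "$1"); m1=$(ip2int "$2"); n2=$(ip2int "$3"); m2=$(ip2int "$4")
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi   # the shorter prefix decides
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# check_routing SERVER_CONF CCD_DIR: prints one line per problem found
check_routing() {
    conf=$1; ccd=$2
    pool_net=$(awk '$1=="server"{print $2}' "$conf")
    pool_mask=$(awk '$1=="server"{print $3}' "$conf")
    routes=$(mktemp)
    # one numbered line per client subnet: "<n> <cn> <net> <mask>"
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        awk -v cn="$(basename "$f")" '$1=="iroute"{print cn, $2, $3}' "$f"
    done | awk '{print NR, $0}' >"$routes"

    grep -q '^duplicate-cn' "$conf" &&
        echo "server.conf enables duplicate-cn, but ccd files are matched by unique Common Name"

    # pushed LAN routes (push "route NET MASK") must not collide with the pool
    sed -n 's/^push "route \([^"]*\)"/\1/p' "$conf" | while read -r net mask; do
        overlaps "$net" "$mask" "$pool_net" "$pool_mask" &&
            echo "pushed route $net/$mask overlaps the VPN pool $pool_net/$pool_mask"
    done

    while read -r i cn net mask; do
        grep -q "^route $net $mask" "$conf" ||
            echo "$cn: iroute $net $mask has no matching route directive in server.conf"
        overlaps "$net" "$mask" "$pool_net" "$pool_mask" &&
            echo "$cn: $net/$mask overlaps the VPN pool $pool_net/$pool_mask"
        while read -r j ocn onet omask; do
            [ "$j" -gt "$i" ] || continue        # compare each pair once
            overlaps "$net" "$mask" "$onet" "$omask" &&
                echo "$cn and $ocn: $net/$mask overlaps $onet/$omask"
        done <"$routes"
    done <"$routes"
    rm -f "$routes"
}

problem_count() { check_routing "$1" "$2" | awk 'END { print NR }'; }

# constructed sample: the article's server and client bugs, plus a second client
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 10.66.0.0 255.255.255.0"
route 192.168.4.0 255.255.255.0
EOF
mkdir "$WORK/ccd"
echo 'iroute 192.168.4.0 255.255.255.0' >"$WORK/ccd/bugs"
# hypothetical client daffy: its LAN collides with bugs' LAN and its iroute was
# never mirrored by a route directive in server.conf
echo 'iroute 192.168.4.128 255.255.255.128' >"$WORK/ccd/daffy"

check_routing "$WORK/server.conf" "$WORK/ccd"
```
<br />
Run check_routing against /etc/openvpn/server.conf and /etc/openvpn/ccd on the server after every change to a client's LAN; an empty output means the two sections' prerequisites still hold.<br />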
<br />
<!--'Add information on how to route several LANs to the server side'--><br />
<!--'<br />
===Pushing DHCP options to clients===<br />
<br />
===Configuring client-specific rules and access policies===<br />
<br />
===Routing all client traffic through the server===<br />
<br />
===Running an OpenVPN server on a dynamic IP address===<br />
<br />
===Implementing a load-balancing/failover configuration===<br />
<br />
===Locking down security===<br />
<br />
====Security through obfuscation====<br />
<br />
====Port knocking====<br />
<br />
====Running in unprivileged mode====<br />
<br />
====Running in a chroot jail====<br />
<br />
====Larger RSA keys====<br />
probably better to use blowfish...<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/server.conf|<br />
;cipher BF-CBC # Blowfish (default)<br />
;cipher AES-128-CBC # AES<br />
;cipher DES-EDE3-CBC # Triple-DES<br />
cipher AES-256-CBC<br />
}}<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/client.conf|<br />
;cipher x<br />
cipher AES-256-CBC<br />
}}<br />
<br />
===Revoking certificates===<br />
<br />
==Configuring iptables for use with OpenVPN==<br />
<br />
Add a rule for the tun devices on both the server and the client.<br />
{{Note|That the order of the rules is important. See [[iptables]] for more information}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -i tun+ -j ACCEPT}}<br />
<br />
Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -p udp --dport 1194 -j ACCEPT}}<br />
<br />
If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
'--><br />
<br />
<br />
==Deprecated older wiki content==<br />
<br />
{{Accuracy}}<br />
<br />
===Using PAM and passwords to authenticate===<br />
{{bc|<br />
port 1194<br />
proto udp<br />
dev tap<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
server 192.168.56.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
;learn-address ./script<br />
client-to-client<br />
;duplicate-cn<br />
keepalive 10 120<br />
;tls-auth ta.key 0<br />
comp-lzo<br />
;max-clients 100<br />
;user nobody<br />
;group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
client-cert-not-required<br />
username-as-common-name<br />
plugin /usr/lib/openvpn/openvpn-auth-pam.so login<br />
}}<br />
<br />
===Using certs to authenticate===<br />
{{bc|<br />
port 1194<br />
proto tcp<br />
dev tun0<br />
<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
<br />
server 10.8.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
<br />
log-append /var/log/openvpn<br />
status /tmp/vpn.status 10<br />
}}<br />
<br />
===Routing traffic through the server===<br />
<br />
Append the following to your server's openvpn.conf configuration file:<br />
{{bc|<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "redirect-gateway def1"<br />
}}<br />
Change "192.168.1.1" to your external DNS IP address.<br />
<br />
Use an iptables rule for NAT forwarding:<br />
{{bc|<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
}}<br />
<br />
If running Arch Linux in an OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:<br />
{{bc|<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)<br />
}}<br />
<br />
If all is well, make the changes permanent:<br />
<br />
Edit /etc/conf.d/iptables and set IPTABLES_FORWARD=1, then save the rules:<br />
<br />
{{bc|<br />
/etc/rc.d/iptables save<br />
}}<br />
<br />
===Setting up the Client===<br />
The client-side .conf file:<br />
====With password authentication====<br />
{{bc|<br />
client<br />
dev tap<br />
proto udp<br />
remote <address> 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-tun<br />
comp-lzo<br />
verb 3<br />
auth-user-pass passwd<br />
ca ca.crt<br />
}}<br />
<br />
The passwd file (referenced by auth-user-pass) must contain two lines:<br />
* the first line holds the username<br />
* the second line holds the password<br />
<br />
====Certs authentication====<br />
{{bc|<br />
client<br />
remote <MYSERVER> 1194<br />
dev tun0<br />
proto tcp<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
verb 2<br />
ca ca.crt<br />
cert client1.crt<br />
key client1.key<br />
comp-lzo<br />
}}<br />
Copy the following three files from the server to the remote computer:<br />
* ca.crt<br />
* client1.crt<br />
* client1.key<br />
<br />
Install the tunnel/tap module:<br />
{{bc|<br />
# modprobe tun<br />
}}<br />
<br />
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf<br />
<br />
====DNS====<br />
The DNS servers used by the system are defined in '''/etc/resolv.conf'''. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
#<br />
# Parses DHCP options from openvpn to update resolv.conf<br />
# To use set as 'up' and 'down' script in your openvpn *.conf:<br />
# up /etc/openvpn/update-resolv-conf<br />
# down /etc/openvpn/update-resolv-conf<br />
#<br />
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk><br />
# and Chris Hanson<br />
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.<br />
#<br />
# 05/2006 chlauber@bnc.ch<br />
#<br />
# Example envs set from openvpn:<br />
# foreign_option_1='dhcp-option DNS 193.43.27.132'<br />
# foreign_option_2='dhcp-option DNS 193.43.27.133'<br />
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'<br />
<br />
[ -x /usr/sbin/resolvconf ] || exit 0<br />
<br />
case $script_type in<br />
<br />
up)<br />
    # collect every pushed "dhcp-option DNS x" and "dhcp-option DOMAIN y"<br />
    for optionname in ${!foreign_option_*} ; do<br />
        option="${!optionname}"<br />
        echo "$option"<br />
        part1=$(echo "$option" | cut -d " " -f 1)<br />
        if [ "$part1" == "dhcp-option" ] ; then<br />
            part2=$(echo "$option" | cut -d " " -f 2)<br />
            part3=$(echo "$option" | cut -d " " -f 3)<br />
            if [ "$part2" == "DNS" ] ; then<br />
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"<br />
            fi<br />
            if [ "$part2" == "DOMAIN" ] ; then<br />
                IF_DNS_SEARCH="$part3"<br />
            fi<br />
        fi<br />
    done<br />
    # build the resolv.conf fragment and register it under this tun device's name<br />
    R=""<br />
    if [ "$IF_DNS_SEARCH" ] ; then<br />
        R="${R}search $IF_DNS_SEARCH<br />
"<br />
    fi<br />
    for NS in $IF_DNS_NAMESERVERS ; do<br />
        R="${R}nameserver $NS<br />
"<br />
    done<br />
    echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"<br />
    ;;<br />
down)<br />
    # remove this device's entries again when the tunnel goes down<br />
    /usr/sbin/resolvconf -d "${dev}.inet"<br />
    ;;<br />
esac<br />
</nowiki>}}<br />
<br />
Remember to make the file executable with:<br />
{{bc|# chmod +x /usr/share/openvpn/update-resolv-conf}}<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
{{bc|<br />
script-security 2<br />
up /usr/share/openvpn/update-resolv-conf<br />
down /usr/share/openvpn/update-resolv-conf<br />
}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
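Because script-security 2 lets the server push arbitrary dhcp-option values into the script above, a variant that validates each value before it reaches resolv.conf is worth having. The script below is an added example, not the article's update-resolv-conf and not OpenVPN-supplied code: it gathers the foreign_option_N variables the same way, accepts only dotted-quad IPv4 nameservers and hostname-shaped search domains, reports and skips everything else, and goes beyond the original by collecting every DOMAIN into one search line. The sample option values are constructed.<br />
<br />
```shell
#!/bin/sh
# Added example (not the ArchWiki script): build the resolv.conf fragment from
# OpenVPN's foreign_option_N variables, validating each pushed value first.
# The values below are a constructed sample of what OpenVPN exports on "up".
export foreign_option_1='dhcp-option DNS 10.8.0.1'
export foreign_option_2='dhcp-option DOMAIN acme.internal'
export foreign_option_3='dhcp-option DNS 10.8.0.300'
export foreign_option_4='dhcp-option DOMAIN acme internal'

# is_ipv4 ADDR: four decimal octets, each 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$1" | { IFS=. read -r a b c d
                  [ "$a" -le 255 ] && [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ]; }
}

# is_hostname NAME: dot-separated labels of letters, digits and inner hyphens
is_hostname() {
    [ ${#1} -le 253 ] &&
    echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# collect_foreign_options: the exported foreign_option_N values, in order of N
collect_foreign_options() {
    env | sed -n 's/^foreign_option_\([0-9][0-9]*\)=/\1 /p' | sort -n | cut -d' ' -f2-
}

# build_resolv_fragment: reads options on stdin, writes the fragment to stdout,
# reports rejected values on stderr
build_resolv_fragment() {
    search=""; servers=""
    while read -r kind key value extra; do
        [ "$kind" = "dhcp-option" ] || continue
        if [ -n "$extra" ]; then
            echo "rejected (trailing data): $key $value $extra" >&2
            continue
        fi
        case $key in
            DNS)
                if is_ipv4 "$value"; then servers="$servers $value"
                else echo "rejected (not an IPv4 address): $value" >&2; fi ;;
            DOMAIN)
                if is_hostname "$value"; then search="$search $value"
                else echo "rejected (not a hostname): $value" >&2; fi ;;
            *)
                echo "ignored dhcp-option $key" >&2 ;;
        esac
    done
    [ -n "$search" ] && echo "search${search}"
    for ns in $servers; do echo "nameserver $ns"; done
}

collect_foreign_options | build_resolv_fragment
```
<br />
In a real up script the output would be piped on to /usr/sbin/resolvconf -a "${dev}.inet" exactly as the original does; with the sample above, the two malformed options are reported on stderr and only the valid nameserver and search domain make it into the fragment.<br />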
<br />
===Connecting to the Server===<br />
You need to start the service on the server:<br />
{{bc|<br />
/etc/rc.d/openvpn start<br />
}}<br />
You can add it to rc.conf to make it permanent.<br />
<br />
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:<br />
{{bc|<br />
cd ~/.openvpn && sudo openvpn vpn1.conf<br />
}}</div>Smrtzhttps://wiki.archlinux.org/index.php?title=OpenVPN&diff=185953OpenVPN2012-02-23T23:14:58Z<p>Smrtz: /* Installing OpenVPN */</p>
<hr />
<div>[[Category:Virtual Private Network (English)]]<br />
{{i18n|OpenVPN}}<br />
{{Expansion}}<br />
<br />
<!--' Todo (at least :)<br />
add support for ipv6 and L2 ethernet bridging<br />
'--><br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
If your VPN provider gave you credentials (i.e. their cert, your cert and your key) and you want to use those to connect, much of this page can be ignored. See [[Airvpn]].<br />
<br />
OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. OpenVPN supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]], support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its cryptographic capability from it.<br />
<br />
OpenVPN supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms.<br />
<br />
Overall, OpenVPN aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint.<br />
<br />
OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
<!--'<br />
==Preamble==<br />
'--><br />
<br />
==Installing OpenVPN==<br />
[[pacman|Install]] {{Pkg|openvpn}}, available in the [[Official Repositories]]:<br />
{{bc|# pacman -S openvpn}}<br />
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create vpn connections.}}<br />
<br />
<!--' what does this do, and is the package still supported?<br />
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].<br />
'--><br />
<br />
==Configuring the kernel==<br />
<br />
OpenVPN requires the Universal TUN/TAP device driver support. Add the tun module to the modules array in /etc/rc.conf on both servers and clients.<br />
<br />
The default Arch Linux kernel is already properly configured, but if you build your own kernel make sure that you enable the TUN/TAP module.<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers ---><br />
Network device support ---><br />
[*]Network device support<br />
<M> Universal TUN/TAP device driver support }}<br />
<br />
==Public Key Infrastructure (PKI)==<br />
<br />
The first step when setting up OpenVPN is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]]. The PKI consists of:<br />
<br />
* A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.<br />
* A separate public certificate and private key for each server and each client.<br />
<br />
To facilitate the key/certificate creation process, OpenVPN comes with a collection of [[Wikipedia:RSA (algorithm)|RSA]] key management scripts (based on the openssl command line tool) known as easy-rsa.<br />
<br />
{{Note| Only .key files need to be kept secret, .crt and .csr files can be sent over insecure channels such as plaintext email.}}<br />
<br />
In this article the needed keys and certificates are created in root's home directory. This ensures that the generated files have the right ownership and permissions, thus being safe from other users.<br />
<br />
{{Note|The keys and certificates can be created on any machine. For the highest security, generate the keys on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.}}<br />
<br />
{{Warning|Make sure that the generated files are backed up, especially the ca.key and ca.crt files, since if they are lost you will not be able to create any new keys and certificates, nor revoke any compromised ones, thus requiring the generation of a new [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and key and invalidating the entire PKI infrastructure.}}<br />
<br />
===Installing the easy-rsa scripts===<br />
<br />
Install the scripts by doing the following:<br />
<br />
{{bc|# cp -r /usr/share/openvpn/easy-rsa /root}}<br />
<br />
===Creating keys and certificates===<br />
<br />
Now you need to create the needed keys and certificates.<br />
<br />
Change to the directory where you installed the scripts.<br />
<br />
{{bc|# cd /root/easy-rsa}}<br />
<br />
To ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.<br />
<br />
{{hc|/root/easy-rsa/vars|<nowiki><br />
# easy-rsa parameter settings<br />
<br />
# NOTE: If you installed from an RPM,<br />
# don't edit this file in place in<br />
# /usr/share/openvpn/easy-rsa --<br />
# instead, you should copy the whole<br />
# easy-rsa directory to another location<br />
# (such as /etc/openvpn) so that your<br />
# edits will not be wiped out by a future<br />
# OpenVPN package upgrade.<br />
<br />
# This variable should point to<br />
# the top level of the easy-rsa<br />
# tree.<br />
export EASY_RSA="`pwd`"<br />
<br />
#<br />
# This variable should point to<br />
# the requested executables<br />
#<br />
export OPENSSL="openssl"<br />
export PKCS11TOOL="pkcs11-tool"<br />
export GREP="grep"<br />
<br />
<br />
# This variable should point to<br />
# the openssl.cnf file included<br />
# with easy-rsa.<br />
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`<br />
<br />
# Edit this variable to point to<br />
# your soon-to-be-created key<br />
# directory.<br />
#<br />
# WARNING: clean-all will do<br />
# a rm -rf on this directory<br />
# so make sure you define<br />
# it correctly!<br />
export KEY_DIR="$EASY_RSA/keys"<br />
<br />
# Issue rm -rf warning<br />
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR<br />
<br />
# PKCS11 fixes<br />
export PKCS11_MODULE_PATH="dummy"<br />
export PKCS11_PIN="dummy"<br />
<br />
# Increase this to 2048 if you<br />
# are paranoid. This will slow<br />
# down TLS negotiation performance<br />
# as well as the one-time DH parms<br />
# generation process.<br />
</nowiki>'''export KEY_SIZE&#61;2048'''<nowiki><br />
<br />
# In how many days should the root CA key expire?<br />
export CA_EXPIRE=3650<br />
<br />
# In how many days should certificates expire?<br />
export KEY_EXPIRE=3650<br />
<br />
# These are the default values for fields<br />
# which will be placed in the certificate.<br />
# Don't leave any of these fields blank.<br />
<br />
</nowiki><br />
'''export KEY_COUNTRY&#61;"US"'''<br />
'''export KEY_PROVINCE&#61;"CA"'''<br />
'''export KEY_CITY&#61;"Acme Acres"'''<br />
'''export KEY_ORG&#61;"Acme"'''<br />
'''export KEY_EMAIL&#61;"roadrunner@acmecorp.org"'''<br />
'''#export KEY_EMAIL&#61;mail@host.domain'''<br />
'''export KEY_CN&#61;Acme-CA'''<br />
'''export KEY_NAME&#61;Acme-CA'''<br />
'''export KEY_OU&#61;'''<nowiki><br />
export PKCS11_MODULE_PATH=changeme<br />
export PKCS11_PIN=1234<br />
</nowiki>}}<br />
<br />
Export the environment variables.<br />
<br />
{{bc|# source ./vars}}<br />
<br />
Delete any previously created certificates and keys.<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
{{Note|Entering a . (dot) when prompted for a value blanks out the parameter.}}<br />
<br />
The build-ca script generates the [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate/key pair.<br />
<br />
{{hc|# ./build-ca|<nowiki><br />
Generating a 2048 bit RSA private key<br />
..............++++++<br />
...++++++<br />
writing new private key to 'ca.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [Acme-CA]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
</nowiki>}}<br />
<br />
The build-key-server script (followed by the server name) generates a certificate/key pair for a server. Make sure that the server name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key-server elmer|<nowiki><br />
Generating a 2048 bit RSA private key<br />
.....................++++++<br />
.......................................................++++++<br />
writing new private key to 'elmer.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [elmer]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'elmer'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
The build-dh script generates the [http://www.rsa.com/rsalabs/node.asp?id=2248 Diffie-Hellman parameters] .pem file needed by the server.<br />
<br />
{{Note|It would be better to generate a new one for each server, but you can use the same one for your servers if you want to.}}<br />
<br />
{{hc|# ./build-dh|<br />
Generating DH parameters, 2048 bit long safe prime, generator 2<br />
This is going to take a long time<br />
..+.............................................................................<br />
.<br />
.<br />
.<br />
............+...............+...................................................<br />
..................................................................++*++*}}<br />
<br />
The build-key script (followed by a client name) generates a certificate/key pair for a client. Make sure that the client name (Common Name when running the script) is unique.<br />
<br />
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}<br />
<br />
{{hc|# ./build-key bugs|<nowiki><br />
Generating a 2048 bit RSA private key<br />
....++++++<br />
.............................................................++++++<br />
writing new private key to 'bugs.key'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [CA]:<br />
Locality Name (eg, city) [Acme Acres]:<br />
Organization Name (eg, company) [Acme]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, your name or your server's hostname) [bugs]:<br />
Name [Acme-CA]:<br />
Email Address [roadrunner@acmecorp.org]:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf<br />
Check that the request matches the signature<br />
Signature ok<br />
The Subject's Distinguished Name is as follows<br />
countryName :PRINTABLE:'US'<br />
stateOrProvinceName :PRINTABLE:'CA'<br />
localityName :PRINTABLE:'Acme Acres'<br />
organizationName :PRINTABLE:'Acme'<br />
commonName :PRINTABLE:'bugs'<br />
name :PRINTABLE:'Acme-CA'<br />
emailAddress :IA5STRING:'roadrunner@acmecorp.org'<br />
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</nowiki>}}<br />
<br />
Generate a secret [[Wikipedia:HMAC|Hash-based Message Authentication Code (HMAC)]] by running:<br />
{{ic|# openvpn --genkey --secret /root/easy-rsa/keys/ta.key}}<br />
<br />
This key is used to add an extra HMAC to every SSL/TLS handshake packet (OpenVPN calls the feature tls-auth). Any UDP packet that does not carry the correct HMAC is dropped immediately, before it reaches the TLS code, which protects against:<br />
<br />
* Port scanning.<br />
* DoS attacks on the OpenVPN UDP port.<br />
* SSL/TLS handshake initiations from machines that do not hold ta.key.<br />
* Buffer overflow vulnerabilities in the SSL/TLS implementation, since unauthenticated packets never reach it.<br />
<br />
All the created keys and certificates have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.<br />
<br />
{{Warning|This will delete any previously generated keys and certificates stored in /root/easy-rsa/keys.}}<br />
<br />
{{bc|# ./clean-all}}<br />
<br />
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.<br />
<br />
{{Note|In this article the keys and certificates will be placed into /etc/openvpn on the server and the client.}}<br />
<br />
The public ca.crt certificate is needed on all servers and clients. The private ca.key is the signing key of your CA: it is only needed on the key-generating machine, and anyone holding it can issue certificates that every server and client will accept, so keep it off the VPN hosts.<br />
<br />
The server needs ca.crt, its own public certificate and private key (elmer.crt and elmer.key in this article), dh2048.pem and ta.key.<br />
<br />
The client needs ca.crt, its own public certificate and private key (bugs.crt and bugs.key) and ta.key.<br />
<br />
ta.key is a shared secret, not a public file: on every machine it is copied to, treat it like a private key (readable by root only), since anyone holding it can reach the TLS layer of the server.<br />
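Before copying a bundle to a machine, it is worth checking it. The following script is an added example and is not part of this page or of easy-rsa: it checks that a client's certificate was signed by ca.crt (and not by some other CA), that the private key actually belongs to that certificate, that the Common Name is the one expected (the server uses it for ccd lookups and in its logs), and that the private key and ta.key are not readable by other users. Only the openssl command line is assumed. The make_demo_pki function builds a throw-away CA and certificate (the names daffy and the /CN=Acme-CA subject are made up for the demo) so that the check can be exercised offline in place of easy-rsa's build-ca and build-key.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page or of easy-rsa: sanity-check an
# OpenVPN certificate bundle before it is copied to a machine. Only the openssl
# CLI is assumed. File names follow the article: ca.crt, NAME.crt, NAME.key and,
# optionally, ta.key in the same directory.
set -u

# check_bundle DIR NAME
# Prints one line per problem found and returns 1 if there was any.
check_bundle() {
    dir=$1; name=$2; rc=0
    ca="$dir/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done

    # 1. Chain: the certificate must be signed by *our* CA. A certificate from
    #    any other CA is rejected by the peer's "ca" directive anyway.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "chain: $crt is not signed by $ca"; rc=1
    fi

    # 2. Key/certificate match: the public key in the certificate must equal
    #    the public half of the private key.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$pub_crt" ] || [ "$pub_crt" != "$pub_key" ]; then
        echo "mismatch: $key is not the private key of $crt"; rc=1
    fi

    # 3. Common Name: OpenVPN uses it for client-config-dir lookups and in its
    #    logs, so it must be the name the bundle is meant for.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$name" ]; then
        echo "cn: expected '$name', certificate has '$cn'"; rc=1
    fi

    # 4. Permissions: the private key and ta.key are secrets; the group and
    #    other bits (columns 5-10 of ls -l) must all be '-'.
    for f in "$key" "$dir/ta.key"; do
        [ -e "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "perm: $f is readable by group or others"; rc=1
        fi
    done
    return $rc
}

# make_demo_pki DIR NAME
# Throw-away CA plus one signed certificate, constructed here so the check can
# be run offline; it stands in for easy-rsa's build-ca and build-key.
make_demo_pki() {
    dir=$1; name=$2
    mkdir -p "$dir" && chmod 700 "$dir" &&
    ( cd "$dir" &&
      openssl genrsa -out ca.key 2048 >/dev/null 2>&1 &&
      openssl req -new -x509 -key ca.key -days 3650 -subj "/CN=Acme-CA" \
          -out ca.crt >/dev/null 2>&1 &&
      openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1 &&
      openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" \
          >/dev/null 2>&1 &&
      openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 3650 -out "$name.crt" >/dev/null 2>&1 &&
      chmod 600 ca.key "$name.key" )
}

# Demo when run as a script: a good bundle passes, a leaked key is reported.
if [ "${0##*/}" = "check_bundle.sh" ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" bugs && check_bundle "$tmp" bugs && echo "bugs: OK"
    chmod 644 "$tmp/bugs.key"
    check_bundle "$tmp" bugs || echo "bugs: problems found (expected)"
    rm -rf "$tmp"
fi
```
<br />
Run it as check_bundle.sh to see the demo, or source it and call check_bundle /root/easy-rsa/keys bugs on the real easy-rsa output before copying. The key/certificate comparison uses the public key rather than the certificate serial because a stale .key left over from a previous build-key run of the same name is the usual cause of a "bad decrypt" or handshake failure that is otherwise hard to diagnose.<br />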
<br />
==Configuring OpenVPN==<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible; a machine can even be both a "server" and a "client", blurring the distinction between the two.<br />
<br />
What really distinguishes a server from a client is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup and acts accordingly; if it finds more than one configuration file it starts one OpenVPN process per configuration file.<br />
<br />
This article explains how to setup a machine that is called the server (elmer), and a machine that connects to it is called the client (bugs). More servers and clients can easily be added, by creating more key/certificate pairs and adding more server and client configuration files.<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
===The server configuration file===<br />
<br />
Copy the example server configuration file to /etc/openvpn/server.conf<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf}}<br />
<br />
Edit the following:<br />
<br />
* The ca, cert, key, and dh parameters to reflect the paths and names of the keys and certificates. Using absolute paths lets you start the openvpn executable from any directory, for example when testing.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.<br />
* It is recommended to run OpenVPN with reduced privileges once it has initialized; do this by uncommenting the user and group directives.<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/elmer.crt<br />
key /etc/openvpn/elmer.key<br />
<br />
dh /etc/openvpn/dh2048.pem<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''0'''<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
{{Note|If the server is behind a firewall or a NAT router, you will have to forward the OpenVPN UDP port (1194) to the server.}}<br />
<br />
===The client configuration file===<br />
<br />
Copy the example client configuration file to /etc/openvpn/client.conf<br />
<br />
{{bc|# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf}}<br />
<br />
Edit the following:<br />
<br />
* The remote directive to reflect the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client) or IP address.<br />
* Uncomment the user and group directives to drop privileges.<br />
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
.<br />
user nobody<br />
group nobody<br />
.<br />
.<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/bugs.crt<br />
key /etc/openvpn/bugs.key<br />
.<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
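The two configuration files above, together with the ta.key step earlier, have a few things that must agree with each other: the tls-auth key direction has to be 0 on the server and 1 on the client, both sides should drop privileges, and every file named in a config must be readable under the path given. The following script is an added example, not part of this page: a pre-flight check that reads a server/client pair and reports each of these problems. It needs only sh, awk and sed; make_demo_configs writes a sample pair modelled on the article (with a temporary directory in place of /etc/openvpn and empty files in place of the real key material) so that it can be run offline.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page: pre-flight check of the server and
# client configuration files for the points made above (tls-auth key direction,
# privilege drop, referenced files). Needs only sh, awk and sed. The sample
# files written by make_demo_configs are constructed for this demo; the
# directive names are standard OpenVPN 2.x directives.
set -u

# directive_args FILE NAME: arguments of the first active NAME line, if any.
# Comment lines start with ';' or '#', so their first field never equals NAME.
directive_args() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# has_directive FILE NAME: succeeds if an active NAME line exists.
has_directive() {
    awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }' "$1"
}

# tls_auth_direction FILE: "0", "1", "bidir" (tls-auth given without a
# direction, so one HMAC key is used both ways) or "none" (no tls-auth).
tls_auth_direction() {
    args=$(directive_args "$1" tls-auth)
    [ -n "$args" ] || { echo none; return; }
    set -- $args
    if [ $# -ge 2 ]; then echo "$2"; else echo bidir; fi
}

# check_pair SERVER_CONF CLIENT_CONF: one line per problem, returns 1 if any.
check_pair() {
    srv=$1; cli=$2; rc=0

    # The direction splits ta.key into two HMAC keys: with 0 on the server and
    # 1 on the client each side authenticates with the key the other verifies.
    # The same value on both ends makes every handshake packet fail the check.
    sdir=$(tls_auth_direction "$srv"); cdir=$(tls_auth_direction "$cli")
    if [ "$sdir" = none ] || [ "$cdir" = none ]; then
        echo "tls-auth: missing (server=$sdir client=$cdir)"; rc=1
    elif [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "tls-auth: need 0 on the server and 1 on the client (server=$sdir client=$cdir)"; rc=1
    fi

    for f in "$srv" "$cli"; do
        # Without user and group the daemon keeps root for its whole lifetime.
        if ! has_directive "$f" user || ! has_directive "$f" group; then
            echo "$f: no user/group directive, daemon would keep root"; rc=1
        fi
        # Every file named in the config must be readable. Relative paths are
        # resolved against the working directory, hence the article's absolute ones.
        for d in ca cert key dh tls-auth; do
            set -- $(directive_args "$f" "$d")
            [ $# -eq 0 ] || [ -r "$1" ] || { echo "$f: $d file '$1' not readable"; rc=1; }
        done
    done

    has_directive "$srv" dh     || { echo "$srv: no dh parameters"; rc=1; }
    has_directive "$cli" client || { echo "$cli: no client directive"; rc=1; }
    has_directive "$cli" remote || { echo "$cli: no remote directive"; rc=1; }
    return $rc
}

# make_demo_configs DIR: the article's server/client pair with DIR standing in
# for /etc/openvpn and empty files standing in for the key material.
make_demo_configs() {
    dir=$1
    mkdir -p "$dir"
    for f in ca.crt elmer.crt elmer.key dh2048.pem ta.key bugs.crt bugs.key; do
        : > "$dir/$f"
    done
    cat > "$dir/server.conf" <<EOF
port 1194
dev tun
ca $dir/ca.crt
cert $dir/elmer.crt
key $dir/elmer.key
dh $dir/dh2048.pem
server 10.8.0.0 255.255.255.0
;tls-auth $dir/ta.key 1
tls-auth $dir/ta.key 0
user nobody
group nobody
EOF
    cat > "$dir/client.conf" <<EOF
client
dev tun
remote elmer.acmecorp.org 1194
user nobody
group nobody
ca $dir/ca.crt
cert $dir/bugs.crt
key $dir/bugs.key
tls-auth $dir/ta.key 1
EOF
}
```
<br />
Source the file and run check_pair /etc/openvpn/server.conf /path/to/client.conf (the client file has to be reachable from the server, or run the check where both copies are); an empty output and exit status 0 mean the pair is consistent. The commented-out ";tls-auth ... 1" line in the demo server config is there to show that the parser ignores comments the way OpenVPN does, so a leftover commented line cannot mask the active one.<br />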
<br />
==Testing the OpenVPN configuration==<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. You should see something similar to this:<br />
<br />
{{hc|# openvpn /etc/openvpn/server.conf|<nowiki><br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]<br />
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1<br />
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened<br />
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2<br />
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:26 2011 GID set to nobody<br />
Wed Dec 28 14:41:26 2011 UID set to nobody<br />
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194<br />
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]<br />
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62<br />
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST<br />
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed<br />
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
</nowiki>}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client.conf|<nowiki><br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]<br />
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]<br />
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]<br />
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'<br />
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'<br />
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay<br />
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]<br />
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194<br />
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER<br />
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key<br />
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication<br />
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA<br />
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194<br />
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)<br />
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified<br />
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified<br />
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64<br />
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened<br />
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
</nowiki>}}<br />
<br />
On the server, find the IP assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0</nowiki>}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|<nowiki><br />
.<br />
.<br />
.<br />
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}<br />
<br />
And the client side has been given the IP 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping 10.8.0.6|<nowiki><br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
^C<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
</nowiki>}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping 10.8.0.1|<nowiki><br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
^C<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
</nowiki>}}<br />
<br />
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.<br />
<br />
==Starting OpenVPN==<br />
<br />
To start OpenVPN manually run:<br />
<br />
{{bc|# rc.d start openvpn}}<br />
<br />
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.<br />
<br />
==Advanced OpenVPN configuration==<br />
<br />
===Routing the LAN of the server to a client===<br />
<br />
Prerequisites:<br />
<br />
* The server (elmer) is on a LAN using the [[Wikipedia:Private_network#Private_IPv4_address_spaces|private class C network range]] 10.66.0.0/24.<br />
* The server's LAN network interface is called eth0.<br />
* The client (bugs) is assigned an IP address out of the address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):<br />
{{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}<br />
<br />
As the kernel will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To temporarily enable without rebooting do: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
<!--'Investigate if scripts hooked into openvpn can do this, http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR'--><br />
The server does not need to be put into [[Wikipedia:Promiscuous_mode|promiscuous mode]] for this. Once forwarding is enabled, the kernel accepts every frame sent to the MAC address of eth0, whatever the destination IP, and forwards it according to its routing table; promiscuous mode only makes the card pass frames addressed to other MACs up to the kernel, which routing does not require. What does matter is that the hosts (or the gateway) on the server's LAN send packets for 10.8.0.0/24 back to the server, see the note below.<br />
<br />
To inform the client about the available subnet, add a push directive to the server configuration file:<br />
<br />
{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:<br />
* Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.<br />
* Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
<br />
<!--'Add information on how to route several lans to the client'--><br />
<br />
===Routing the LAN of a client to the server===<br />
<br />
Prerequisites:<br />
<br />
* You must make sure that any subnets used on the client side (bugs) are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the client's LAN.<br />
* The client's LAN network interface is called eth0.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server must not use the duplicate-cn directive in its configuration file.<br />
<br />
As the client's kernel will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable IPv4 packet forwarding. This takes effect at the next boot.<br />
{{hc|/etc/sysctl.conf|<nowiki><br />
# Enable packet forwarding<br />
net.ipv4.ip_forward=1<br />
</nowiki>}}<br />
<br />
To temporarily enable without rebooting do: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}<br />
<br />
The client does not need to be put into [[Wikipedia:Promiscuous_mode|promiscuous mode]] either: once forwarding is enabled, the kernel forwards any frame sent to the MAC address of eth0 regardless of the destination IP. What does matter is that the hosts (or the gateway) on the client's LAN send packets for the server side back to the client, see the note below.<br />
<br />
You must now create a client configuration directory on the server (elmer) and enable it by adding the directive client-config-dir /etc/openvpn/ccd to /etc/openvpn/server.conf. When a client connects, the server process looks in this directory for a file named after the Common Name of the client's certificate and applies the directives in that file to the client.<br />
<br />
{{bc|# mkdir -p /etc/openvpn/ccd}}<br />
<br />
Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0. This tells the server that the 192.168.4.0/24 subnet is reachable through the client (bugs):<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This makes the server add a kernel route sending 192.168.4.0/24 into the tun device, so that packets for that subnet reach the OpenVPN process at all; the iroute then tells OpenVPN which connected client to hand them to. Both are needed:<br />
<br />
{{hc|/etc/openvpn/server.conf|route 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|If the client (bugs) is not the default LAN gateway on the client side, you will need to do one of the following:<br />
* Add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address.<br />
* Add a static route to each host on the client side LAN that you want to be able to respond to the server.<br />
* Use the iptables NAT feature to masquerade the IP packets.<br />
}}<br />
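Forgetting one half of the route/iroute pair, or leaving duplicate-cn enabled, fails silently: the client connects but its LAN is unreachable. The following script is an added example and is not part of this page: it reads server.conf, finds the client-config-dir, and lists every iroute in the ccd files that has no matching route directive, and it flags duplicate-cn. Only sh and awk are needed. The make_demo_site function writes a small server.conf and two ccd files (bugs from the article, and a made-up second client daffy whose route is missing) so the check can be run offline. One assumption: a relative client-config-dir is resolved here against the directory of the config file, whereas OpenVPN resolves it against its own working directory, so use an absolute path in the real file.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page: checks that every subnet a client
# announces with iroute in the client-config-dir also has the matching route
# directive in server.conf (both are needed, as explained above) and that
# duplicate-cn is not set. Needs only sh and awk. The server.conf and ccd/
# files written by make_demo_site are constructed for this demo. A relative
# client-config-dir is taken relative to the config file's directory here,
# which is an assumption: OpenVPN resolves it against its working directory,
# so prefer an absolute path in the real file.
set -u

# ccd_dir SERVER_CONF: the client-config-dir, or failure if it is not set.
ccd_dir() {
    d=$(awk '$1 == "client-config-dir" { print $2; exit }' "$1")
    [ -n "$d" ] || return 1
    case $d in
        /*) echo "$d" ;;
        *)  echo "$(dirname "$1")/$d" ;;
    esac
}

# iroutes CCD_DIR: one "network netmask client" line per iroute found in the
# per-client files (the file name is the client's certificate Common Name).
iroutes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v c="$(basename "$f")" '$1 == "iroute" { print $2, $3, c }' "$f"
    done
}

# missing_routes SERVER_CONF: print every iroute that has no "route network
# netmask" counterpart in the server config. Returns 1 if any is missing.
missing_routes() {
    conf=$1
    ccd=$(ccd_dir "$conf") || { echo "no client-config-dir in $conf"; return 1; }
    missing=$(iroutes "$ccd" | while read -r net mask client; do
        awk -v n="$net" -v m="$mask" \
            '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit !f }' "$conf" \
            || echo "$net $mask $client"
    done)
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# check_site SERVER_CONF: all checks for a site-to-site setup; returns 1 on any
# problem. A missing route means the kernel never hands packets for the
# client's LAN to the OpenVPN process; duplicate-cn makes the ccd/<cn> lookup
# (and therefore the iroute) apply to several clients at once.
check_site() {
    conf=$1; rc=0
    if awk '$1 == "duplicate-cn" { f = 1 } END { exit !f }' "$conf"; then
        echo "duplicate-cn is set; ccd files cannot be tied to one client"; rc=1
    fi
    missing_routes "$conf" || rc=1
    return $rc
}

# make_demo_site DIR: server.conf plus two ccd files; bugs is fully set up,
# daffy's iroute has no matching route.
make_demo_site() {
    dir=$1
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.4.0 255.255.255.0
;duplicate-cn
EOF
    echo "iroute 192.168.4.0 255.255.255.0" > "$dir/ccd/bugs"
    echo "iroute 192.168.5.0 255.255.255.0" > "$dir/ccd/daffy"
}

if [ "${0##*/}" = "check_site.sh" ]; then
    tmp=$(mktemp -d)
    make_demo_site "$tmp"
    check_site "$tmp/server.conf" || echo "(expected: daffy's subnet has no route)"
    rm -rf "$tmp"
fi
```
<br />
On a real server, source the file and run check_site /etc/openvpn/server.conf; each line of output is a "network netmask client" triple whose route directive is missing. The check only compares the textual network and netmask, so write both directives with the same dotted-quad mask rather than mixing 255.255.255.0 and /24 notation.<br />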
<br />
<!--'Add information on how to route several LANs to the server side'--><br />
<!--'<br />
===Pushing DHCP options to clients===<br />
<br />
===Configuring client-specific rules and access policies===<br />
<br />
===Routing all client traffic through the server===<br />
<br />
===Running an OpenVPN server on a dynamic IP address===<br />
<br />
===Implementing a load-balancing/failover configuration===<br />
<br />
===Locking down security===<br />
<br />
====Security through obfuscation====<br />
<br />
====Port knocking====<br />
<br />
====Running in unprivileged mode====<br />
<br />
====Running in a chroot jail====<br />
<br />
====Larger RSA keys====<br />
probably better to use blowfish...<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/server.conf|<br />
;cipher BF-CBC # Blowfish (default)<br />
;cipher AES-128-CBC # AES<br />
;cipher DES-EDE3-CBC # Triple-DES<br />
cipher AES-256-CBC<br />
}}<br />
<br />
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:<br />
{{hc|/etc/openvpn/client.conf|<br />
;cipher x<br />
cipher AES-256-CBC<br />
}}<br />
<br />
===Revoking certificates===<br />
<br />
==Configuring iptables for use with OpenVPN==<br />
<br />
Add a rule for the tun devices on both the server and the client.<br />
{{Note|That the order of the rules is important. See [[iptables]] for more information}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -i tun+ -j ACCEPT}}<br />
<br />
Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.<br />
{{hc|/etc/iptables/iptables.rules|-A INPUT -p udp --dport 1194 -j ACCEPT}}<br />
<br />
If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A FORWARD -s 10.8.0.0/24 -j ACCEPT<br />
-A FORWARD -j REJECT<br />
}}<br />
<br />
'--><br />
<br />
<br />
==Deprecated older wiki content==<br />
<br />
{{Accuracy}}<br />
<br />
===Using PAM and passwords to authenticate===<br />
{{bc|<br />
port 1194<br />
proto udp<br />
dev tap<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
server 192.168.56.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
;learn-address ./script<br />
client-to-client<br />
;duplicate-cn<br />
keepalive 10 120<br />
;tls-auth ta.key 0<br />
comp-lzo<br />
;max-clients 100<br />
;user nobody<br />
;group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
client-cert-not-required<br />
username-as-common-name<br />
plugin /usr/lib/openvpn/openvpn-auth-pam.so login<br />
}}<br />
<br />
===Using certs to authenticate===<br />
{{bc|<br />
port 1194<br />
proto tcp<br />
dev tun0<br />
<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh2048.pem<br />
<br />
server 10.8.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
<br />
log-append /var/log/openvpn<br />
status /tmp/vpn.status 10<br />
}}<br />
<br />
===Routing traffic through the server===<br />
<br />
Append the following to your server's openvpn.conf configuration file:<br />
{{bc|<br />
push "dhcp-option DNS 192.168.1.1"<br />
push "redirect-gateway def1"<br />
}}<br />
Change "192.168.1.1" to your external DNS IP address.<br />
<br />
Use an iptables rule to masquerade (NAT) the VPN clients' traffic out through eth0:<br />
{{bc|<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
}}<br />
<br />
If running ArchLinux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:<br />
{{bc|<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)<br />
}}<br />
<br />
If all is well, make the changes permanent:<br />
<br />
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1<br />
<br />
{{bc|<br />
/etc/rc.d/iptables save<br />
}}<br />
<br />
===Setting up the Client===<br />
The clientside .conf file<br />
====With password authentication====<br />
{{bc|<br />
client<br />
dev tap<br />
proto udp<br />
remote <address> 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-tun<br />
comp-lzo<br />
verb 3<br />
auth-user-pass passwd<br />
ca ca.crt<br />
}}<br />
<br />
The passwd file (referenced by auth-user-pass) must contain two lines:<br />
* first line: username<br />
* second line: password<br />
Because it holds the password in clear text, make it readable by root only (chmod 600).<br />
<br />
====Certs authentication====<br />
{{bc|<br />
client<br />
remote <MYSERVER> 1194<br />
dev tun0<br />
proto tcp<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
verb 2<br />
ca ca.crt<br />
cert client1.crt<br />
key client1.key<br />
comp-lzo<br />
}}<br />
Copy three files from the server to the remote computer:<br />
* ca.crt<br />
* client1.crt<br />
* client1.key<br />
<br />
Install the tunnel/tap module:<br />
{{bc|<br />
# modprobe tun<br />
}}<br />
<br />
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf<br />
<br />
====DNS====<br />
The DNS servers used by the system are defined in '''/etc/resolv.conf'''. Traditionally, this file is the responsibility of whichever program connects the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
#<br />
# Parses DHCP options from openvpn to update resolv.conf<br />
# To use, set it as 'up' and 'down' script in your openvpn *.conf<br />
# (script-security 2 is required for openvpn to run it):<br />
# up /usr/share/openvpn/update-resolv-conf<br />
# down /usr/share/openvpn/update-resolv-conf<br />
#<br />
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk><br />
# and Chris Hanson<br />
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.<br />
#<br />
# 05/2006 chlauber@bnc.ch<br />
#<br />
# Example envs set from openvpn:<br />
# foreign_option_1='dhcp-option DNS 193.43.27.132'<br />
# foreign_option_2='dhcp-option DNS 193.43.27.133'<br />
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'<br />
<br />
[ -x /usr/sbin/resolvconf ] || exit 0<br />
<br />
case $script_type in<br />
<br />
up)<br />
for optionname in ${!foreign_option_*} ; do<br />
option="${!optionname}"<br />
echo $option<br />
part1=$(echo "$option" | cut -d " " -f 1)<br />
if [ "$part1" == "dhcp-option" ] ; then<br />
part2=$(echo "$option" | cut -d " " -f 2)<br />
part3=$(echo "$option" | cut -d " " -f 3)<br />
if [ "$part2" == "DNS" ] ; then<br />
IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"<br />
fi<br />
if [ "$part2" == "DOMAIN" ] ; then<br />
IF_DNS_SEARCH="$part3"<br />
fi<br />
fi<br />
done<br />
R=""<br />
if [ "$IF_DNS_SEARCH" ] ; then<br />
R="${R}search $IF_DNS_SEARCH<br />
"<br />
fi<br />
for NS in $IF_DNS_NAMESERVERS ; do<br />
R="${R}nameserver $NS<br />
"<br />
done<br />
echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"<br />
;;<br />
down)<br />
/usr/sbin/resolvconf -d "${dev}.inet"<br />
;;<br />
esac<br />
</nowiki>}}<br />
<br />
Remember to make the file executable with:<br />
{{bc|# chmod +x /usr/share/openvpn/update-resolv-conf}}<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
{{bc|<br />
script-security 2<br />
up /usr/share/openvpn/update-resolv-conf<br />
down /usr/share/openvpn/update-resolv-conf<br />
}}<br />
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
<br />
===Connecting to the Server===<br />
You need to start the service on the server<br />
{{bc|<br />
/etc/rc.d/openvpn start<br />
}}<br />
You can add it to rc.conf to make it permanent.<br />
<br />
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:<br />
{{bc|<br />
cd ~/.openvpn && sudo openvpn vpn1.conf<br />
}}</div>