Difference between revisions of "Talk:OpenVPN"

(Clean up: re)
(Clean up: edit my re)
(One intermediate revision by the same user not shown)

Revision as of 10:21, 6 March 2015

Missing details

There are some things that I think would have been extremely helpful to add in this article, primarily relating to iptables. For example, in Routing_the_LAN_of_a_client_to_the_server it might have been useful to say, "do something like iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.4.4.30" rather than "Use the iptables NAT feature to masquerade the IP packets."

I think more handholding would help this article a lot--it certainly would have helped me figure this out much faster. If no one disagrees, I'd like to add several sections on appropriate iptables rules to add. Buhman 17:11, 9 April 2012 (EDT)

No objections, all constructive contributions are welcome, just remember that an article shouldn't be just a list of instructions: "handholding" is fine as long as it also explains why something needs to be done, so in your example above the existent sentence should be kept and your iptables line should be presented just as an example. -- Kynikos 08:46, 10 April 2012 (EDT)

To be honest, I think this article, the way it is now, uses way too much handholding. (I liked it more the way it was [1]). It has things like: "Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank)", instead of just "Edit /root/easy-rsa/vars according to your preferences".

Maybe the solution could be the path Beginners' Guide and Installation Guide took: one super handholding-type guide, and the other as a checklist-type guide... hmm, maybe I'll write such an article. Chrisl (talk) 18:48, 16 August 2012 (UTC)

I have some time to work on this again (vacation), hopefully I'll get at least some more stuff done. If someone wants to add iptables instructions please go ahead. There is some preliminary stuff that Kynikos uncovered :) Too much, too little handholding, it's hard to say, and it looks like opinions differ. Maybe let me be verbose and then try to tighten it up and remove unwanted verbosity? jhernberg 21:50, 16 August 2012 (UTC)

In any case, the article still needs a lot more information about the various ways that openvpn can be configured, and any help would be very much appreciated...:) jhernberg 21:55, 16 August 2012 (UTC)

Well, I have created the checklist-type article, it is here: OpenVPN Checklist Guide. Right now, it has lots of things of the old openvpn article, but shorter. The idea is that it has links like "click here to see more details" pointing to the section of a full article explaining something, to avoid repetition. I must add that I think this way is more KISS. Chrisl (talk) 04:55, 17 August 2012 (UTC)

Personally and at the moment I don't have much time nor interest in updating this article. But I also think it could really benefit from having sections written on IPv6, L2 bridging and possibly a related article describing how to use iptables and other firewall software with VPN. I really hope that someone can step up to the plate and write the missing sections and to correct whatever I got wrong! Jhernberg (talk) 14:33, 14 June 2014 (UTC)

Link to upstream document instead of duplicating

This page is already a little long. OpenVPN has lots of good documents here. It is better to give some entry point and link to the upstream document instead of duplicating info here. After all, it is Arch Wiki, not OpenVPN wiki. -- Fengchao (talk) 03:38, 17 August 2012 (UTC)

L2 ethernet bridging

I was going to add this information today, but realized that there have been so many changes in the init system, and that network configuration has gotten a lot more complex. I need to figure out what set of scripts to use to create the bridge interface, at the moment I'm inclined to go with the netcfg scripts. Any opinions? -- Jhernberg (talk) 16:40, 24 August 2012 (UTC)

IPv6

If someone could add this section, it would be very much appreciated. Jhernberg (talk) 01:05, 28 June 2014 (UTC)

Firewalls?

Firewalls imo are really out of scope and would make the article even longer. Any opinions on what and how much to add? Maybe something simple like these iptables rules:

-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT

But then how much of a disclaimer would one write as someone could compromise the entire corporate security plan with an insecure nat translating VPN...

-- Jhernberg (talk) 21:58, 28 August 2012 (UTC)

Using resolvconf with user nobody

If

user nobody

is used in the client's config, the update-resolv-conf on down fails, because it is executed as nobody.

openvpn-down-root.so could be used as a workaround:

plugin /usr/lib/openvpn/openvpn-down-root.so "script_type=down /usr/share/openvpn/update-resolv-conf"
-- DarkForce (talk) 01:35, 29 November 2012 (UTC)
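
A small lint for the failure described in the post above, as an added example that is not part of the original discussion or of OpenVPN itself: it flags a client config that drops privileges with `user` while still running a `down` script without the down-root plugin. The function names and both sample configs are constructed for illustration, and the check assumes the plugin can be recognised by "down-root" in its path.

```python
import shlex

def parse_directives(config_text):
    """Return (directive, [args]) pairs, skipping '#' and ';' comment lines."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # keeps quoted plugin args together
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives

def check_down_privileges(config_text):
    """List down scripts that would run unprivileged after the 'user' drop."""
    directives = parse_directives(config_text)
    drop_user = next((a[0] for d, a in directives if d == "user" and a), None)
    down_cmds = [" ".join(a) for d, a in directives if d == "down" and a]
    has_down_root = any(
        d == "plugin" and a and "down-root" in a[0] for d, a in directives
    )
    if drop_user in (None, "root") or has_down_root:
        return []
    return [
        f"'down {cmd}' runs as '{drop_user}' and cannot undo changes made as root; "
        "move it to the down-root plugin"
        for cmd in down_cmds
    ]

# Constructed sample: privileges dropped, down script left as a plain directive.
BROKEN = """
client
dev tun
remote vpn.example.org 1194
user nobody
group nobody
script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf
"""

# Constructed sample: same config with the workaround line from the post above.
FIXED = BROKEN.replace(
    "down /usr/share/openvpn/update-resolv-conf",
    'plugin /usr/lib/openvpn/openvpn-down-root.so '
    '"script_type=down /usr/share/openvpn/update-resolv-conf"',
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_down_privileges(cfg) or "ok")
```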

Connecting to vpn server from Android

I recommend using OpenVPN for Android by Arne Schwabe, which gives a lot of detail that can help troubleshooting. The ovpn file with embedded keys & certificates needs to be used; see a proper example in the link below. The reduced privileges won't work on Android and also "key-direction 1" should be added. Server side configs are the same as in the wiki. http://dl.dropbox.com/u/6902100/archlinux/openvpn/client-empty.ovpn --Dhead (talk) 22:51, 5 March 2013 (UTC)

Clean up

There's a big section of deprecated content at the end of the article that I think should be removed. I think the section on routing all traffic, which I have been working on, can be added to the main article. The section on Configuring LDAP authorization should be removed, since there is nothing in it (or moved to the talk page). Then we can remove the huge "Contributions that do not yet fit into the main article". Thoughts? Rdeckard (talk) 15:30, 4 March 2015 (UTC)

Actually I went ahead and did some cleanup, especially getting rid of that "Contributions that do not yet fit into the main article". I'll be doing some more probably. I'm not changing content, just clarifying, updating things. Let me know your thoughts. Rdeckard (talk) 16:12, 4 March 2015 (UTC)

I can't say whether the removed content could be still useful or not, I'm just linking the two relevant edits here: Special:Diff/363906/next and Special:Diff/363907/next. — Kynikos (talk) 10:49, 5 March 2015 (UTC)

Well, some of the removed deprecated content contained more example config for setting up a client-side. I would assume most visitors of this article rather need a client setup only and for this readership the current content structure may be confusing. Nonetheless the now removed part was too elaborate and duplicated the new sections indeed. Your cleanup push is appreciated Rdeckard. Maybe we can figure out a way to make the current client setup content (in OpenVPN#Connect to a VPN provided by a third party) more accessible by expanding (& crosslinking) it just a little to make it more comprehensive. For example, one typical client-side issue is DNS/resolv.conf handling (the removed part had hints for it). (edit: I missed that Masterkorp already saw this point and re-added it with [2]). What do you think? --Indigo (talk) 10:14, 6 March 2015 (UTC)