Difference between revisions of "Talk:OpenVPN"

From ArchWiki

(72 intermediate revisions by 18 users not shown)
Sections of the older revision that no longer appear in the latest revision (wikitext as it was in that revision):

== Using openvpn scripts to set promiscuous mode (and ipforwarding)==
To me it appears a bad idea to use scripts to do this, as a server might conceivably have it enabled for other reasons than openvpn. Personally I'd be inclined to have the administrator hard code such changes to the system. If no one objects, I'll remove the accuracy template. Who knows, maybe it could be added to a tips section or as its own entry. -- [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 17:10, 23 August 2012 (UTC)

: Have removed the accuracy template from the main page and put it here. Additional reasons to the above are that upstream has by default disabled scripts for security reasons, and also that the configs in this article drop root privs, again for security reasons.
{{Accuracy|Investigate if scripts hooked into openvpn can do this, http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR}}
:-- [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 15:56, 25 August 2012 (UTC)

==L2 ethernet bridging==
I was going to add this information today, but realized that there have been so many changes in the init system, and that network configuration has gotten a lot more complex. I need to figure out what set of scripts to use to create the bridge interface, at the moment I'm inclined to go with the netcfg scripts. Any opinions? -- [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 16:40, 24 August 2012 (UTC)

==Firewalls?==
Firewalls imo are really out of scope and would make the article even longer. Any opinions on what and how much to add? Maybe something simple like these iptables rules:

 -A INPUT -i tun+ -j ACCEPT
 -A FORWARD -i tun+ -j ACCEPT
 -A FORWARD -i eth+ -j ACCEPT
 -A FORWARD -j REJECT

But then how much of a disclaimer would one write, as someone could compromise the entire corporate security plan with an insecure NAT translating VPN...
: -- [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 21:58, 28 August 2012 (UTC)

==Proposed sections for future expansion of the article==
Removed the stuff I had parked here. At the most it will become a tips and tricks section with links to the official documentation...
: -- [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 22:59, 28 August 2012 (UTC)

==Using resolvconf with user nobody==
If {{bc|1=user nobody}} is used in the client's config, the update-resolv-conf on down fails, because it is executed as nobody.
Using openvpn-down-root.so could be used as a workaround:
{{bc|1=plugin /usr/lib/openvpn/openvpn-down-root.so "script_type=down /usr/share/openvpn/update-resolv-conf"}}
: -- [[User:DarkForce|DarkForce]] ([[User talk:DarkForce|talk]]) 01:35, 29 November 2012 (UTC)

Latest revision as of 18:25, 26 August 2016

Missing details

There are some things that I think would have been extremely helpful to add in this article, primarily relating to iptables. For example, in Routing_the_LAN_of_a_client_to_the_server it might have been useful to say, "do something like iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.4.4.30" rather than "Use the iptables NAT feature to masquerade the IP packets."

I think more handholding would help this article a lot--it certainly would have helped me figure this out much faster. If no one disagrees, I'd like to add several sections on appropriate iptables rules to add. Buhman 17:11, 9 April 2012 (EDT)

No objections, all constructive contributions are welcome, just remember that an article shouldn't be just a list of instructions: "handholding" is fine as long as it also explains why something needs to be done, so in your example above the existent sentence should be kept and your iptables line should be presented just as an example. -- Kynikos 08:46, 10 April 2012 (EDT)
To be honest, I think this article, the way it is now, uses way too much handholding. (I liked it more the way it was [1] ). It has things like: "Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank)", instead of just "Edit /root/easy-rsa/vars according to your preferences"
Maybe the solution could be the path Beginners' Guide and Installation Guide took; One, super handholding-type guide, and the other as a checklist-type guide... hmm, maybe I'll write such article Chrisl (talk) 18:48, 16 August 2012 (UTC)
I have some time to work on this again (vacation), hopefully I'll get at least some more stuff done. If someone wants to add iptables instructions please go ahead. There is some preliminary stuff that Kynikos uncovered :) Too much, too little handholding, it's hard to say, and it looks like opinions differ. Maybe let me be verbose and then try to tighten it up and remove unwanted verbosity? jhernberg 21:50, 16 August 2012 (UTC)

In any case, the article still needs a lot more information about the various ways that openvpn can be configured, and any help would be very much appreciated...:) jhernberg 21:55, 16 August 2012 (UTC)

Well, I have created the checklist-type article, it is here: OpenVPN Checklist Guide. Right now, it has lots of things from the old openvpn article, but shorter. The idea is that it has links like "click here to see more details" pointing to the section of a full article explaining something, to avoid repetition. I must add that I think this way is more KISS. Chrisl (talk) 04:55, 17 August 2012 (UTC)

Personally and at the moment I don't have much time nor interest in updating this article. But I also think it could really benefit from having sections written on IPv6, L2 bridging and possibly a related article describing how to use iptables and other firewall software with VPN. I really hope that someone can step up to the plate and write the missing sections and to correct whatever I got wrong! Jhernberg (talk) 14:33, 14 June 2014 (UTC)

A piece of missing information that I consider particularly useful is the configuration of credentials for the user, so that he/she doesn't have to type them every time the VPN is started. I found out how to do that on an external site, but I'm wondering: is there a reason that information is not in the guide, or can I just happily add it? --Bruno.unna (talk) 10:53, 26 August 2016 (UTC)

Yes, there is a reason: it's an optional feature. The diy server config example in this article does not use --auth-user-pass-verify scripts, so the client must not provide user/pass. Vpn providers like yours use auth directives as a resource efficient method to permit/deny access to their service. --Indigo (talk) 18:02, 26 August 2016 (UTC)
Plus, having a username/password when using the ovpn profiles seems superfluous... after all, we are already using strong keys. I don't see what benefit the username/password provides for security. If anything, it complicates the entire setup. Just my 2 cents Graysky (talk) 18:25, 26 August 2016 (UTC)

Link to upstream document instead of duplicating

This page is already a little long. OpenVPN has lots of good documentation here. It is better to give some entry points and link to the upstream documentation instead of duplicating info here. After all, it is Arch Wiki, not OpenVPN wiki. -- Fengchao (talk) 03:38, 17 August 2012 (UTC)

IPv6

If someone could add this section, it would be very much appreciated. Jhernberg (talk) 01:05, 28 June 2014 (UTC)

Connecting to vpn server from Android

I recommend using OpenVPN for Android by Arne Schwabe which gives a lot of detail that can help troubleshooting. The ovpn file with embedded keys & certificates needs to be used; see a proper example in the link below. The reduced privileges won't work on Android and also "key-direction 1" should be added. Server side configs are the same as in the wiki. http://dl.dropbox.com/u/6902100/archlinux/openvpn/client-empty.ovpn --Dhead (talk) 22:51, 5 March 2013 (UTC)
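The post above describes the profile shape the Android client wants (certificates and keys embedded inline, key-direction 1, no privilege dropping) but the linked example file is external. The script below is an added example, not the wiki's or Dhead's own file: it assembles such a single-file profile from separate PEM files as produced by easy-rsa. The server name vpn.example.com, port 1194 and the file names ca.crt, client.crt, client.key and ta.key are assumptions; the demo at the end uses constructed placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not the wiki's or Dhead's own file: assemble a single .ovpn
# client profile with the CA certificate, client certificate, client key and
# tls-auth key embedded inline, which is what the Android client needs.
# The server name/port and the easy-rsa style file names are assumptions.

# emit_inline TAG FILE: wrap the PEM contents of FILE in <TAG> ... </TAG>.
emit_inline() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_inline_profile REMOTE CA CERT KEY TA_KEY: print the profile to stdout.
make_inline_profile() {
    remote=$1; ca=$2; cert=$3; key=$4; ta=$5
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# tls-auth direction: the server side uses 0, so the client must use 1.
key-direction 1
verb 3
EOF
    # Deliberately no "user nobody" / "group nobody" here: as noted in the
    # thread, dropping privileges does not work in the Android client.
    emit_inline ca "$ca"
    emit_inline cert "$cert"
    emit_inline key "$key"
    emit_inline tls-auth "$ta"
}

# profile_ok FILE: succeed if FILE carries "key-direction 1" and all four
# inline blocks with matching open and close tags, fail otherwise.
profile_ok() {
    grep -q '^key-direction 1$' "$1" || return 1
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$1" || return 1
        grep -q "^</$tag>\$" "$1" || return 1
    done
}

# Demo with constructed placeholder files (not real keys): write them to a
# temporary directory, build the profile there, and verify it.
demo_dir=$(mktemp -d)
for f in ca.crt client.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER $f" \
        '-----END CERTIFICATE-----' > "$demo_dir/$f"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER client.key' \
    '-----END PRIVATE KEY-----' > "$demo_dir/client.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER ta.key' \
    '-----END OpenVPN Static key V1-----' > "$demo_dir/ta.key"
make_inline_profile vpn.example.com "$demo_dir/ca.crt" "$demo_dir/client.crt" \
    "$demo_dir/client.key" "$demo_dir/ta.key" > "$demo_dir/client.ovpn"
profile_ok "$demo_dir/client.ovpn" && echo "profile written to $demo_dir/client.ovpn"
```

The resulting file contains the client's private key in clear text, so treat it like the key itself: transfer it to the phone over a channel you trust and delete intermediate copies. With real easy-rsa output, run make_inline_profile against the files under the keys directory and point the remote at the server's public name.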

IPv4 forwarding

I'd like to suggest adding a section on IP packet forwarding info to this page. If you follow the instructions for setting up forwarding using iptables and ufw only, it still won't work without forwarding packets.

Traditionally, this has been a simple process of:

# sysctl net.ipv4.ip_forward=1

(or editing /etc/sysctl.d/30-ipforward.conf for a more permanent change)

But there is a bug right now where systemd-networkd overrides net.ipv4.ip_forward. This might be good to point out for people trying to setup OpenVPN on Arch.

As of now, someone setting up OpenVPN could only find this out from a small link to enable packet forwarding and then catching the bug note on that page. Setting up OpenVPN was a frustrating experience since this was buried; I was stuck on this for several hours, and finally found the solution.

Thought this might be helpful for others out there. Respectfully, Jr000 (talk) 00:13, 29 May 2015 (UTC)

OpenVPN#Routing_all_client_traffic_through_the_server already says "Now you need to enable packet forwarding on the server.", with a link to Internet_sharing#Enable_packet_forwarding which contains the instructions and the note you mentioned. There is no point in duplicating the instructions, because sooner or later one version would inevitably become outdated/inaccurate. -- Lahwaacz (talk) 09:36, 29 May 2015 (UTC)
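The forwarding thread above and the four iptables rules sketched in the Firewalls thread of the older revision both concern the same server-side setup, so here is one worked example for both. It is added example code, not anything from the wiki page or from OpenVPN: it checks the net.ipv4.ip_forward sysctl and generates an iptables-restore rule set for a routed (tun) server. The interface names tun+ and eth0 and the subnet 10.8.0.0/24 (OpenVPN's default "server" line) are assumptions. It does not address the systemd-networkd override mentioned above; it only reports whether forwarding is currently on.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check the server's IPv4 forwarding
# sysctl and generate an iptables-restore rule set for a routed (tun) OpenVPN
# server. Interface names (tun+, eth0) and the VPN subnet are assumptions
# matching OpenVPN's default "server 10.8.0.0 255.255.255.0".

# ip_forward_enabled [FILE]: succeed if the sysctl reads 1. FILE defaults to
# the live kernel value; passing a path lets the check run without root.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# gen_rules VPN_IF WAN_IF VPN_SUBNET: print a file for "iptables-restore".
# Relative to the four bare rules from the Firewalls thread, traffic from the
# WAN side into the tunnel is limited to replies of existing connections and
# the NAT rule only masquerades the VPN subnet, so nothing on the WAN side can
# open connections to VPN clients through the server.
# Caveat: iptables-restore replaces the *filter and *nat tables wholesale, so
# merge this with an existing rule set instead of applying it blindly.
gen_rules() {
    vpn_if=$1; wan_if=$2; vpn_net=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -o $wan_if -s $vpn_net -j ACCEPT
-A FORWARD -i $wan_if -o $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Demo: print the rule set and report the live forwarding state. Applying it
# is "gen_rules tun+ eth0 10.8.0.0/24 | iptables-restore" as root, after
# "sysctl net.ipv4.ip_forward=1" (or the persistent file under /etc/sysctl.d).
gen_rules tun+ eth0 10.8.0.0/24
if ip_forward_enabled; then
    echo "# net.ipv4.ip_forward is on"
else
    echo "# net.ipv4.ip_forward is off: forwarded VPN packets will be dropped"
fi
```

The FORWARD chain is the part worth reviewing on a real server: with only "-A FORWARD -i eth+ -j ACCEPT" as in the thread's sketch, any host reachable on the WAN side could initiate connections into the VPN subnet once NAT and forwarding are on, which is the "insecure NAT translating VPN" the thread warns about. Restricting the WAN-to-tunnel direction to RELATED,ESTABLISHED keeps the VPN clients one-way reachable.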

OpenVPN in a container

This is a good solution instead of messing around with iptables: https://www.youtube.com/watch?v=7Obl8_dozh0& —This unsigned comment is by Hendry (talk) 03:39, 6 August 2015‎. Please sign your posts with ~~~~!

Nameserver Order

In case VPN provided name servers are appended at the end of /etc/resolv.conf while using networkmanager-openvpn, make sure you don't configure your primary network connection by systemd (using dhcpcd.service for example). It is caused by openresolv configuration option interface_order because one set of nameservers is provided by network interface (for example eth0) and second set of nameservers is provided by NetworkManager interface (yes, that is not a typo, all interfaces configured by NetworkManager are presented to openresolv as one "NetworkManager" interface). You can check which nameservers are provided to openresolv by running

$ resolvconf -l

To solve this issue, either disable systemd interface configuration (systemctl disable dhcpcd for example) or change interface order in /etc/resolvconf.conf (interface_order="lo lo[0-9]* NetworkManager" for example). Kenny (talk) 15:06, 11 March 2016 (UTC)

Interesting point. Yet, it is always difficult to mix different network managers. For a mixed conf not to fail one should probably configure, eg NetworkManager and dhcpcd, to exclude the respective other interface first. Anyhow, as I understand your point, the same ordering issue could arise from any combination of network manager tools, and openvpn is just one application triggering openresolv where it may matter. What do you think about adding your input to Resolv.conf#Using_openresolv instead? It could then be crosslinked better (from OpenVPN#DNS and other articles where it may matter). --Indigo (talk) 19:21, 11 March 2016 (UTC)
If OpenVPN needs some special ordering of the name servers, isn't the script (openvpn-update-resolv-conf, AUR) to blame here? If openresolv does not support ordering, the script should not use it in the first place... -- Lahwaacz (talk) 19:45, 11 March 2016 (UTC)
Well, openresolv supports different types of ordering (resolvconf.conf(5)), which is another reason the issue applies more to resolv.conf#Using_openresolv (ordering for the links). The typical approach for openvpn usually is that the server should (not all do, that would be an openvpn troubleshooting matter) push DNS with a low metric. The metric alone is enough to ensure they are ordered first. --Indigo (talk) 21:17, 11 March 2016 (UTC)