Comments
@GM2015
Yes, you need to allow internal networking, but yeah. The servers would just act as clients connected to the central server. Still, my opinion is that there are better options for secure server to server connections than OpenVPN, depending on what you are trying to achieve.
Please note that my script just uses 10.8.0.0/24 by default. There is no problem in using 10.0.0.0/8 if you prefer.
TL;DR: it can be done, but I wouldn't use OpenVPN for server to server connections.
Can you tell me please what you're thinking of or would recommend?
Depends on what you are trying to accomplish. Just for secure file transfers, rsync is a great and very reliable option. For secure P2P networking between servers, tinc for example is way more efficient and fast than using a central server with OpenVPN.
Lovely script.
Is there an option to add tls-auth static key support to your script?
From what I understand from https://community.openvpn.net/openvpn/wiki/Hardening, it would mitigate against Heartbleed-like vulnerabilities in the future.
I had been using the OpenVPN AS installer (which generates such a ta.key) until today, when I needed something more lightweight (RAM) for an LES 64MB VPS.
No. This was discussed multiple times already:
https://github.com/Nyr/openvpn-install/pull/98
Lovely, I got it working after following the linked-to diffs.
The script works very well. I have a question: how can one profile/VPN account be used by 2 or 3 devices, i.e. more than 1 connection?
This is not recommended, the proper way is to use multiple certificates.
If you still want to, edit
/etc/openvpn/server.conf
and add a new line with the content:
duplicate-cn
Just run the script again and make another profile/certificate.
Would you be able to explain the security upgrades/firewall and subnet changes that were made in this release? I've been comparing the differences with older revisions, and apart from unified configuration files and the use of the new EasyRSA version haven't been able to find them.
Finally... just a small suggestion, would you possibly consider logging output of the install process to a file rather than displaying on screen? There's lots of data there.
Thanks.
IIRC just the switch to
remote-cert-tls
which was the result of using easy-rsa 3. Exception rules are added for both FirewallD and iptables if needed.
Using subnet topology instead of the deprecated net30.
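An added example, not part of this thread or of Nyr's openvpn-install, that checks a server.conf for the points raised in this reply and in the duplicate-cn answer above: remote-cert-tls present, subnet topology instead of net30, a tls-auth or tls-crypt static key, and duplicate-cn not enabled. The config path, the output format, and the assumption that remote-cert-tls is expected in the server config are mine.

```shell
#!/bin/sh
# Added example (not from Nyr's script): audit an OpenVPN server.conf for
# the settings discussed in this thread. Prints one line per finding and
# returns the number of findings (0 means nothing was flagged).

# has_opt FILE DIRECTIVE: true if a non-comment line starts with DIRECTIVE
# (lines commented out with ';' or '#' do not match).
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

audit_openvpn_conf() {
    conf="$1"
    findings=0
    flag() { echo "$conf: $1"; findings=$((findings + 1)); }

    # remote-cert-tls: reject peers whose certificate lacks the expected
    # purpose (the change that came with easy-rsa 3 in the script)
    has_opt "$conf" 'remote-cert-tls' || flag 'missing remote-cert-tls'

    # net30 is deprecated; the script switched to topology subnet
    if grep -Eq '^[[:space:]]*topology[[:space:]]+net30' "$conf"; then
        flag 'uses deprecated topology net30'
    fi

    # tls-auth / tls-crypt: HMAC static key on the control channel,
    # the hardening asked about earlier in the thread
    has_opt "$conf" 'tls-auth' || has_opt "$conf" 'tls-crypt' \
        || flag 'no tls-auth or tls-crypt static key'

    # duplicate-cn lets one certificate serve several clients at once;
    # the thread recommends one certificate per device instead
    has_opt "$conf" 'duplicate-cn' \
        && flag 'duplicate-cn enabled (shared client certificates)'

    return "$findings"
}
```

Run it as `audit_openvpn_conf /etc/openvpn/server.conf`; a non-zero exit status is the count of flagged items, so it drops into a cron or CI check without parsing the output.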
Not sure... I think it helps troubleshooting if something fails... but I'm open to suggestions if others also consider the current approach a bit too much.
By the way: Where exactly does OpenVPN store its log files? I found nothing in /var/log...
syslog
Dang. Always the obvious...
Thanks, @Nyr!
Not sure if you remember, but sometime ago I PM-d you about Openvpn not working on my laptop.
The problem was that the connection was fine, however /etc/resolv.conf / domain name lookups didn't work.
For some reason, my laptop didn't bother to honor the pushdns directive in the certificate.
I didn't change anything from your setup script and the pushdns option was surely in place both on the server and client certificate.
I manually overwrote my /etc/resolv.conf file (so that I had the same settings as on the server's openvpn settings) and everything worked fine.
On windows, there's no issue at all with dns settings.
Looks like a client side issue, so nothing I could do about it.
I understand. The wifi's managed by network-manager but I don't think it overwrites /etc/resolv.conf every second.
Still, at least I know it's my issue.
Thanks for the script once again.
@GM2015 do you use more than one connection on your laptop? Like ethernet + wifi
The script works fine with iptables, but I have trouble connecting on a VPS with the CSF firewall installed. I have manually added the port and iptables rules, but it failed to connect. Any suggestions to make it work with CSF?
Yes. Wifi (wlan0) has the internet and the ethernet cable (eth0) is connected with a Raspberry Pi 2.
Thanks @nyr. Just a couple more questions/suggestions.
Would you consider changing the default encryption key size to 4096 bits? This would seem to offer more security, and I can't think of any huge downsides. What would your opinion be on this?
Finally... I'm not sure how this could best be added, but would it be possible to offer the option of looking at existing certificates in /etc/openvpn, and if expired re-generating them along with the client config?
Thanks.
No.
I can. See previous issues in GitHub about this if you are interested in a longer explanation.
Certificates last for 10 years by default so I haven't considered this at all.
Do you know if this was a new change made in EasyRSA 3? The default in version 2 was 3650 days (so 5 years).
Do your math again.
Uh... yes, probably a good idea. What just happened there!
I can't find the issue you're referring to, I believe.
Would it be an option to make this configurable?
Some of the previous discussions about this:
https://github.com/Nyr/openvpn-install/issues/23
https://github.com/Nyr/openvpn-install/pull/38
https://github.com/Nyr/openvpn-install/issues/55
This is by far one of the most common questions/requests, but I've decided against it. Back when 1024 bits were the default on some distributions, I forced the DH to be 2048 because 1024 was... legacy, to say the least. But currently 2048 bits are the standard for easy-rsa and I think it is a reasonable balance.
Just so you have an idea, one 2048 DH takes about 3 minutes to generate on a DigitalOcean instance while 4096 did take 20 minutes. Now think about how much it would take for example a Raspberry Pi or kidechire and it's simply unacceptable. This combined with the fact that 2048 bits are the easy-rsa default and is reasonably secure for now is what prompted me to make this call.
Yes, there had been calls to implement both DH length and transport cypher choice, but I think it would get confusing to many users, who would automatically select 8192 bits and AES-256-CBC if available. So at the moment, I'm just respecting the defaults from OpenVPN, which are sane and probably the best for most use cases. The only thing I would maybe implement in the future is a check to use AES-128 instead of Blowfish automatically where AES-NI is available.
how about giving an option to put any nameserver you want?
not just the system ones or from the list provided.
Something to consider, yeah.
I got TLS certificate errors with this. Then I realized my VPS's date-time was incorrect (set in the future). After fixing the time with ntp, the script is working. Good work!