Linux/OpenVPN: Unterschied zwischen den Versionen
→Android
Thomas (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
Thomas (Diskussion | Beiträge) |
||
| (15 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
=Setup for an OpenVPN server which | =Setup for an OpenVPN server which handles ALL traffic= | ||
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN | First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN | ||
| Zeile 12: | Zeile 12: | ||
username-as-common-name | username-as-common-name | ||
Check the necessary kernel options (can be set as M): | Add this line for TLS Authentication (the client then also has to import '''ta.key''' and use direction '''1'''): | ||
tls-auth ta.key 0 | |||
Check the necessary kernel options (can be set as '''M'''odul): | |||
CONFIG_TUN | CONFIG_TUN | ||
CONFIG_IP_NF_CONNTRACK | CONFIG_IP_NF_CONNTRACK | ||
| Zeile 27: | Zeile 30: | ||
echo 1 > /proc/sys/net/ipv4/ip_forward | echo 1 > /proc/sys/net/ipv4/ip_forward | ||
Activate IP forwarding (necessary after each reboot, so put it for example in '''/etc/local.d/baselayout1.start'''): | Activate IP forwarding/routing (necessary after each reboot, so put it for example in '''/etc/local.d/baselayout1.start'''): | ||
modprobe iptable_nat # if compiled as module | modprobe iptable_nat # if compiled as module | ||
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | ||
Open port 12112 UDP on your router. | For verifying, list nat rules: | ||
iptables -t nat -v -L -n --line-number | |||
Open port '''12112 UDP''' on your router. | |||
Start OpenVPN: | Start OpenVPN: | ||
/etc/init.d/openvpn start | /etc/init.d/openvpn start | ||
If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | ||
rc-update add openvpn | rc-update add openvpn | ||
| Zeile 42: | Zeile 48: | ||
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | ||
Import client openvpn.conf. Enable | Import client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''. | ||
Disable '''LZO Compression''', if you disabled it on the server because of simple ChromeOS clients. | |||
If you want to use '''TLA Authentication''' then import also '''ta.key''' and choose TLS direction '''1'''. | |||
= ChromeOS = | = ChromeOS = | ||
== Simple == | |||
Restrictions of simple method: | |||
* no compression | |||
* no tlsauth | |||
* only UDP | |||
On the Linux server: | |||
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12 | |||
* import '''ca.crt''' and '''client1.p12''' at '''chrome://settings/certificates''' and then use the OpenVPN connection wizard of ChromeOS. | |||
* disable '''comp-lzo''' and '''tlsauth''' and use '''proto udp''' in '''/etc/openvpn/openvpn.conf''' and restart OpenVPN | |||
* use '''servername:12112''' in ChromeOS OpenVPN connection settings | |||
Source: https://www.errietta.me/blog/openvpn-chromebook/ | Source: https://www.errietta.me/blog/openvpn-chromebook/ | ||
== Advanced == | |||
For advanced configuration, you also have to import the certificates and then you have to create a '''.onc''' config file and import it at '''chrome://net-internals/#chromeos'''. | |||
Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol. | |||
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub. | |||
Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique. | |||
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/ | |||
= WiFi Hotspots = | = WiFi Hotspots = | ||
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP. | Some Hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP'''. | ||
= Multiple OpenVPN servers on one machine (Gentoo) = | = Multiple OpenVPN servers on one machine (Gentoo) = | ||