Linux/OpenVPN: Difference between revisions
→Android
Thomas (talk | contribs)
(9 intermediate revisions by the same user not shown)
Line 12:
username-as-common-name
Add this line for TLS authentication (the client then also has to import '''ta.key''' and use key direction '''1'''). With tls-auth every control-channel packet carries an HMAC computed with that key, and packets without a valid HMAC are dropped before the TLS handshake even starts, which keeps port scanners and unauthenticated clients away from the TLS stack. ta.key is a shared secret: copy it to clients over a trusted channel only.
tls-auth ta.key 0
Check the necessary kernel options (they can be built as '''M'''odules):
CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_CONNTRACK is the name used by old 2.6 kernels; on current kernels the option is CONFIG_NF_CONNTRACK, and the MASQUERADE rule below additionally needs CONFIG_NF_NAT and the MASQUERADE target module.
Line 34:
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
This rule only rewrites the source address of VPN packets leaving eth0; the kernel must also forward them (net.ipv4.ip_forward=1), and if your FORWARD chain policy is DROP, traffic between tun0 and eth0 has to be allowed there as well. To verify, list the NAT rules:
iptables -t nat -v -L -n --line-numbers
Open port '''12112 UDP''' on your router.
Start OpenVPN:
/etc/init.d/openvpn start
If everything works, add OpenVPN to the default runlevel so that it starts during boot:
rc-update add openvpn
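The server steps above (tls-auth key and key direction, kernel options, NAT rule and its verification) as one pre-flight script. This is an added example written for this page, not the wiki's own; the kernel config path, the 10.100.0.0/24 subnet, eth0 and the config file paths are assumptions taken from the lines above, and the client config name is invented.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the OpenVPN
# server setup above. Paths, subnet and interface are assumptions.

# Read a kernel config, transparently decompressing /proc/config.gz.
read_kconfig() {  # usage: read_kconfig FILE
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Succeed if OPTION is built in (=y) or as a module (=m) in kernel config FILE.
kernel_opt_enabled() {  # usage: kernel_opt_enabled FILE OPTION
    read_kconfig "$1" | grep -Eq "^$2=(y|m)\$"
}

# Print the tls-auth key direction ("0", "1", or empty when none is set)
# from an OpenVPN config file.
tls_auth_direction() {  # usage: tls_auth_direction CONF
    awk '$1 == "tls-auth" && NF >= 3 { d = $3 }
         $1 == "key-direction"       { d = $2 }
         END { print d }' "$1"
}

# Direction 0 on the server must pair with 1 on the client (or vice versa);
# with no direction on either side the key is used bidirectionally. Any
# other combination makes the HMAC check fail and the server silently drops
# every packet from that client.
tls_auth_pair_ok() {  # usage: tls_auth_pair_ok SERVER_CONF CLIENT_CONF
    case "$(tls_auth_direction "$1"):$(tls_auth_direction "$2")" in
        0:1|1:0|:) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run on the server as root, e.g.:
#   sh check-openvpn-server.sh /proc/config.gz /etc/openvpn/openvpn.conf client.conf
# (client.conf is the client config you are about to hand out.)
if [ "$#" -eq 3 ]; then
    kconfig=$1; server_conf=$2; client_conf=$3
    for opt in CONFIG_TUN CONFIG_NF_CONNTRACK CONFIG_NF_NAT; do
        kernel_opt_enabled "$kconfig" "$opt" || echo "missing kernel option: $opt" >&2
    done

    # Create the tls-auth key once (OpenVPN 2.5+ syntax; 2.4 uses
    # "--genkey --secret"). It is a shared secret: keep it 0600 and copy it
    # to clients only over a trusted channel.
    if [ ! -f /etc/openvpn/ta.key ]; then
        (umask 077 && openvpn --genkey secret /etc/openvpn/ta.key)
    fi

    tls_auth_pair_ok "$server_conf" "$client_conf" \
        || echo "tls-auth key-direction mismatch between server and client config" >&2

    # Idempotent NAT rule: -C checks for an existing rule, so re-running this
    # at boot does not stack duplicate MASQUERADE entries.
    subnet=10.100.0.0/24; iface=eth0
    iptables -t nat -C POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    iptables -t nat -v -L POSTROUTING -n --line-numbers
fi
```

The direction check is the part worth keeping around: a client whose ta.key line says 0 while the server also says 0 produces no error on the client beyond a TLS handshake timeout, because the server drops the packets before logging anything useful at the default verbosity.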
Line 48:
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.
Import the client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''.
Disable '''LZO Compression''' if you disabled it on the server because of simple ChromeOS clients.
If you want to use '''TLS Authentication''', then also import '''ta.key''' and choose TLS direction '''1''' (the server uses direction 0; with the same direction on both ends the HMAC check fails and the server silently drops the client's packets).
= ChromeOS =
== Simple ==
Restrictions of the simple method:
* no compression
* no tls-auth
* only UDP
On the Linux server:
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
The .p12 bundles the client's private key, so set a non-empty export password when prompted, transfer the file over a trusted channel and delete the copy on the server afterwards.
* import '''ca.crt''' and '''client1.p12''' at '''chrome://settings/certificates''' and then use the OpenVPN connection wizard of ChromeOS.
* disable '''comp-lzo''' and '''tls-auth''' and use '''proto udp''' in '''/etc/openvpn/openvpn.conf''' and restart OpenVPN. Note that tls-auth is a server-wide setting: disabling it removes the control-channel HMAC protection for every client, and all other clients must drop their tls-auth line as well, or they can no longer connect.
* use '''servername:12112''' in ChromeOS OpenVPN connection settings
Source: https://www.errietta.me/blog/openvpn-chromebook/
== Advanced == | |||
For the advanced configuration you also have to import the certificates, and then you have to create a '''.onc''' config file and import it at '''chrome://net-internals/#chromeos''' (on newer ChromeOS versions the "Import ONC file" button is at '''chrome://network''').
The advanced configuration is necessary for LZO compression, TLS authentication or the TCP protocol.
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub.
Note: If you want to import multiple config files for multiple connections, the GUIDs (UUIDs) in the files must be unique, including the GUIDs of the embedded certificates.
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/ | |||
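A generator for the '''.onc''' file described above, built from the '''client1.p12''' created in the Simple section plus '''ca.crt''' and '''ta.key'''. This is an added example written for this page, not code from the wiki or the linked tutorials; the ONC field names follow the Chromium ONC specification (with the certificate bodies base64-encoded as in the linked posts), and the host name, port and file paths are assumptions. It fixes key direction 1 and enables remote-cert-tls server verification, which the GUI wizard does not expose.

```shell
#!/bin/sh
# Added example (not from the wiki page): build an .onc file for the advanced
# ChromeOS OpenVPN setup. Host, port and paths are assumptions.

# Fresh GUID for each object; every GUID in every imported .onc must be unique.
new_guid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        uuidgen
    fi
}

# Base64 without line breaks (portable across GNU and BSD base64).
b64() { base64 "$1" | tr -d '\n'; }

# Body of a PEM certificate without the BEGIN/END lines.
pem_body() { sed -n '/-----BEGIN/,/-----END/p' "$1" | grep -v -- '-----' | tr -d '\n\r'; }

# A multi-line file as one JSON string value. ta.key contains only hex,
# '#' comment lines and dashes, so escaping the newlines is all that is needed.
json_lines() { awk '{ printf "%s\\n", $0 }' "$1"; }

# usage: make_onc CA_CRT CLIENT_P12 TA_KEY HOST PORT PROTO [COMPLZO]
# Prints the .onc document to stdout.
make_onc() {
    ca_guid=$(new_guid); client_guid=$(new_guid); net_guid=$(new_guid)
    complzo=${7:-false}     # "true" only if the server keeps comp-lzo
    cat <<EOF
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    { "GUID": "{$ca_guid}", "Type": "Authority", "X509": "$(pem_body "$1")" },
    { "GUID": "{$client_guid}", "Type": "Client", "PKCS12": "$(b64 "$2")" }
  ],
  "NetworkConfigurations": [
    {
      "GUID": "{$net_guid}",
      "Name": "OpenVPN $4",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "$4",
        "OpenVPN": {
          "Port": $5,
          "Proto": "$6",
          "ServerCARefs": [ "{$ca_guid}" ],
          "ClientCertType": "Ref",
          "ClientCertRef": "{$client_guid}",
          "UserAuthenticationType": "Password",
          "SaveCredentials": true,
          "CompLZO": "$complzo",
          "TLSAuthContents": "$(json_lines "$3")",
          "KeyDirection": "1",
          "RemoteCertTLS": "server"
        }
      }
    }
  ]
}
EOF
}

# Example invocation (host name and port are assumptions):
#   make_onc pki/ca.crt client1.p12 ta.key vpn.example.org 12112 udp > client1.onc
# The .onc embeds the client's private key (inside the PKCS#12, protected only
# by its export password) and the tls-auth secret, so delete it after import.
if [ "$#" -ge 6 ]; then
    make_onc "$@"
fi
```

Use "tcp" as the PROTO argument for the hotspot case below, and pass "true" as the seventh argument only while the server still has comp-lzo enabled; a mismatch there shows up as a connection that authenticates and then passes no traffic. Because every run draws three fresh GUIDs, a second file generated for another server never collides with the first one on import.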
= WiFi Hotspots =
Some hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP''' ('''proto tcp''' on both ends; the server treats it as tcp-server and the client as tcp-client). Expect lower throughput, since TCP inside TCP retransmits at both layers, and remember that every client config has to change along with the server; running a second, TCP-only instance next to the UDP one (see below) avoids that.
= Multiple OpenVPN servers on one machine (Gentoo) =