docs:guide-user:services:vpn:openvpn:server.comprehensive

Differences

This shows you the differences between two versions of the page.


docs:guide-user:services:vpn:openvpn:server.comprehensive [2018/08/12 21:35]
— (current)
Line 1: Line 1:
-====== OpenVPN Server (Comprehensive) ====== 
- 
- 
-<WRAP indent> 
-=== Introduction === 
- 
-<WRAP box 25% right lo> 
-**Degree of difficulty:​** Intermediate. This guide assumes you can: 
-  * [[docs:​guide-quick-start:​sshadministration|SSH into your router]] 
-  * Edit files using ''​nano'',​ ''​vi'',​ etc. or [[docs:​guide-quick-start:​sshadministration#​using_winscp|WinSCP GUI editor]] 
-  * Install new packages to the router 
-  * Run commands via command line 
-  * Copy files to/from your router 
-</​WRAP>​ 
- 
-<WRAP box 77em lo> 
-<WRAP half Column> 
-<color #​508CAA>​**VPN Server Purpose**</​color>​ 
-  * Provides an encrypted remote connection via WAN to router & downstream devices\\ \\ 
-  * Gateway Redirect provides encrypted connection for local router interfaces\\ \\ 
- 
-<color #​508CAA>​**SSL VPN Requirements**</​color>​ 
-  * [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​encryption|Encryption]] [Certificates] 
-  * [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​network|Network]] [VPN Interface] 
-  * [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​firewall|Firewall]] [Traffic Rules] 
-  * [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​vpn_server|Server]] [Config] 
-  * [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​vpn_clients|Clients]] [Config] 
-</​WRAP>​ 
- 
-<WRAP half Column> 
-<color #​508CAA>​**File & Folder Locations**</​color>​ 
-  - **Config Locations:​** 
-    * Firewall: **''/​etc/​config/​firewall''​** 
-    * Network: **''/​etc/​config/​network''​** 
-    * OpenVPN: **''/​etc/​config/​openvpn''​**\\ \\ 
-  - **Folder Locations:​** 
-    * OpenVPN 
-      * CA & ICA Certs: **''/​etc/​ssl/​ca/''​** 
-      * CSR: **''/​etc/​ssl/​ca/​csr/''​** 
-      * CRL: **''/​etc/​ssl/​crl/''​** 
-      * Client Certs: **''/​etc/​ssl/​openvpn/​clients/''​** 
-      * Server Certs: **''/​etc/​ssl/​openvpn/''​** 
-</​WRAP>​ 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
- 
-===== Install Packages ===== 
- 
-<WRAP indent> 
- 
- 
-==== Required ==== 
- 
-<WRAP 77em lo> 
-  - **Install OpenVPN & OpenSSL:** <sup>(1160KB)</sup> <code bash>opkg update && opkg install openvpn-openssl luci-app-openvpn openssl-util</code> 
-    - <​WRAP>​ ++++ Packages & Dependencies | 
-<WRAP box> 
-<WRAP third column> 
-      * [[packages:​pkgdata:​openvpn-openssl|openvpn-openssl]] ​ |  [[packages:​pkgdata:​luci-app-openvpn|luci-app-openvpn]] 
-</​WRAP>​ <WRAP third column> 
-      * [[packages:​pkgdata:​openssl-util|openssl-util]] ​ |  [[packages:​pkgdata:​kmod-tun|kmod-tun]] 
-</​WRAP>​ <WRAP third column> 
-      * [[packages:​pkgdata:​liblzo|liblzo]] ​ |  [[packages:​pkgdata:​libopenssl|libopenssl]] ​ |  [[packages:​pkgdata:​zlib|zlib]] 
-</​WRAP></​WRAP>​ ++++ </​WRAP>​ 
-</​WRAP>​ 
- 
- 
-==== Optional ==== 
- 
-<WRAP 77em lo> 
-  - **Install GnuPG:** <sup>(767KB)</sup> <code bash>opkg update && opkg install gnupg gnupg-utils</code> 
-    - <​WRAP>​ ++++ Packages & Dependencies | 
-<WRAP box> 
-<WRAP third column> 
-      * [[packages:pkgdata:gnupg|gnupg]]  |  [[packages:pkgdata:gnupg-utils|gnupg-utils]] 
-</​WRAP>​ 
-<WRAP third column> 
-      * [[packages:​pkgdata:​libcurl|libcurl]] ​ |  [[packages:​pkgdata:​libmbedtls|libmbedtls]] 
-</​WRAP>​ 
-<WRAP third column> 
-      * [[packages:​pkgdata:​libreadline|libreadline]] ​ |  [[packages:​pkgdata:​zlib|zlib]] 
-</​WRAP>​ 
-</​WRAP>​ ++++ </​WRAP>​ 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
- 
-===== Encryption ===== 
- 
-<WRAP indent> 
- 
-<WRAP centeralign 77em lo> 
-<wrap danger><​color #​FFFFFF>​Easy-RSA //does not// create proper certificates & has too many limitations,​ therefore OpenSSL should be utilized directly via an openssl.cnf</​color></​wrap>​ 
-</​WRAP>​ 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​PEM%20Association.reg|PEM Association.reg]]</​wrap>​ 
-</​WRAP>​ 
-==== Certificates ==== 
- 
-<WRAP 75em lo> 
-  -  **Create CA, ICA, Server, and Client certificates via:** [[docs:​guide-user:​services:​vpn:​openssl.certs|OpenSSL Certificates]] 
-      - [[docs:​guide-user:​services:​vpn:​openssl.certs#​prerequisites|Prerequisites]] 
-      - [[docs:​guide-user:​services:​vpn:​openssl.certs#​ca|Create CA Certificate]] 
-      - [[docs:​guide-user:​services:​vpn:​openssl.certs#​ica|Create ICA Certificate]] 
-      - [[docs:​guide-user:​services:​vpn:​openssl.certs#​servers|Create Server Certificate]] 
-      - [[docs:​guide-user:​services:​vpn:​openssl.certs#​clients|Create Client Certificate(s)]] 
-</​WRAP>​ 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[https://​wiki.openssl.org/​index.php/​Diffie_Hellman|DH Wiki]] ​ [[https://​wiki.openssl.org/​index.php/​Elliptic_Curve_Cryptography|EC Wiki]]</​wrap>​ 
-</​WRAP>​ 
-==== Diffie-Hellman Key ==== 
- 
-<WRAP 77em lo> 
-  - **Generate DH Key:** <sup><color #646464>(executed from **''/etc/ssl/''**)</color></sup> <code bash>openssl dhparam -out openvpn/dh2048.pem 2048</code> 
-    - **Generating DH keys takes substantial amounts of time**\\ \\ 
-    - **You may wish to generate 3072bit and 4096bit DH keys as well** 
-      * Generating multiple DH keys at once takes substantially less time due to the rand file\\ \\ 
-    - **OpenVPN added support for EC [//Elliptic Curve//] ciphers in v2.4** 
-</​WRAP>​ 
- 
- 
-==== TLS-Auth PSK ==== 
- 
-<WRAP 77em lo> 
-  - **Generate TLS-Auth Key:** <sup>(<color #646464>executed from **''/etc/ssl/''**)</color></sup> <code bash>openvpn --genkey --secret openvpn/tls-auth.key</code> 
-    - Adds an additional layer of HMAC authentication on top of the TLS control channel 
-      * Every control-channel packet must carry a valid HMAC computed with the shared key; packets that fail the check are dropped before any TLS processing, which blunts port scans, DoS floods and attempts to exploit flaws in the TLS stack 
-      * Ensures **P**erfect **F**orward **S**ecrecy is maintained\\ \\ 
-    - **''tls-auth''** requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients 
-      * Incoming packets must carry a valid signature generated with the PSK 
-        * If the key is changed, it must be changed on all clients (there is no support for key rollover)\\ 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
- 
-===== Network ===== 
- 
-<WRAP indent> 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[docs:​guide-user:​base-system:​basic-networking|Network Wiki]]</​wrap>​ 
-</​WRAP>​ 
- 
- 
-==== Interface Creation ==== 
- 
-<WRAP 77em lo> 
-  - **Create VPN Interface:** <code bash>uci set network.vpn0=interface && uci set network.vpn0.ifname=tun0 && uci set network.vpn0.proto=none && \ 
-  uci commit network && /etc/init.d/network reload</code> 
-</​WRAP>​ 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[docs:​guide-user:​services:​ddns:​client|DDNS Wiki]]</​wrap>​ 
-</​WRAP>​ 
-==== Configure DDNS ==== 
- 
-<WRAP indent> 
- 
-<WRAP box 75em lo> 
-<wrap right>​**''/​etc/​config/​ddns''​**</​wrap>​ 
-<color #​508CAA>​**Remote WAN Connections**</​color>​ 
- 
-  - **A DDNS provider or FQDN is required for users who are not assigned static IPs by ISPs** 
-    - DDNS: 
-      * **D**ynamic **D**omain **N**ame **S**ervice providers provide the user with a dynamically updated DNS name for their public IP 
-      * Purchasing occurs as a service subscription fee from DDNS providers 
-    - FQDN 
-      * **F**ully **Q**ualified **D**omain **N**ame is a URL <​sup><​color #​646464>​(google.com is a FQDN)</​color></​sup>​ 
-      * Purchasing a FQDN is for a set period of time, regulated by the non-profit IANA <​sup><​color #​646464>​(//​Internet Assigned Numbers Authority//​)</​color></​sup>​\\ \\ 
-  - **Most users will likely configure DDNS** 
-    * See the [[docs:​guide-user:​services:​ddns:​client|DDNS Clients]] wiki 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
- 
-<WRAP 79em lo> 
-<wrap right button>​[[docs:​guide-user:​firewall:​firewall_configuration|Firewall Wiki]]</​wrap>​ 
-</​WRAP>​ 
-===== Firewall ===== 
- 
-<WRAP indent> 
- 
-<WRAP box 77em lo> 
-<wrap right>​**''/​etc/​config/​firewall''​**</​wrap>​ 
-<color #​508CAA>​**Notations**</​color>​ 
- 
-  - **Traffic rules should be placed in the following order** 
-    - Firewall.User Script 
-    - Redirect Rules 
-    - Router Network Default 
-    - VPN Network Default 
-    - VPN InterZone Forwarding 
-    - VPN Traffic Rules\\ \\ 
-  - **Rule protocol for VPNs should always be both TCP & UDP for troubleshooting purposes** 
-    - Allowing both prevents having to edit the firewall every time troubleshooting is needed\\ \\ 
-  - **SSL VPNs should always use UDP** 
-    - //Except under the following two scenarios// 
-      - When troubleshooting\\ **OR** 
-      - When packet loss is high\\ \\ 
-  - **A port >1025 should be utilized for the VPN** 
-    - If using a custom port, update [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​vpn_server|VPN Server]] & [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​vpn_clients|VPN Client]] configs accordingly 
-      - If needing to bypass a strict firewall in front of the router, utilize port 443 <​sup>​[HTTPS]</​sup>​ 
-    - A non-standard port (i.e. not 1194) is recommended to limit firewall logging from unauthorized connection attempts to the default OpenVPN port 
-</​WRAP>​ 
- 
- 
-==== Create Rules ==== 
- 
-<WRAP 77em lo> 
-  - **Modify: ''​firewall''​** <code bash>vi /​etc/​config/​firewall</​code>​ 
-    - <​WRAP>​ ++++ /​etc/​config/​firewall | 
-<code cpp> 
-#::: Traffic Rules :::# 
-# LuCI: Network - Firewall - Traffic Rules 
- 
- 
-#::: Defaults :::# 
-# LuCI: Network - Firewall 
-#​------------------------------------------------ 
- 
-#::: Firewall.User Rules :::# 
-# LuCI: Network - Firewall - Custom Rules 
-config include 
-    option ​ path            '/​etc/​firewall.user'​ 
- 
-# Default OpenWrt Rule # 
-config defaults 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
-    option ​ syn_flood ​      1 
-    option ​ drop_invalid ​   1 
- 
- 
-# Allow initial VPN connection # 
-#​------------------------------------------------ 
-# LuCI: From any host in any zone To any router 
-# IP at port 5000 on this device (Accept Input) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​*'​ 
-    option ​ dest_port ​      5000 
-    option ​ name            'Allow Forwarded VPN Request -> <​device>'​ 
- 
- 
-#::: Zones :::# 
-# LuCI: Network - Firewall - Zones 
-#​------------------------------------------------ 
- 
-# LAN # 
-config zone 
-    option ​ name            '​lan'​ 
-    option ​ network ​        '​lan'​ 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
- 
-# VPN # 
-config zone 
-    option ​ name            '​vpn'​ 
-    option ​ network ​        '​vpn0'​ 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
- 
-# WAN # 
-config zone 
-    option ​ name            '​wan'​ 
-    option ​ network ​        '​wan wan6' 
-    option ​ input           '​REJECT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​REJECT'​ 
-    option ​ masq            1 
-    option ​ mtu_fix ​        1 
- 
- 
-#::: InterZone Forwarding :::# 
-# LuCI: Network -> Firewall -> Zones - 
-# VPN - Edit - Inter-Zone Forwarding 
-#​------------------------------------------------ 
- 
-# LAN to VPN # 
-config forwarding 
-    option ​ dest            '​vpn'​ 
-    option ​ src             '​lan'​ 
- 
-# LAN to WAN # 
-config forwarding 
-    option ​ dest            '​wan'​ 
-    option ​ src             '​lan'​ 
- 
-# VPN to LAN # 
-config forwarding 
-    option ​ dest            '​lan'​ 
-    option ​ src             '​vpn'​ 
-</​code>​ ++++ </​WRAP>​ 
-    - <​WRAP>​ ++++ Advanced: Restrict by IP | 
-<code cpp> 
-#::: Traffic Rules :::# 
-# LuCI: Network - Firewall - Traffic Rules 
- 
- 
-#::: Defaults :::# 
-# LuCI: Network - Firewall 
-#​------------------------------------------------ 
- 
-#::: Firewall.User Rules :::# 
-# LuCI: Network - Firewall - Custom Rules 
-config include 
-    option ​ path            '/​etc/​firewall.user'​ 
- 
-# Default OpenWrt Rule # 
-config defaults 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
-    option ​ syn_flood ​      1 
-    option ​ drop_invalid ​   1 
- 
- 
-# Allow initial VPN connection # 
-#​------------------------------------------------ 
-# LuCI: From any host in any zone To any router 
-# IP at port 5000 on this device (Accept Input) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​*'​ 
-    option ​ dest_port ​      5000 
-    option ​ name            'Allow Forwarded VPN Request -> <​device>'​ 
- 
-# Allow VPN specific SSH traffic to VPN SSH port # 
-#​------------------------------------------------ 
-# LuCI: From any host in vpn to any router IP at 
-# port 5022 on this device 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp'​ 
-    option ​ src             '​vpn'​ 
-    option ​ dest_port ​      5022 
-    option ​ name            'Allow OpenVPN -> <​device>​ (OpenVPN SSH)' 
- 
-# Once Assigned VPN IP, Allow Inbound -> LAN # 
-#​------------------------------------------------ 
-# LuCI: From IP range 10.1.0.0/28 in vpn To IP 
-# range 192.168.1.0/24 on this device (Accept Input) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest_ip ​        '​192.168.1.0/​24'​ 
-    option ​ name            'Allow OpenVPN -> LAN' 
- 
-# Once Assigned VPN IP, Allow Forwarded -> LAN # 
-#​------------------------------------------------ 
-# LuCI: From any host in vpn To any host in any 
-# zone (Accept Forward) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ dest            '​*'​ 
-    option ​ name            'Allow Forwarded OpenVPN -> <​device>'​ 
- 
-# Allow Outbound ICMP Traffic from VPN # 
-#​------------------------------------------------ 
-# LuCI: ICMP From IP range 10.1.0.0/28 in vpn To 
-# any host in lan (Accept Forward) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​icmp'​ 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest            '​lan'​ 
-    option ​ name            'Allow OpenVPN (ICMP) -> LAN' 
- 
-# Allow Outbound Ping Requests from VPN # 
-#​------------------------------------------------ 
-# LuCI: ICMP with type echo-request From IP range 
-# 10.1.0.0/28 in vpn To any host in wan (Accept Forward) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​icmp'​ 
-    list    icmp_type ​      '​echo-request'​ 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest            '​wan'​ 
-    option ​ name            'Allow OpenVPN (ICMP 8: echo-request) -> WAN' 
- 
- 
-#::: Zones :::# 
-# LuCI: Network - Firewall - Zones 
-#​------------------------------------------------ 
- 
-# LAN # 
-config zone 
-    option ​ name            '​lan'​ 
-    option ​ network ​        '​lan'​ 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
- 
-# VPN # 
-config zone 
-    option ​ name            '​vpn'​ 
-    option ​ network ​        '​vpn0'​ 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
- 
-# WAN # 
-config zone 
-    option ​ name            '​wan'​ 
-    option ​ network ​        '​wan wan6' 
-    option ​ input           '​DROP'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
-    option ​ masq            1 
-    option ​ mtu_fix ​        1 
- 
- 
-#::: InterZone Forwarding :::# 
-# LuCI: Network -> Firewall -> Zones - 
-# VPN - Edit - Inter-Zone Forwarding 
-#​------------------------------------------------ 
- 
-# LAN to WAN # 
-config forwarding 
-    option ​ dest            '​wan'​ 
-    option ​ src             '​lan'​ 
-</​code>​ ++++ </​WRAP>​ 
-    - <​WRAP>​ ++++ Advanced: Restrict by IP & MAC | 
-<code cpp> 
-#::: Traffic Rules :::# 
-# LuCI: Network - Firewall - Traffic Rules 
- 
- 
-#::: Defaults :::# 
-# LuCI: Network - Firewall 
-#​------------------------------------------------ 
- 
-#::: Firewall.User Rules :::# 
-# LuCI: Network - Firewall - Custom Rules 
-config include 
-    option ​ path            '/​etc/​firewall.user'​ 
- 
-# Default OpenWrt Rule # 
-config defaults 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
-    option ​ syn_flood ​      1 
-    option ​ drop_invalid ​   1 
- 
- 
-# Allow initial VPN connection # 
-#​------------------------------------------------ 
-# LuCI: From any host in any zone To any router 
-# IP at port 5000 on this device (Accept Input) 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​*'​ 
-    option ​ dest_port ​      5000 
-    option ​ name            'Allow Forwarded OpenVPN Request -> <​device>'​ 
- 
-# Allow VPN specific SSH traffic to VPN SSH port # 
-#​------------------------------------------------ 
-# LuCI: From any host in vpn to any router IP at 
-# port 5022 on this device 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp'​ 
-    option ​ src             '​vpn'​ 
-    option ​ dest_port ​      5022 
-    option ​ name            'Allow OpenVPN -> <​device>​ (OpenVPN SSH)' 
- 
-# Once Assigned VPN IP, Allow Inbound PC-LAN -> LAN # 
-#-------------------------------------------------------- 
-# LuCI: From IP range 10.1.0.2/28 in vpn with source MAC 
-# A1:B1:C1:D1:E1:F1 To any host, port 5000 in any zone 
-# NOTE: src_mac only matches on layer-2 (tap) interfaces; the tun0 
-# interface this guide configures carries no Ethernet header, so the 
-# MAC-restricted rules below never match and tun clients are covered 
-# only by the IP-range rules further down. A /28 mask on 10.1.0.2 also 
-# matches the whole 10.1.0.0/28 block; use /32 to pin a single client 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ dest            '​*'​ 
-    option ​ src_mac ​        '​A1:​B1:​C1:​D1:​E1:​F1'​ 
-    option ​ dest_port ​      5000 
-    option ​ src_ip ​         '​10.1.0.2/​28'​ 
-    option ​ name            'Allow Forwarded OpenVPN (PC-LAN) -> <​device>'​ 
- 
-# Once Assigned VPN IP, Allow Inbound PC-WiFi -> LAN # 
-#​-------------------------------------------------------- 
-# LuCI: From IP range 10.1.0.2/28 in vpn with source MAC 
-# A2:​B2:​C2:​D2:​E2:​F2 To any host, port 5000 in any zone 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.2/​28'​ 
-    option ​ src_mac ​        '​A2:​B2:​C2:​D2:​E2:​F2'​ 
-    option ​ dest            '​*'​ 
-    option ​ dest_port ​      5000 
-    option ​ name            'Allow Forwarded OpenVPN (PC-WiFi) -> <​device>'​ 
- 
-# Once Assigned VPN IP, Allow Inbound Phone -> LAN # 
-#​-------------------------------------------------------- 
-# LuCI: From IP range 10.1.0.3/28 in vpn To any 
-# host, port 5000 in any zone 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.3/​28'​ 
-    option ​ dest            '​*'​ 
-    option ​ dest_port ​      5000 
-    option ​ name            'Allow Forwarded OpenVPN (Phone) -> <​device>'​ 
- 
-# Once Assigned VPN IP, Allow Inbound -> LAN # 
-#​------------------------------------------------ 
-# LuCI: From IP range 10.1.0.0/28 in vpn To IP 
-# range 192.168.1.0/​24 on this device 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest_ip ​        '​192.168.1.0/​24'​ 
-    option ​ name            'Allow OpenVPN -> LAN' 
- 
-# Once Assigned VPN IP, Allow Forwarded -> LAN # 
-#​------------------------------------------------ 
-# LuCI: From IP range 10.1.0.0/28 in vpn To IP 
-# range 192.168.1.0/​24 in any zone 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​tcp udp' 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest            '​*'​ 
-    option ​ dest_ip ​        '​192.168.1.0/​24'​ 
-    option ​ name            'Allow Forwarded OpenVPN -> <​device>'​ 
- 
-# Allow Outbound ICMP from VPN -> LAN # 
-#​------------------------------------------------ 
-# LuCI: icmp From IP range 10.1.0.0/28 in vpn To 
-# any host in lan 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​icmp'​ 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest            '​lan'​ 
-    option ​ name            'Allow OpenVPN (ICMP) -> LAN' 
- 
-# Allow Outbound Ping Requests from VPN -> LAN # 
-#​------------------------------------------------ 
-# LuCI: icmp with type echo-request From IP range 
-# 10.1.0.0/28 in vpn To any host in lan 
-config rule 
-    option ​ target ​         '​ACCEPT'​ 
-    option ​ family ​         '​ipv4'​ 
-    option ​ proto           '​icmp'​ 
-    option ​ src             '​vpn'​ 
-    option ​ src_ip ​         '​10.1.0.0/​28'​ 
-    option ​ dest            '​lan'​ 
-    list    icmp_type ​      '​echo-request'​ 
-    option ​ name            'Allow OpenVPN (echo-request) -> LAN' 
- 
- 
-#::: Zones :::# 
-# LuCI: Network - Firewall - Zones 
-#​------------------------------------------------ 
- 
-# LAN # 
-config zone 
-   ​option ​ name            '​lan'​ 
-   ​option ​ network ​        '​lan'​ 
-   ​option ​ input           '​ACCEPT'​ 
-   ​option ​ output ​         '​ACCEPT'​ 
-   ​option ​ forward ​        '​DROP'​ 
- 
-# VPN # 
-config zone 
-   ​option ​ name            '​vpn'​ 
-   ​option ​ network ​        '​vpn0'​ 
-   ​option ​ input           '​ACCEPT'​ 
-   ​option ​ output ​         '​ACCEPT'​ 
-   ​option ​ forward ​        '​DROP'​ 
- 
-# WAN # 
-config zone 
-   ​option ​ name            '​wan'​ 
-   ​option ​ network ​        '​wan wan6' 
-   ​option ​ input           '​DROP'​ 
-   ​option ​ output ​         '​ACCEPT'​ 
-   ​option ​ forward ​        '​DROP'​ 
-   ​option ​ masq            1 
-   ​option ​ mtu_fix ​        1 
- 
- 
-#::: InterZone Forwarding :::# 
-# LuCI: Network -> Firewall -> Zones - 
-# VPN - Edit - Inter-Zone Forwarding 
-#​------------------------------------------------ 
- 
-# LAN to WAN # 
-config forwarding 
-   ​option ​ dest            '​wan'​ 
-   ​option ​ src             '​lan'​ 
-</​code>​ ++++ </​WRAP>​ 
-  - **Commit Changes:** <code bash>/​etc/​init.d/​firewall reload</​code>​ 
-</​WRAP>​ 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[docs:​guide-user:​base-system:​log.essentials|Runtime Logging]]</​wrap> ​ <wrap right button>​[[docs:​guide-user:​perf_and_log:​start|Performance & Logging]]</​wrap> ​ <wrap right button>​[[docs:​guide-user:​firewall:​netfilter-iptables:​start|Netfilter Logging]]</​wrap>​ 
-</​WRAP>​ 
-==== Logging ==== 
- 
-<WRAP 77em lo> 
-  - **Modify: ''​firewall.user''​** <code bash>vi /​etc/​firewall.user</​code>​ 
-    - <WRAP 152%> ++++ /​etc/​firewall.user | 
-<code cpp> 
-#::: Traffic Rules :::# 
-# LuCI: Network - Firewall - Custom Rules 
- 
-  # These rules make the assumption the default port of 1194 is not used for the VPN 
-    # Port 5000 is being used arbitrarily for the VPN port 
-    # Port 5022 is being used arbitrarily for the VPN SSH port 
-  # firewall.user is pulled in via 'config include' and its -I INPUT hooks sit in front 
-  # of the zone chains, so a port hooked here is reachable from every interface, WAN included 
- 
- 
-    # Establish Custom Chains # 
-#--------------------------------------------------- 
- 
-# Log: 
-  iptables  -N  LOG-VPN 
-  iptables  -N  LOG-SSH 
- 
-# Limit: 
-  iptables  -N  Port-Log 
- 
- 
-    # Establish Ports to Log # 
-#--------------------------------------------------- 
-# Up to 3 new connections/min (burst 3) per rule are logged and handed to a LOG chain; 
-# anything above that falls through to the DROP at the end, so this also rate-limits new 
-# connections on the hooked ports (a client reconnecting repeatedly will be dropped) 
- 
-# SSH (not reached here: only port 5000 is hooked into Port-Log below): 
-  iptables  -A  Port-Log  -p  tcp   --dport   22    -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-SSH 
- 
-# VPN: 
-  iptables  -A  Port-Log  -p  tcp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN 
-  iptables  -A  Port-Log  -p  udp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN 
- 
-# VPN SSH (not reached here, see above): 
-  iptables  -A  Port-Log  -p  tcp   --dport   5022  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-SSH 
- 
-# Default: 
-  iptables  -A  Port-Log                                                                                 -j  DROP 
- 
- 
-    # Apply Port Logging # 
-#--------------------------------------------------- 
- 
-# VPN: 
-  iptables  -I  INPUT     -p  tcp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log 
-  iptables  -I  INPUT     -p  udp   --dport   5000  -m  conntrack   --ctstate NEW                         -j  Port-Log 
- 
- 
-  # Log VPN Traffic # 
-#--------------------------------------------------- 
- 
-# VPN: 
-  iptables  -A  LOG-VPN   -j  LOG   --log-prefix  "<[[--- VPN Traffic ---]]> : "   --log-level 4 
-# ACCEPT is required here (a RETURN would land on Port-Log's DROP); it is safe for port 5000 
-# only because the traffic rule in /etc/config/firewall already admits it from every zone 
-  iptables  -A  LOG-VPN   -j  ACCEPT 
-</code> ++++ </WRAP> 
-    - <WRAP 152%> ++++ Advanced: Log VPN & VPN SSH | 
-<code cpp> 
-#::: Traffic Rules :::# 
-# LuCI: Network - Firewall - Custom Rules 
- 
-  # These rules make the assumption the default port of 1194 is not used for the VPN 
-    # Port 5000 is being used arbitrarily for the VPN port 
-    # Port 5022 is being used arbitrarily for the VPN SSH port 
-  # The LOG chains end in ACCEPT and the -I INPUT hooks sit in front of the zone chains, so 
-  # every hook below is pinned to the interface its port is meant to be reached on; an 
-  # unpinned hook for port 22 would accept SSH from the WAN ahead of the zone rules 
- 
- 
-    # Establish Custom Chains # 
-#--------------------------------------------------- 
- 
-# Log: 
-  iptables  -N  LOG-VPN 
-  iptables  -N  LOG-SSH 
- 
-# Limit: 
-  iptables  -N  Port-Log 
- 
- 
-    # Establish Ports to Log # 
-#--------------------------------------------------- 
-# Up to 3 new connections/min (burst 3) per rule are logged; anything above that falls 
-# through to the DROP at the end, so this also rate-limits new connections on these ports 
- 
-# SSH: 
-  iptables  -A  Port-Log  -p  tcp   --dport   22    -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-SSH 
- 
-# SSH (VPN): 
-  iptables  -A  Port-Log  -p  tcp   --dport   5022  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-SSH 
- 
-# VPN: 
-  iptables  -A  Port-Log  -p  tcp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN 
-  iptables  -A  Port-Log  -p  udp   --dport   5000  -m  limit       --limit   3/min   --limit-burst   3   -j  LOG-VPN 
- 
-# Default: 
-  iptables  -A  Port-Log                                                                                 -j  DROP 
- 
- 
-    # Apply Port Logging # 
-#--------------------------------------------------- 
- 
-# SSH (LAN only; br-lan is the default OpenWrt LAN bridge, adjust if yours differs): 
-  iptables  -I  INPUT  -i  br-lan  -p  tcp   --dport   22    -m  conntrack   --ctstate NEW   -j  Port-Log 
- 
-# SSH (VPN) (tun0 is the VPN interface created in the Network section): 
-  iptables  -I  INPUT  -i  tun0    -p  tcp   --dport   5022  -m  conntrack   --ctstate NEW   -j  Port-Log 
- 
-# VPN (the traffic rule in /etc/config/firewall already admits 5000 from every zone): 
-  iptables  -I  INPUT              -p  tcp   --dport   5000  -m  conntrack   --ctstate NEW   -j  Port-Log 
-  iptables  -I  INPUT              -p  udp   --dport   5000  -m  conntrack   --ctstate NEW   -j  Port-Log 
- 
- 
-  # Log SSH Traffic # 
-#--------------------------------------------------- 
-# --log-prefix is limited to 29 characters; iptables rejects a rule with a longer prefix 
- 
-# VPN SSH (tagged separately; the ACCEPT stops it being logged a second time below): 
-  iptables  -A  LOG-SSH   -p  tcp   --dport   5022  -j  LOG   --log-prefix  "<[[--- VPN->SSH ---]]> : "      --log-level 4 
-  iptables  -A  LOG-SSH   -p  tcp   --dport   5022  -j  ACCEPT 
- 
-# SSH: 
-  iptables  -A  LOG-SSH   -j  LOG   --log-prefix  "<[[--- SSH Traffic ---]]> : "   --log-level 4 
-  iptables  -A  LOG-SSH   -j  ACCEPT 
- 
- 
-  # Log VPN Traffic # 
-#--------------------------------------------------- 
- 
-# VPN: 
-  iptables  -A  LOG-VPN   -j  LOG   --log-prefix  "<[[--- VPN Traffic ---]]> : "   --log-level 4 
-  iptables  -A  LOG-VPN   -j  ACCEPT 
-</code> ++++ </WRAP> 
-  - **Commit Changes:** <code bash>/​etc/​init.d/​firewall reload</​code>​ 
-</​WRAP>​ 
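A lint for the iptables lines kept in firewall.user, added here as an example (it is not part of the wiki page or of OpenWrt). It catches the two reload-time failures that bite scripts like the ones above: a jump to a chain that was never created with -N (or created twice) and a --log-prefix over the 29-character limit of the LOG target; the script it runs on (SAMPLE_SCRIPT) is constructed for the example.

```python
"""Lint for the iptables lines kept in /etc/firewall.user by this guide.

Catches two mistakes that only surface as errors at firewall reload time:
  * a chain that is jumped to (-j NAME) or appended to (-A NAME) but never
    created with -N, or a chain created twice;
  * a --log-prefix longer than the 29 characters the LOG target accepts.
SAMPLE_SCRIPT is constructed for this example; it mirrors the structure of
the guide's firewall.user and deliberately contains all three mistakes.
"""
import shlex

# Targets iptables provides itself; anything else after -j must be a user chain
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE", "NFQUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK", "TCPMSS"}
# Chains that exist without being created
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
MAX_LOG_PREFIX = 29  # hard limit of the LOG target's --log-prefix

SAMPLE_SCRIPT = """\
# constructed excerpt modelled on the guide's firewall.user
iptables -N LOG-VPN
iptables -N LOG-VPN
iptables -N Port-Log
iptables -A Port-Log -p tcp --dport 5022 -m limit --limit 3/min --limit-burst 3 -j LOG-SSH
iptables -A Port-Log -j DROP
iptables -I INPUT -p udp --dport 5000 -m conntrack --ctstate NEW -j Port-Log
iptables -A LOG-VPN -p tcp --dport 5022 -j LOG --log-prefix "<[[--- VPN --> SSH Traffic ---]]> : " --log-level 4
iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4
iptables -A LOG-VPN -j ACCEPT
"""


def parse_rule(line):
    """Split one iptables command into (action, chain, target, log_prefix).

    Returns None for blank lines, comments and anything that is not an
    iptables invocation.  Only the pieces the lint needs are extracted.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "iptables":
        return None
    action = chain = target = prefix = None
    i = 1
    while i < len(tokens) - 1:          # every option we care about takes a value
        tok, val = tokens[i], tokens[i + 1]
        if tok in ("-N", "-A", "-I", "-D"):
            action, chain = tok, val
        elif tok == "-j":
            target = val
        elif tok == "--log-prefix":
            prefix = val
        i += 1
    return action, chain, target, prefix


def lint(script):
    """Return findings as (line_number, code, message) tuples, sorted by line."""
    created = {}        # chain name -> line where -N created it
    uses = []           # (line, chain) for every -A/-I/-j reference to a user chain
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, chain, target, prefix = parsed
        if action == "-N":
            if chain in created:
                findings.append((lineno, "duplicate-chain",
                                 f"{chain} already created on line {created[chain]}"))
            else:
                created[chain] = lineno
        elif chain and chain not in BUILTIN_CHAINS:
            uses.append((lineno, chain))
        if target and target not in BUILTIN_TARGETS:
            uses.append((lineno, target))
        if prefix is not None and len(prefix) > MAX_LOG_PREFIX:
            findings.append((lineno, "prefix-too-long",
                             f"--log-prefix is {len(prefix)} chars, limit is {MAX_LOG_PREFIX}"))
    for lineno, chain in uses:
        if chain not in created:
            findings.append((lineno, "undefined-chain", f"{chain} is never created with -N"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, msg in lint(SAMPLE_SCRIPT):
        print(f"line {lineno}: {code}: {msg}")
```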
- 
-</​WRAP>​ 
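What the LOG rules in the Logging section produce, and how to read it off-box: an added example (not from the page or from OpenWrt) that parses logread-style kernel lines carrying the guide's log prefixes and counts attempts per source and port. The log lines, interface names and addresses in SAMPLE_LOG are constructed for the example.

```python
"""Parse and summarise the kernel log lines produced by the LOG rules in
this guide's /etc/firewall.user, as `logread` shows them on OpenWrt.

--log-level 4 makes them kern.warn entries; the --log-prefix
("<[[--- VPN Traffic ---]]> : ", "<[[--- SSH Traffic ---]]> : ", ...) is
followed by the packet fields netfilter appends (IN=, SRC=, DST=, PROTO=,
DPT=, ...).  SAMPLE_LOG is constructed for this example and uses
documentation address ranges, not real hosts.
"""
import re
from collections import Counter

# "<[[--- <label> ---]]> : " prefix, then the netfilter field list
LOG_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?<\[\[--- (?P<label>.+?) ---\]\]> : (?P<fields>IN=.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

SAMPLE_LOG = """\
Sun Aug 12 21:35:01 2018 kern.warn kernel: [ 8812.104512] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=54 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51234 DPT=5000 LEN=34
Sun Aug 12 21:35:09 2018 kern.warn kernel: [ 8820.330071] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=54 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51235 DPT=5000 LEN=34
Sun Aug 12 21:35:17 2018 kern.warn kernel: [ 8828.771902] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=54 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51236 DPT=5000 LEN=34
Sun Aug 12 21:36:02 2018 kern.warn kernel: [ 8873.002311] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=54 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=1194 DPT=5000 LEN=34
Sun Aug 12 21:36:40 2018 kern.warn kernel: [ 8911.560004] <[[--- SSH Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=8842 DF PROTO=TCP SPT=40212 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sun Aug 12 21:37:12 2018 kern.warn kernel: [ 8943.120455] <[[--- VPN->SSH ---]]> : IN=tun0 OUT= MAC= SRC=10.1.0.3 DST=10.1.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1201 DF PROTO=TCP SPT=50122 DPT=5022 WINDOW=64240 RES=0x00 SYN URGP=0
Sun Aug 12 21:37:13 2018 daemon.notice openvpn(VPNserver)[1823]: 192.0.2.44:1194 TLS: Initial packet from [AF_INET]192.0.2.44:1194
"""


def parse_log_line(line):
    """Return the interesting fields of one firewall log line, or None if the
    line was not produced by one of the guide's LOG rules."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "label": m.group("label"),
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def attempts_by_source(lines):
    """Count logged connection attempts per (source IP, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["src"] and rec["dpt"]:
            counts[(rec["src"], rec["dpt"])] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """(source, port) pairs with at least `threshold` logged attempts.

    The LOG rules are rate-limited to 3 entries/min with a burst of 3 and
    everything above the limit is dropped without being logged, so these
    counts are a lower bound on what a source actually sent."""
    return sorted(k for k, n in attempts_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, port), n in sorted(attempts_by_source(lines).items()):
        print(f"{src:>15} -> port {port:<5} {n} logged attempt(s)")
    print("over threshold:", noisy_sources(lines))
```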
- 
- 
-<WRAP 79em lo> 
-<wrap right button>​[[docs:​guide-user:​services:​vpn:​overview|VPN Overview]]</​wrap>​ 
-</​WRAP>​ 
-=====  VPN Server ===== 
- 
-<WRAP indent> 
- 
-<WRAP 77em lo> 
-<WRAP centeralign><​wrap safety> It's //strongly encouraged//​ to read through the OpenVPN HowTo & Man Page</​wrap></​WRAP>​ 
- 
-<WRAP box> 
-<wrap right>​**''/​etc/​config/​openvpn''​**</​wrap>​ 
-<color #​508CAA>​**Notations**</​color>​ 
- 
-  - **The OpenVPN** [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​openvpn|HowTo & Man Page]] **provide every possible option for Server & Client Configs** \\ \\ 
-    - **This specific configuration has been designed to give the best performance possible, via** [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​openvpn|MTU & Buffer]] **Tuning recommendations** 
-      - DNS primary & secondary are [[https://www.opendns.com/setupguide/?url=familyshield|OpenDNS']] 
-      - NTP is obtained from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be changed to the NTP server of your choice 
-        * An NTP source should be specified (it doesn't need to be NIST), as encryption handshakes must be accurate to within milliseconds\\ \\ 
-    - **//CCD directives//​ (under //Client Config//) are commented out, as one will need to read the** [[docs:​guide-user:​services:​vpn:​openvpn:​server.comprehensive#​openvpn|OpenVPN HowTo]] **to understand how it's used** 
-      * CCD adds an extra layer of protection, allowing only those CNs specified to connect to the VPN, even if a valid client cert is used\\ \\ 
-    - **Two or more servers can be run from this config file** 
-      * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\ \\ 
-</​WRAP>​ 
- 
-<​WRAP>​ ++++ Encryption Annotations | 
-<WRAP box> 
-<wrap right>​**''/​etc/​config/​openvpn''​**</​wrap>​ 
-<color #​508CAA>​**Encryption Info**</​color>​ 
- 
-  - **OpenVPN 2.4 added TLS Elliptic-Curve ''​[EC]''​ support**\\ \\ 
-    - **TLS EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load**\\ \\ 
-    - **OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for //''​option tls_cipher''//​** 
-      - Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
-      - Disabled ciphers are specified at the end with an ''<​wrap em>​!</​wrap>''​ in front of the cipher 
-</​WRAP>​ 
-    - <wrap hi>​**Ciphers must match the capabilities of the server & clients**</​wrap>​ 
-      - **Available TLS ciphers:** <code bash>​openssl ciphers -V | grep TLS</​code>​ 
-        - **//Windows Client://** <code bash>​openssl ciphers -V | findstr /R TLS</​code>​ 
-      - **Available SSL ciphers:** <code bash>​openssl ciphers -V | grep SSL</​code>​ 
-        - **//Windows Client://** <code bash>​openssl ciphers -V | findstr /R SSL</​code>​\\ 
-    - <wrap hi>**x64 CPUs process SHA512 hashes more efficiently than SHA256**</​wrap>​ 
-      * **If utilizing only on devices with x86/ARM processors, change server'​s & client'​s //''​auth '​SHA512'​ ''//​ to //''​auth '​SHA256'​ ''//​** 
-        - **Verify SHA256 Speed:** <code bash>​openssl speed sha256</​code>​ 
-        - **Verify SHA512 Speed:** <code bash>​openssl speed sha512</​code>​ 
-++++ </​WRAP>​ 
-</​WRAP>​ 
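Review bot: the "x64 CPUs process SHA512 hashes more efficiently than SHA256" guidance contradicts the page's own evidence: the log output further down shows the server binary as arm-openwrt-linux-gnu, i.e. the router is exactly the ARM case for which this fold says to change both sides to auth 'SHA256'. Either default the server and client configs to SHA256 and explain when SHA512 is worth it, or keep SHA512 and drop the x64 justification; "openssl speed sha256" and "openssl speed sha512" run on the router (not on the PC) are the right tie-breaker, and the fold should say where to run them. The claim that tls_cipher is limited to 256 characters on OpenWrt also has no citation; since the tls_cipher string in the config below is already close to that length, a reader who appends a suite will silently lose the tail of the list, so point to where the limit comes from or tell the reader to check the OpenVPN log for an options error after editing it.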
- 
- 
-==== Config ==== 
- 
-<WRAP 77em lo> 
- 
-  - **Modify: ''​openvpn''​** <code bash>cd /etc/config && cp openvpn openvpn.orig && echo > openvpn && vi openvpn</​code><​WRAP>​ ++++ /​etc/​config/​openvpn | 
-<code cpp> 
-config openvpn '​VPNserver'​ 
-    option ​ enabled ​            1 
- 
-    # Protocol # 
-#​------------------------------------------------ 
-    option ​ dev                 '​tun'​ 
-    option ​ dev                 '​tun0'​ 
-    option ​ topology ​           '​subnet'​ 
-    option ​ proto               '​udp'​ 
-    option ​ port                5000 
- 
-    # Routes # 
-#​------------------------------------------------ 
-    option ​ server ​             '​10.1.0.0 255.255.255.240'​ 
-    option ​ ifconfig ​           '​10.1.0.1 255.255.255.240'​ 
- 
-    # Client Config # 
-#​------------------------------------------------ 
-    #   ​option ​ ccd_exclusive ​          1 
-    #   ​option ​ client_config_dir ​      '/​etc/​openvpn/​clients/'​ 
-    #   ​option ​ ifconfig_pool_persist ​  '/​etc/​openvpn/​clients/​ipp.txt'​ 
- 
-    # Pushed Routes # 
-#​------------------------------------------------ 
-    list    push                'route 192.168.1.0 255.255.255.0'​ 
-    list    push                '​dhcp-option ​   DNS 192.168.1.1'​ 
-    list    push                '​dhcp-option ​   WINS 192.168.1.1'​ 
-    list    push                '​dhcp-option ​   DNS 208.67.222.123'​ 
-    list    push                '​dhcp-option ​   DNS 208.67.220.123'​ 
-    list    push                '​dhcp-option ​   NTP 129.6.15.30'​ 
- 
-    # Encryption # 
-#​------------------------------------------------ 
-    # Diffie-Hellman:​ 
-    option ​ dh                  '/​etc/​ssl/​openvpn/​dh2048.pem'​ 
- 
-    # PKCS12: 
-    option ​ pkcs12 ​             '/​etc/​ssl/​openvpn/​vpn-server.p12'​ 
- 
-    # SSL: 
-    option ​ cipher ​             '​AES-128-CBC'​ 
-    option ​ auth                '​SHA512'​ 
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0' 
- 
-    # TLS: 
-    option ​ tls_server ​         1 
-    option ​ tls_version_min ​    '​1.2'​ 
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:​TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:​TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:​TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:​!kRSA'​ 
- 
-    # Logging # 
-#​------------------------------------------------ 
-    option ​ log_append ​         '/​tmp/​openvpn.log'​ 
-    option ​ status ​             '/​tmp/​openvpn-status.log'​ 
-    option ​ verb                4 
- 
-    # Connection Options # 
-#​------------------------------------------------ 
-    option ​ keepalive ​          '​10 120' 
-    option ​ compress ​           '​lzo'​ 
- 
-    # Connection Reliability # 
-#​------------------------------------------------ 
-    option ​ client_to_client ​   1 
-    option ​ persist_key ​        1 
-    option ​ persist_tun ​        1 
- 
-    # Connection Speed # 
-#​------------------------------------------------ 
-    option ​ sndbuf ​             393216 
-    option ​ rcvbuf ​             393216 
-    option ​ fragment ​           0 
-    option ​ mssfix ​             0 
-    option ​ tun_mtu ​            48000 
- 
-    # Pushed Buffers # 
-#​------------------------------------------------ 
-    list    push                '​sndbuf 393216'​ 
-    list    push                '​rcvbuf 393216'​ 
- 
-    # Permissions # 
-#​------------------------------------------------ 
-    option ​ user                '​nobody'​ 
-    option ​ group               '​nogroup'​ 
- 
- 
-    # chroot # 
-#​------------------------------------------------ 
-    # chroot should be utilized in case the VPN is ever exploited; however, most commercial 
-    # routers don't have internal flash storage large enough to support it.  An OpenVPN 
-    # chroot would be ~11MB in size. 
- 
-        # Modify if chroot is configured # 
-    #​-------------------------------------------- 
-        # option ​ ccd_exclusive ​            1 
-        # option ​ client_config_dir ​        '/​var/​chroot-openvpn/​etc/​openvpn/​clients'​ 
-        # option ​ ifconfig_pool_persist ​    '/​var/​chroot-openvpn/​etc/​openvpn/​clients/​ipp.txt'​ 
- 
-        # option ​ cipher ​                   '​AES-128-CBC'​ 
-        # option ​ dh                        '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem'​ 
-        # option ​ pkcs12 ​                   '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12'​ 
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0' 
-</​code>​ ++++ </​WRAP>​ 
-  - **Commit Changes:** <code bash>/​etc/​init.d/​openvpn enable && /​etc/​init.d/​openvpn start && sleep 2 && cat /​tmp/​openvpn.log</​code>​ 
-</​WRAP>​ 
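Review bot: the data channel is left on option cipher 'AES-128-CBC' plus option auth 'SHA512' while the control channel (tls_cipher) is restricted to ECDHE/GCM suites; since the page assumes OpenVPN 2.4 ("OpenVPN 2.4 added TLS Elliptic-Curve support"), the data channel can use an AEAD cipher such as AES-128-GCM, which authenticates the packets itself and removes the separate HMAC from that path. Three more points on this block. option compress 'lzo' (mirrored by comp-lzo in every client config below) compresses plaintext before encryption, which is the precondition for compression-oracle attacks on VPN traffic; current OpenVPN guidance is to leave compression off unless the link measurably needs it. option client_to_client 1 makes the server forward client-to-client packets internally, so that traffic never passes through the router firewall rules built earlier on this page; leave it unset unless clients must reach each other, and say so. Minor: option dev appears twice ('tun', then 'tun0'); UCI keeps the last assignment, so the first line is dead and should be removed to avoid confusion.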
- 
- 
-==== CCD ==== 
- 
-<WRAP indent 77em lo> 
- 
-<​WRAP>​ ++++ To Enable CCD: | 
-<wrap right>​**''/​etc/​openvpn/​clients''​**</​wrap>​ 
-<color #​508CAA>​**Configure CCD**</​color>​ 
- 
-  - **Enable CCD in Server Config:** <code bash>vi /​etc/​config/​openvpn</​code>​ <​WRAP>​ ++++ Uncomment | 
-<code cpp> 
-    option ​ ccd_exclusive ​          1 
-    option ​ client_config_dir ​      '/​etc/​openvpn/​clients/'​ 
-    option ​ ifconfig_pool_persist ​  '/​etc/​openvpn/​clients/​ipp.txt'​ 
-</​code>​ <WRAP box> 
-    * **//''​ccd_exclusive ​          ''//​** <wrap em>​=</​wrap>​ <color #​646464>​enables CCD</​color>​ 
-    * **//''​client_config_dir ​      ''//​** ​ <wrap em>​=</​wrap>​ <color #​646464>​Directory housing CCD client files</​color>​ 
-    * **//''​ifconfig_pool_persist ​  ''//​** ​ <wrap em>​=</​wrap>​ <color #​646464>​File containing common names from client files, followed by static IP for device</​color>​ 
-</​WRAP>​ 
-++++ </​WRAP>​ 
-  - **Configure CCD files** 
-    - For each VPN client, a file must be created which exactly mirrors the common name of each client cert 
-      * File should contain an **''​ifconfig''​** command pushing a static IP to the client 
-        - **Client Certificate CN: //''​John Doe (OpenWrt VPNserver Client)''//​** 
-        - **Client File: //''/​etc/​openvpn/​clients/​John Doe (OpenWrt VPNserver Client)''//​** 
-        - **File Output: //''​ifconfig-push 10.1.0.6 255.255.255.240''//​**\\ \\ 
-  - **Configure IPP file** 
-    * One per line, each VPN client'​s CN needs to be specified, followed by their static IP 
-      - **IPP File: //''/​etc/​openvpn/​clients/​ipp.txt''//​** 
-      - **File Output: //''​John Doe (OpenWrt VPNserver Client),​10.1.0.6''//​**\\ \\ 
-  - **Restart OpenVPN:** <code bash>/​etc/​init.d/​openvpn stop && /​etc/​init.d/​openvpn start && tail -f /​tmp/​openvpn.log</​code>​ 
-  - **Connect with __each__ client to test** 
-++++ </​WRAP>​ 
-</​WRAP>​ 
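Review bot: step 3 ("Configure IPP file") has the reader hand-write ipp.txt, but ifconfig_pool_persist names a file the server itself maintains (rewritten periodically, every 600 seconds by default) to remember pool assignments across restarts; manual entries are overwritten and the file is not an access-control list. The binding of a CN to 10.1.0.6 comes from the ifconfig-push line in the CCD file of step 2, so step 3 should be dropped or reworded to describe ipp.txt as server-owned state. Second, OpenVPN sanitizes the certificate CN before using it as the CCD filename (characters outside letters, digits, '_', '-', '.' and '@' are replaced by '_'), so a file literally named "John Doe (OpenWrt VPNserver Client)" is unlikely to be matched; the example CN should avoid spaces and parentheses, and the "Connect with each client to test" step should tell the reader to confirm in /tmp/openvpn.log that the CCD file was actually read, since with ccd_exclusive an unmatched file silently rejects the client.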
- 
- 
-==== Log Output ==== 
- 
-<WRAP indent 75em lo> 
- 
-<WRAP 110%> ++++ CCD Disabled | 
-<wrap right>​**''/​tmp/​openvpn.log''​**</​wrap>​ 
-<color #​508CAA>​**Log Output w/ CCD Disabled**</​color>​ 
- 
-<code cpp> 
-root@OpenWrt ~ # cat /​tmp/​openvpn.log 
-Thu Oct 20 13:35:00 2016 us=668816 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] 
-Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 
-Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key 
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key'​ as a OpenVPN static key file 
-Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
-Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
-Thu Oct 20 13:35:00 2016 us=705387 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 100 bytes 
-Thu Oct 20 13:35:00 2016 us=705489 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 72 bytes 
-Thu Oct 20 13:35:00 2016 us=705535 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ] 
-Thu Oct 20 13:35:00 2016 us=705589 Socket Buffers: R=[87380->​327680] S=[16384->​327680] 
-Thu Oct 20 13:35:00 2016 us=706121 TUN/TAP device tun0 opened 
-Thu Oct 20 13:35:00 2016 us=706200 TUN/TAP TX queue length set to 100 
-Thu Oct 20 13:35:00 2016 us=706254 do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 
-Thu Oct 20 13:35:00 2016 us=706327 /sbin/ip link set dev tun0 up mtu 48000 
-Thu Oct 20 13:35:00 2016 us=708260 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15 
-Thu Oct 20 13:35:00 2016 us=713288 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ] 
-Thu Oct 20 13:35:00 2016 us=713438 GID set to nogroup 
-Thu Oct 20 13:35:00 2016 us=713500 UID set to nobody 
-Thu Oct 20 13:35:00 2016 us=713746 Listening for incoming TCP connection on [undef] 
-Thu Oct 20 13:35:00 2016 us=713811 TCPv4_SERVER link local (bound): [undef] 
-Thu Oct 20 13:35:00 2016 us=713857 TCPv4_SERVER link remote: [undef] 
-Thu Oct 20 13:35:00 2016 us=713922 MULTI: multi_init called, r=256 v=256 
-Thu Oct 20 13:35:00 2016 us=714000 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0 
-Thu Oct 20 13:35:00 2016 us=714070 MULTI: TCP INIT maxclients=1024 maxevents=1028 
-Thu Oct 20 13:35:00 2016 us=714678 Initialization Sequence Completed 
-</​code>​ ++++ </​WRAP>​ 
- 
-<WRAP 110%> ++++ CCD Enabled | 
-<wrap right>​**''/​tmp/​openvpn.log''​**</​wrap>​ 
-<color #​508CAA>​**Log Output w/ CCD Enabled**</​color>​ 
- 
-<code cpp> 
-root@OpenWrt ~ # cat /​tmp/​openvpn.log 
-Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] 
-Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 
-Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key 
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key'​ as a OpenVPN static key file 
-Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
-Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication 
-Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 100 bytes 
-Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters:​ Adjusting frame parameters for crypto by 72 bytes 
-Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ] 
-Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->​327680] S=[16384->​327680] 
-Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened 
-Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100 
-Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig,​ tt->​ipv6=0,​ tt->​did_ifconfig_ipv6_setup=0 
-Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000 
-Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15 
-Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ] 
-Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup 
-Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody 
-Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef] 
-Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef] 
-Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef] 
-Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256 
-Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0 
-Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(),​ in='​vpn-client1-foobar1-device1,​10.1.0.5',​ TODO: IPv6 
-Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set() 
-Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(),​ in='​John Doe (OpenWrt VPNserver Client),​10.1.0.6',​ TODO: IPv6 
-Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set() 
-Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST 
-Thu Oct 20 13:35:30 2016 us=715287 vpn-client1,​10.1.0.5 
-Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),​10.1.0.6 
-Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028 
-Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed 
-</​code>​ ++++ </​WRAP>​ 
-</​WRAP>​ 
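Review bot: both log samples contradict the configuration they illustrate. They report "OpenVPN 2.3.11" although the encryption notes rely on 2.4 behaviour, and they show "Listening for incoming TCP connection" and "TCPv4_SERVER" although the published config sets option proto 'udp'. The CCD-enabled sample is also redacted inconsistently: ifconfig_pool_read() reports 'vpn-client1-foobar1-device1,10.1.0.5' but the pool list two lines later prints 'vpn-client1,10.1.0.5'. Recapture both logs from the config as published (or state the version and protocol they were taken from); as they stand, only the "L:48104" MTU line corresponds to the tun_mtu 48000 setting a reader is told to expect.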
- 
-</​WRAP>​ 
- 
- 
-===== VPN Clients ===== 
- 
-<WRAP indent> 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[https://​play.google.com/​store/​apps/​details?​id=de.blinkt.openvpn&​hl=en|OpenVPN for Android]]</​wrap>​ 
-</​WRAP>​ 
-==== Android ==== 
- 
-<WRAP indent 77em lo> 
- 
-<WRAP box> 
-<color #​508CAA>​**Client Information**</​color>​ 
- 
-<WRAP centeralign><​color #​960000>​**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //​imperative//,​ for the security of the VPN, to ensure the certificate key is encrypted as specified under [[docs:​guide-user:​services:​vpn:​openssl.certs#​clients|Client Certs]]</​color></​WRAP>​ 
- 
-  - **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\ 
-  - **PKCS12 certs are installed into the //Android Keychain//​** 
-    - As a security feature, a warning toast will always appear in the notification area due to user installed certs 
-      * This toast can be removed if you have a rooted device via: 
-        - <​WRAP>​ ++++ Toast Removal | 
-<wrap right button>​[[http://​wiki.cacert.org/​FAQ/​ImportRootCert#​Android_Phones_.26_Tablets|CAcert Wiki]] ​ [[https://​github.com/​JW0914/​Wikis/​blob/​master/​OpenVPN/​Documentation/​Android%20Certificate%20Toast%20Removal.pdf|PDF]]</​wrap>​ 
-<color #​508CAA>​**Certificate Warning Toast Removal**</​color>​ 
- 
-  - If **''/​system/​etc/​security/​cacerts.bks''​** exists on your device, refer to //CAcert Wiki//, then continue\\ \\ 
-  - Move certificate from userland to system 
-    - <​WRAP>​ ++++ Method 1 | 
-<color #​789600>​**Method 1:​**</​color>​ 
-      - **Add certificate to Android Keychain** 
-        - **//​Settings//​ -> //​Security//​ -> //Install from Storage//​**\\ \\ 
-      - **Move certificate from userland to system trusted** 
-        - **Android < 5.0:** 
-          - Move new file 
-            - <color #​960000>​**From:​**</​color>​ **''/​data/​misc/​keychain/​cacertsadded/''​** 
-            - <color #​789600>​**To:​**</​color>​ **''/​system/​etc/​security/​cacerts/''​**\\ \\ 
-        - **Android > 5.0:** 
-          - Move new file 
-            - <color #​960000>​**From:​**</​color>​ **''/​data/​misc/​user/​0/​cacerts-added/''​** 
-            - <color #​789600>​**To:​**</​color>​ **''/​system/​etc/​security/​cacerts/''​**\\ \\ 
-++++ </​WRAP>​ 
-    - <​WRAP>​ ++++ Method 2 | 
-<color #​789600>​**Method 2:​**</​color>​ 
-      - **Save certificate with ''​.pem''​ extension**\\ \\ 
-      - **Garnish subject of certificate:​** <code bash>​openssl x509 -inform PEM -subject_hash -in 0b112a89.0</​code>​ 
-          * Should be similar to: **''​0b112a89''​**\\ \\ 
-      - **Save certificate as text:** <code bash>​openssl x509 -inform PEM -text -in 0b112a89.0 > 0b112a89.0.txt</​code>​ 
-      - **Swap PEM section and text:** 
-        -**//''​-----BEGIN CERTIFICATE-----''//​** must be at top of file\\ \\ 
-      - **Rename file:** **''​0b112a89.0''​** 
-        - Replace with subject from **//Step ii//**\\ \\ 
-      - **Copy file to: ''/​system/​etc/​security/​cacerts/''​**\\ \\ 
-      - **Set permissions:​** <code bash>​chmod 644 0b112a89.0</​code>​ 
-      - **Certificate should be listed under:** 
-        - **//​Settings//​ -> //​Security//​ -> //Trusted Credentials//​ - //​System//​**\\ \\ 
-        - If it's still under **//​User//​**:​ 
-          - **Disable/​Re-Enable certificate in Android Settings** 
-            - This creates a file in: **''/​data/​misc/​keychain/​cacertsadded/''​** 
-            - Move that file to: **''​system/​etc/​security/​cacerts/''​** 
-            - Delete original file from **//Step vi//**\\ \\ 
-++++ </​WRAP>​ 
-++++ </​WRAP>​ 
-    - Another option is to include all certs & keys via inline XML within the client config file 
-      * //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
-  - **Rather than utilizing inline XML, one can:** 
-    - <​WRAP>​ ++++ Reference the tls-auth.key | 
-      - <color #​960000>​**//​Remove://​**</​color>​ <code cpp> 
-# Encryption # 
-#​------------------------------------------------ 
-key-direction 1 
- 
-<​tls-auth>​ 
------BEGIN OpenVPN Static key V1----- 
-#​PASTED-KEY-INLINE-HERE#​ 
------END OpenVPN Static key V1----- 
-</​tls-auth></​code>​ 
-      - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-# Encryption # 
-#​------------------------------------------------ 
-tls-auth ​   '/​path/​to/​tls-auth.key 1' 
-</​code>​ 
-++++ </​WRAP>​ 
- 
- 
-<​WRAP>​ ++++ KNOWN ISSUES: | 
-  - <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​ <​WRAP>​ ++++ Reference individual Certs | 
-    - If your device is affected, you will need to reference your individual certs in your Server Config 
-      - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-  # Encryption # 
-#​------------------------------------------------ 
-ca      '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
-cert    '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
-key     '/​sdcard/​openvpn/​vpn-client1.key.pem'​ 
-</​code>​ 
-++++ </​WRAP>​ 
-  - <color #​960000>​**Some Android devices are not able to utilize certain tuning options**</​color>​ 
-    - **//''​fragment 0''//​** 
-      - <color #​789600>​**//​Solution://​**</​color>​ Remove from client and server configs 
-        - **Affected:​** OnePlusOne Devices 
-        - **Firmware:​** Certain Android 6 [Marshmallow] ROMs 
-++++ </​WRAP>​ 
-</​WRAP>​ 
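Review bot: the known-issue fold says to reference the individual certs "in your Server Config", but the three lines it adds (ca, cert and key under /sdcard/openvpn/) are client-side files, so this must read "Client Config". In toast-removal Method 2, "openssl x509 -inform PEM -subject_hash -in 0b112a89.0" reads a file named after the hash it is meant to compute; step 1 saved the certificate with a .pem extension, so the -in argument should be that .pem file, and the printed hash is then used for the rename in step v. "Garnish subject" should be "Obtain the subject hash". The warning at the top of this section is the security point that matters: anything on /sdcard is readable by every app holding storage permission, so a private key kept there must be encrypted as stated, and the PKCS12-in-keychain route the section recommends is preferable because it keeps the key out of /sdcard entirely.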
- 
- 
-<​WRAP>​ ++++ VPNserver.ovpn | 
-<wrap right>​**''/​sdcard/​openvpn/​vpnserver.ovpn''​**</​wrap>​ 
-<color #​508CAA>​**Android Client Config**</​color>​ 
- 
-<code cpp> 
-    # Config Type # 
-#​------------------------------------------------ 
-client 
- 
-    # Connection ​ # 
-#​------------------------------------------------ 
-dev tun 
-proto udp 
-remote your.ddns.com 5000 
- 
-    # Speed # 
-#​------------------------------------------------ 
-mssfix 0 
-fragment 0 
-tun-mtu 48000 
- 
-    # Reliability # 
-#​------------------------------------------------ 
-float 
-nobind 
-comp-lzo 
- 
-persist-key 
-persist-tun 
-resolv-retry infinite 
- 
-    # Encryption # 
-#​------------------------------------------------ 
-auth SHA512 
-auth-nocache 
- 
-# --- SSL --- # 
-cipher AES-128-CBC 
- 
-# --- TLS --- # 
-key-direction 1 
-tls-version-min 1.2 
- 
-remote-cert-eku 'TLS Web Server Authentication'​ 
- 
-<​tls-auth>​ 
------BEGIN OpenVPN Static key V1----- 
-#​PASTE-KEY-INLINE-HERE#​ 
------END OpenVPN Static key V1----- 
-</​tls-auth>​ 
- 
-    # Logging # 
-#​------------------------------------------------ 
-verb 5 
-</​code>​ 
-++++ </​WRAP>​ 
- 
- 
-<WRAP indent> ++++ Inline XML | 
-<wrap right>​**''/​sdcard/​openvpn/​vpnserver.ovpn''​**</​wrap>​ 
-<color #​508CAA>​**Referencing Certs via Inline XML**</​color>​ 
- 
-  - **If not using a PKCS12 cert imported into the Android KeyChain:** 
-    - <color #​960000>​**//​Remove://​**</​color>​ <code cpp> 
-    # Encryption # 
-#​------------------------------------------------ 
-ca        '/​sdcard/​openvpn/​OpenWrt-OpenVPN_ICA-Chain.crt.pem'​ 
-cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ 
-key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​ 
-tls-auth ​ '/​path/​to/​tls-auth.key 1' </​code>​ 
-    - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-    # Encryption # 
-#​------------------------------------------------ 
- 
-# --- TLS --- # 
-key-direction 1 
- 
-<ca> 
-#​PASTE-CA-CERT-INLINE-HERE#​ 
-</ca> 
- 
-<​cert>​ 
-#​PASTE-VPN-SERVER-CERT-INLINE-HERE#​ 
-</​cert>​ 
- 
-<key> 
-#​PASTE-VPN-SERVER-KEY-INLINE-HERE#​ 
-</​key>​ 
- 
-<​tls-auth>​ 
------BEGIN OpenVPN Static key V1----- 
-#​PASTE-KEY-INLINE-HERE#​ 
------END OpenVPN Static key V1----- 
-</​tls-auth>​ </​code>​ 
-++++ </​WRAP>​ 
- 
-</​WRAP>​ 
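Review bot: the inline-XML placeholders are mislabelled. '#PASTE-VPN-SERVER-CERT-INLINE-HERE#' and '#PASTE-VPN-SERVER-KEY-INLINE-HERE#' sit inside the <cert> and <key> blocks of a client .ovpn, where the client's own certificate and key belong; the file-based lines removed just above reference vpn-client1.crt.pem and vpn-client1.key.pem, not server material. Relabel them as the client cert and key, otherwise a reader who follows the placeholder text copies the server's private key onto a phone.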
- 
- 
-<WRAP 77em lo> 
-<wrap button right>​[[https://​openvpn.net/​index.php/​open-source/​downloads.html|OpenVPN Client]]</​wrap>​ 
-</​WRAP>​ 
-==== BSD/Linux ==== 
- 
-<WRAP indent 77em lo> 
-<color #​508CAA>​**Client Information**</​color>​ 
- 
-  * Due to the sheer number of distros & variances from one to the other, only the client config is being provided 
- 
-<​WRAP>​ ++++ VPNserver.conf | 
-<wrap right>​**''/​etc/​openvpn/​vpnserver.ovpn''​**</​wrap>​ 
-<color #​508CAA>​**Linux/​BSD Client Config**</​color>​ 
- 
-<code cpp> 
-# Config Type # 
-#​------------------------------------------------ 
-client 
- 
-# Connection ​ # 
-#​------------------------------------------------ 
-dev tun 
-proto udp 
-remote your.ddns.com 5000 
- 
-# Speed # 
-#​------------------------------------------------ 
-mssfix 0 
-fragment 0 
-tun-mtu 48000 
- 
-# Reliability # 
-#​------------------------------------------------ 
-float 
-nobind 
-comp-lzo 
- 
-persist-key 
-persist-tun 
-resolv-retry infinite 
- 
-    # Encryption # 
-#​------------------------------------------------ 
-auth SHA512 
-auth-nocache 
- 
-# --- SSL --- # 
-cipher AES-128-CBC 
- 
-# --- TLS --- # 
-key-direction 1 
-tls-version-min 1.2 
- 
-pkcs12 '/​etc/​ssl/​openvpn/​vpn-client1.p12'​ 
-remote-cert-eku 'TLS Web Server Authentication'​ 
- 
-<​tls-auth>​ 
------BEGIN OpenVPN Static key V1----- 
-#​PASTE-KEY-INLINE-HERE#​ 
------END OpenVPN Static key V1----- 
-</​tls-auth>​ 
- 
-# Logging # 
-#​------------------------------------------------ 
-verb 5 
-</​code>​ 
-++++ </​WRAP>​ 
-</​WRAP>​ 
- 
- 
-<WRAP 77em lo> 
-<wrap button right>​[[https://​openvpn.net/​index.php/​open-source/​downloads.html|OpenVPN Client]]</​wrap>​ 
-</​WRAP>​ 
-==== Windows ==== 
- 
-<WRAP indent 77em lo> 
-<color #​508CAA>​**Windows Client Information**</​color>​ 
- 
-  - **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced** 
-    - You must use double backslashes for the path: **''​%UserProfile%\\.ovpn\\OpenWrt\\VPN-Client1.p12''​** 
- 
-<​WRAP>​ ++++ VPNserver.ovpn | 
-<wrap right>​**''​%UserProfile%\.ovpn\OpenWrt\VPNserver.ovpn''​**</​wrap>​ 
-<color #​508CAA>​**Windows Client Config**</​color>​ 
- 
-<code cpp> 
-# Config Type # 
-#​------------------------------------------------ 
-client 
- 
-# Connection ​ # 
-#​------------------------------------------------ 
-dev tun 
-proto udp 
-remote your.ddns.com 5000 
- 
-# Speed # 
-#​------------------------------------------------ 
-mssfix 0 
-fragment 0 
-tun-mtu 48000 
- 
-# Reliability # 
-#​------------------------------------------------ 
-float 
-nobind 
-comp-lzo 
- 
-persist-key 
-persist-tun 
-resolv-retry infinite 
- 
-    # Encryption # 
-#​------------------------------------------------ 
-auth SHA512 
-auth-nocache 
- 
-# --- SSL --- # 
-cipher AES-128-CBC 
- 
-# --- TLS --- # 
-key-direction 1 
-tls-version-min 1.2 
- 
-pkcs12 "​%UserProfile%\\.ovpn\\OpenWrt\\VPN-Client1.p12"​ 
-remote-cert-eku "TLS Web Server Authentication"​ 
- 
-<​tls-auth>​ 
------BEGIN OpenVPN Static key V1----- 
-#​PASTE-KEY-INLINE-HERE#​ 
------END OpenVPN Static key V1----- 
-</​tls-auth>​ 
- 
-# Logging # 
-#​------------------------------------------------ 
-verb 5 
-</​code>​ 
-++++ </​WRAP>​ 
-</​WRAP>​ 
- 
-</​WRAP>​ 
- 
----- 
- 
----- 
- 
- 
-===== Optional ===== 
- 
-<WRAP indent> 
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[https://​www.gnupg.org/​|GnuPG]]</​wrap>​ 
-</​WRAP>​ 
-==== Backup & Import ==== 
- 
-<WRAP indent 77em lo> 
-<WRAP centeralign><​wrap safety>​GnuPG is a great tool for managing CAs and client certificates</​wrap></​WRAP>​ 
-<color #​508CAA>​**Configure Backup**</​color>​ 
- 
-  - **Apply correct permissions:​** <code bash>​chmod 600 /​etc/​ssl/​ca/​* /​etc/​ssl/​ca/​csr/​* /​etc/​ssl/​crl/​* /​etc/​ssl/​openvpn/​* /​etc/​ssl/​openvpn/​clients/​* 
-chmod 644 /​etc/​ssl/​ca/​*.crt* /​etc/​ssl/​openvpn/​*.crt* /​etc/​ssl/​openvpn/​clients/​*.crt* /​etc/​ssl/​crl/​*.crl</​code>​ 
-  - **//​Optional://​** 
-    - <​WRAP>​ ++++ Encrypt with GnuPG | 
-<wrap right button>​[[https://​www.gnupg.org/​documentation/​manuals/​gnupg/​Operational-GPG-Commands.html#​Operational-GPG-Commands| GPG Man]]</​wrap>​ 
-<wrap right button>​[[https://​www.gnupg.org/​documentation/​manuals/​gnupg/​OpenPGP-Key-Management.html#​OpenPGP-Key-Management| GPG Key Management]]</​wrap>​ 
-<wrap right button>​[[https://​www.gnupg.org/​documentation/​manuals/​gnupg/​|GPG Docs]]</​wrap>​ 
-      - **Utilize GnuPG to encrypt a copy of ''/​etc/​ssl/''​**\\ \\ 
-      - **Create separate encryption tars for:** 
-          - **''/​etc/​ssl/​ca/''​** 
-          - **''/​etc/​ssl/​openvpn/''​** 
-          - **''/​etc/​ssl/​openvpn/​clients/''​**\\ \\ 
-        - **After creating encrypted backups:** 
-          - Copy PKCS12s to their respective clients 
-          - Erase //​(preferably securely)// unencrypted client, CA, & ICA keys and PKCS12s\\ \\ 
-++++ </​WRAP>​ 
-  - **Add directories & files to** **''/​etc/​sysupgrade.conf''​** <code bash>vi /​etc/​sysupgrade.conf</​code>​ 
-      - <color #​789600>​**//​Add://​**</​color>​ 
-        * **''/​etc/​config/''​** 
-        * **''/​etc/​openvpn/''​** 
-        * **''/​etc/​ssl/''​** 
-        * **''/​etc/​firewall.user''​** 
-        * **''/​etc/​sysupgrade.conf''​**\\ \\ 
-      - <​WRAP>​ ++++ /​etc/​sysupgrade.conf | 
-<code cpp> 
-# LuCI: System - Backup/​Flash Firmware - Configuration 
- 
-  # Directories # 
-#​--------------------------------------------------- 
-/​etc/​config/​ 
-/​etc/​openvpn/​ 
-/etc/ssl/ 
- 
-  # Files # 
-#​--------------------------------------------------- 
-/​etc/​firewall.user 
-/​etc/​sysupgrade.conf 
-</​code>​ ++++ </​WRAP>​ 
-</​WRAP>​ 
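Review bot: the permission step (chmod 600 on CA, CRL, OpenVPN and client key material, 644 on certificates and the CRL) only coexists with the server config's option user 'nobody' because OpenVPN loads dh, pkcs12 and tls_auth as root before dropping privileges and option persist_key 1 keeps them in memory across SIGUSR1 restarts; one sentence saying so would stop readers from loosening the modes when a restart fails. Also, the sysupgrade.conf step preserves all of /etc/ssl/, including /etc/ssl/ca/, so the CA and ICA private keys land in every sysupgrade backup archive unless the "Erase unencrypted ... keys" sub-step was actually carried out first. Make the order explicit (encrypt, copy off, erase the CA keys, then add /etc/ssl/ to sysupgrade.conf) or exclude /etc/ssl/ca/ from the backup list.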
- 
- 
-<WRAP 77em lo> 
-<wrap right button>​[[https://​openvpn.net/​index.php/​open-source/​documentation/​howto.html#​redirect|Gateway Redirect]]</​wrap>​ 
-</​WRAP>​ 
-==== Redirect Gateway ==== 
- 
-<WRAP indent> 
-<WRAP centeralign 77em lo><​wrap safety>​It'​s recommended to read Gateway Redirect **//prior to//** continuing</​wrap></​WRAP>​ 
- 
- 
-===  Same Subnet === 
- 
-<WRAP 75em lo> 
-  - <​WRAP>​ ++++ Modify Forwarding | 
-<wrap right>​**''/​etc/​config/​firewall''​**</​wrap>​ 
-<color #​508CAA>​**LAN & InterZone Forwarding**</​color>​ 
- 
-    - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-#::: Zones :::# 
-# LuCI: Network - Firewall - Zones 
- 
-# Add: LAN Masquerade # 
-#​------------------------------------------------ 
-config zone 
-    option ​ name            '​lan'​ 
-    option ​ network ​        '​lan'​ 
-    option ​ input           '​ACCEPT'​ 
-    option ​ output ​         '​ACCEPT'​ 
-    option ​ forward ​        '​DROP'​ 
-    option ​ masq            1</​code>​ 
-    - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-#::: InterZone Forwarding :::# 
-# LuCI: Network -> Firewall -> Zones -> VPN - Edit - Inter-Zone Forwarding 
- 
-# Allow Forwarding VPN -> WAN # 
-#​------------------------------------------------ 
-config forwarding 
-    option ​ dest            '​wan'​ 
-    option ​ src             '​vpn'</​code>​ 
-    - **Commit Changes:** <code bash>/​etc/​init.d/​firewall restart</​code>​ 
-++++ </​WRAP>​ 
-  - <​WRAP>​ ++++ Modify Routes | 
-<wrap right>​**''/​etc/​config/​openvpn''​**</​wrap>​ 
-<color #​508CAA>​**Pushed Routes**</​color>​ 
- 
-    - <color #​960000>​**//​Remove://​**</​color>​ <code cpp> 
-    list    push                '​dhcp-option ​       DNS 208.67.222.123'​ 
-    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​ 
-    - <color #​789600>​**//​Add://​**</​color>​ <code cpp> 
-    list    push                '​redirect-gateway ​  def1 local' 
-    list    push                '​dhcp-option ​       DNS 10.1.0.1'</​code>​ 
-    - **Commit Changes:** <code bash>/​etc/​init.d/​openvpn restart</​code>​ 
-++++ </​WRAP>​ 
-</​WRAP>​ 
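Review bot: the pushed 'redirect-gateway def1 local' carries the local flag, which tells the client to skip the host route to the server's address via its original gateway; that is only correct when client and server share a subnet (hence "Same Subnet"), and a WAN client that receives it will try to send its own tunnel packets into the tunnel once the default route is replaced. Since remote clients are the main use case of this page, say explicitly that WAN clients need 'redirect-gateway def1' without local, or that this subsection applies to on-LAN clients only. Two smaller points: the lan zone is rewritten with option forward 'DROP', which changes the OpenWrt default of ACCEPT for forwarding between every network in the lan zone, not just for VPN traffic, and should be called out; and 'dhcp-option DNS 10.1.0.1' only works if the router's resolver listens on the tun0 address and the firewall admits DNS from the vpn zone to the router, which this fold should state as a prerequisite.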
- 
-</​WRAP>​ 
-</​WRAP>​ 
- 
----- 
- 
----- 
- 
- 
-===== Troubleshooting ===== 
- 
-<WRAP indent 77em lo> 
-If asking for help in a forum, please perform the following steps to include in your initial post: 
-  - **Server** 
-    - **''/​etc/​config/​openvpn'':​** 
-      - **//''​verb 5''//​** 
-      - **//''​proto tcp''//​** 
-    - **''/​etc/​config/​firewall'':​** 
-      - Change OpenVPN rules to **//''​proto 'tcp udp'''//​** <WRAP 43em><​code bash>cd /etc/init.d && ./firewall reload && ./openvpn restart</​code></​WRAP>​ 
-  - **Client:** 
-    - **''​client.ovpn'':​** 
-      - **//''​verb 7''//​** 
-      - **//''​proto tcp''//​** 
-    - Disconnect client, then reconnect\\ \\ 
-  - Once client connect attempt fails, please post your client and server logs, as well as the configs for each 
-    - //Ensure WAN IP, DDNS, and port # are removed from configs and logs// 
-      - **Server Log: ''/​tmp/​openvpn.log''​** 
-      - **Client Log:** 
-        - **Windows:​** Right click on **OpenVPN tray icon** -> **View Log** 
-        - **BSD/​Linux:​** Refer to **''​client.ovpn''​** 
-</​WRAP>​ 
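Review bot: the troubleshooting steps switch the server to proto tcp and verb 5 and widen the firewall rules to proto 'tcp udp', but there is no step to revert any of it; leaving the rules at 'tcp udp' and the server on TCP after the debugging session changes both the exposed surface and the performance profile the page otherwise tuned for UDP. Add a final step that restores proto udp, the original verb, and the UDP-only rules, followed by the same reload commands. The scrubbing advice should also cover more than WAN IP, DDNS name and port: at these verbosity levels the logs contain the certificate subjects and CNs of every connecting client and the pushed LAN routes, which are worth removing before posting in a public forum.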
- 
- 
-===== VPN Wikis ===== 
- 
-<WRAP indent> 
- 
- 
-==== OpenSSL ==== 
- 
-<WRAP box indent 77em lo> 
-<WRAP half column> 
-<color #​508CAA>​**OpenSSL Guides:​**</​color>​ 
- 
-  * [[https://​www.openssl.org/​docs/​|OpenSSL Documents]] 
-  * [[https://​www.openssl.org/​docs/​apps/​openssl.html|OpenSSL Man Page]] 
-  * [[https://​www.openssl.org/​docs/​standards.html|OpenSSL RFC Standards]] 
-</​WRAP>​ 
- 
-<WRAP half Column> 
-<color #​508CAA>​**OpenSSL Wiki:​**</​color>​ 
- 
-  * [[https://​wiki.openssl.org/​index.php/​Main_Page|OpenSSL Wikis]] 
-</​WRAP>​ 
-</​WRAP>​ 
- 
- 
-==== OpenVPN ==== 
- 
-<WRAP box indent 77em lo>
-<WRAP half Column>
-<color #508CAA>**Android:**</color>
-
-  * [[https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html|OpenVPN on Android]]
-  * [[http://forum.xda-developers.com/google-nexus-5/help/howto-install-custom-cert-network-t2533550|Remove "Your Network Could be Monitored" Toast]]
-  * [[http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones|Trust CA cert's Root Certificate]]
-
-
-<color #508CAA>**Guides:**</color>
-
-<WRAP indent><wrap safety>Highly Recommended</wrap></WRAP>
-    * [[https://openvpn.net/index.php/open-source/documentation/howto.html|OpenVPN HowTo]]
-    * [[https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage|OpenVPN Man Page]]
-</WRAP>
-
-<WRAP half Column>
-<color #508CAA>**If Requiring Help:**</color>
-
-  * [[https://forums.openvpn.net/|OpenVPN Forum]]
-
-
-<color #508CAA>**Tuning:**</color>
-
-    * [[http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/|Buffer Tuning]]
-    * [[https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux|MTU Tuning]]
-</WRAP>
-</WRAP>
- 
- 
-==== OpenWrt ==== 
- 
-<WRAP box indent 77em lo>
-<WRAP half Column>
-<color #508CAA>**If Requiring Help:**</color>
-
-    * [[https://forum.openwrt.org|OpenWrt Forum]]
-</WRAP>
-
-<WRAP half Column>
-<color #508CAA>**Wikis:**</color>
-
-  * [[docs:guide-user:services:vpn:openvpn:start|OpenVPN Start]]\\ \\
-  * <WRAP> ++++ Servers |
-  * [[docs:guide-user:services:vpn:openvpn:server.setup|OpenVPN (Server Setup)]]
-  * [[docs:guide-user:services:vpn:openvpn:server.tap|OpenVPN Server (Layer 2: TAP)]]
-  * [[docs:guide-user:services:vpn:openvpn:server.tun|OpenVPN Server (Layer 3: TUN)]]\\ \\
-++++ </WRAP>
-  * <WRAP> ++++ Clients |
-  * [[docs:guide-user:services:vpn:openvpn:client|OpenVPN Client]]
-  * [[docs:guide-user:services:vpn:openvpn:serverandclient|OpenVPN Client & Server (Simultaneously)]]
-  * [[docs:guide-user:services:vpn:openvpn:client.tun|OpenVPN Client (Layer 3: TUN)]]
-++++ </WRAP>
-</WRAP>
-</WRAP>
-
-</WRAP>
- 
- 
- 
----- 
- 
- 
-===== Notes ===== 
- 
-<WRAP 79em lo>
-  * **The answer to any question about an OpenVPN client or server configuration is contained within the** [[docs:guide-user:services:vpn:openvpn:server.comprehensive#vpn_wikis|VPN Wiki]] **or** [[docs:guide-user:services:vpn:openvpn:server.comprehensive#openssl|OpenSSL]] **sections**
-  * If you still cannot find a solution to your issue, post a question in the applicable device or topic thread in the [[docs:guide-user:services:vpn:openvpn:server.comprehensive#openvpn|OpenVPN]] or [[docs:guide-user:services:vpn:openvpn:server.comprehensive#openwrt|OpenWrt]] forums
-</WRAP>