redfast00 edited this page Mar 19, 2018 · 13 revisions

PiVPN Wiki

Testing

Can install from test branch via curl -L http://install-test.pivpn.io | TESTING=1 bash

Updating OpenVPN to newer version

If you installed an earlier version of pivpn and wish to update OpenVPN to a newer version (> 2.4.3) just do the following steps:

sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable [osrelease] main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

where [osrelease] should be replaced with:

  • wheezy (Debian 7.x)
  • jessie (Debian 8.x)
  • precise (Ubuntu 12.04)
  • trusty (Ubuntu 14.04)
  • xenial (Ubuntu 16.04)

More information can be found here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

Setting up static IP for clients

  1. Add this line client-config-dir /etc/openvpn/ccd in /etc/openvpn/server.conf

  2. Create client config directory sudo mkdir /etc/openvpn/ccd

  3. Fix permissions sudo chown -R pi:nogroup /etc/openvpn/ccd (Make sure to enter correct username, in this case it was pi)

  4. Adding clients. sudo nano /etc/openvpn/ccd/exampleuser (Add clients with their common name, in this case exampleuser.ovpn)

  5. Configuring static IP. Add this line ifconfig-push 10.8.0.3 255.255.255.0 to /etc/openvpn/ccd/exampleuser

  6. Restart openvpn sudo service openvpn restart

(Here 10.8.0.3 is going to be static IP for user exampleuser, if you want to configure additional users, repeat from step 4)

Note: You have to assign static IP for all clients in order to avoid IP address conflict

DynDns

Refer to: https://help.dyn.com/ddclient/

apt-get install ddclient

and then this is my example conf in /etc/ddclient.conf

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

ssl=yes
protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=username
password='password'
mydyn.domain.com

If you use a namecheap domain your ddclient setup can be found here.

OpenVPN Technical Information

Info on TLS

'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:

The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets. The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel. Both these channels are duplexed over a single TCP or UDP port.

--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.

And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.

(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)

If I wanted to specify ciphers, this is the list I'd use (I think): TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Tutorials

Here is a decent video tutorial. Note: I don't think you'd have to do anything with iptables as he shows. This shows connecting with Windows client.

Further Help

Trouble connecting over mobile data? Try this

Check any closed issues with the information label!

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.