Changes

Template:Networking rutos manual vpn (view source)

Revision as of 08:48, 23 April 2024

3,829 bytes removed , 23 April

no edit summary

Line 73: Line 73:

<tr>

<td>Enable OpenVPN config from file</td>

−

<td>off {{!}} on; default: off</td>

+

<td>off {{!}} on; default: off</td>

<td>Enables or disables custom OpenVPN config from file.</td>

</tr>

<tr>

−

<td>OpenVPN configuration file</td>

+

<td>OpenVPN configuration file</td>

<td>-(interactive button)</td>

<td>Upload OpenVPN configuration. Warning! This will overwrite your current configuration.</td>

</tr>

<tr>

−

<td>Upload OpenVPN authentications files</td>

+

<td>Upload OpenVPN authentications files</td>

<td>off {{!}} on; default: off</td>

<td>Upload OpenVPN authentication files, which will be automatically included in configuration.</td>

Line 145: Line 145:

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~: TLS cipher</td>

+

<td>TLS: TLS cipher</td>

−

<td>All {{!}} ~~~~DHE+RSA~~~~ {{!}} ~~~~Custom~~~~; default: All</td>

+

<td>All {{!}} DHE+RSA {{!}} Custom; default: All</td>

<td>Packet encryption algorithm cipher.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~</span~~>: Allowed TLS ciphers~~</td>

+

<td>TLS: Allowed TLS ciphers</td>

−

<td>~~Custom~~ {{!}} ~~TLS-~~DHE-RSA~~-WITH-AES-256-GCM-SHA384~~ {{!}} TLS-DHE-RSA-WITH-AES-256-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 {{!}} TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA {{!}} TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 {{!}} TLS-DHE-RSA-WITH-AES-128-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 {{!}} TLS-DHE-RSA-WITH-SEED-CBC-SHA {{!}} TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA {{!}} TLS-DHE-RSA-WITH-DES-CBC-SHA; default: All</td>

+

<td>All {{!}} DHE+RSA {{!}} Custom; default: All</td>

−

<td>~~Specific cyphers to use. Only 6 can be selected at a time~~.</td>

+

<td>A list of TLS ciphers accepted by this connection.</td>

</tr>

<tr>

Line 205: Line 205:

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password:Use PKCS #12 format</td>

+

<td>TLS/Password:Use PKCS #12 format</td>

<td>off {{!}} on; default: off</td>

<td>Turn PKCS #12 format on or off.</td>

Line 220: Line 220:

</tr>

<tr>

−

<td>~~Authentication~~ algorithm</td>

+

<td>TLS/Password: HMAC authentication algorithm</td>

−

<td>none ~~{{!}} MD5~~ {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: SHA1</td>

+

<td>none {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: SHA1</td>

<td>HMAC authentication algorithm type.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password:Additional HMAC authentication</td>

+

<td>TLS/Password:Additional HMAC authentication</td>

<td>off {{!}} on; default: off</td>

<td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password: HMAC authentication key</td>

+

<td>TLS/Password: HMAC authentication key</td>

<td>.key file; default: none</td>

<td>Uploads an HMAC authentication key file.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password: HMAC key direction</td>

+

<td>TLS/Password: HMAC key direction</td>

<td>0 {{!}} 1 {{!}} none; default: 1</td>

<td>The value of the key direction parameter should be complementary on either side (client and server) of the connection. If one side uses 0, the other side should use 1, or both sides should omit the parameter altogether.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password: Certificate authority</td>

+

<td>TLS/Password: Certificate authority</td>

<td>.ca file; default: none</td>

<td>Certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~: Client certificate</td>

+

<td>TLS: Client certificate</td>

<td>.crt file; default: none</td>

<td>Client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server. Client certificates play a key role in many mutual authentication designs, providing strong assurances of a requester's identity.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~:Client key</td>

+

<td>TLS: Client key</td>

<td>.key file; default: none</td>

<td>Authenticates the client to the server and establishes precisely who they are.</td>

</tr>

<tr>

−

<td>TLS~~/Config File~~: Private key decryption password (optional)</td>

+

<td>TLS: Private key decryption password (optional)</td>

<td>string; default: none</td>

<td>A password used to decrypt the server's private key. Use only if server's .key file is encrypted with a password.</td>

Line 271: Line 271:

<ul>

<li>Red for Authentication: TLS</li>

−

~~<li>Olive for Authentication: TLS/Password</li>~~

<li>Purple for Authentication: Static key</li>

<li>Blue for Authentication: Password</li>

−

~~<li>Brown for OpenVPN config from file</li>~~

</ul>

</li>

Line 301: Line 299:

<td>Turns the OpenVPN instance on or off.</td>

</tr>

−

<tr>

+

<tr>

<td>Enable OpenVPN config from file</td>

−

<td>off {{!}} ~~~~on~~~~; default: off</td>

+

<td>off {{!}} on; default: off</td>

<td>Enables or disables custom OpenVPN config from file.</td>

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>OpenVPN configuration file</td>~~

−

~~<td>-(interactive button)</td>~~

−

~~<td>Upload OpenVPN configuration. Warning! This will overwrite your current configuration.</td>~~

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>Upload OpenVPN authentications files</td>~~

−

~~<td>off {{!}} on; default: off</td>~~

−

~~<td>Upload OpenVPN authentication files, which will be automatically included in configuration.</td>~~

</tr>

<tr>

−

<td>TUN (tunnel) {{!}} ~~~~TAP (bridged)~~~~; default: TUN (tunnel)</td>

+

<td>TUN (tunnel) {{!}} TAP (bridged); default: TUN (tunnel)</td>

<td>Virtual network device type.

<ul>

Line 325: Line 313:

</ul>

</td>

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>Bridge</td>~~

−

~~<td>Bridge interface for TAP; default: br-lan</td>~~

−

~~<td>Assign a TAP interface to a bridge.</td>~~

</tr>

<tr>

Line 351: Line 334:

<td>Turns LZO data compression on or off.</td>

</tr>

−

<tr>

+

<tr>

+

<td>Encryption</td>

+

<td>DES-CBC 64 {{!}} RC2-CBC 128 {{!}} DES-EDE-CBC 128 {{!}} DES-EDE3-CBC 192 {{!}} DESX-CBC 192 {{!}} BF-CBC 128 {{!}} RC2-40-CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-64CBC 64 {{!}} AES-128-CBC 128 {{!}} AES-128-CFB 128 {{!}} AES-128-CFB1 128 {{!}} AES-128-CFB8 128 {{!}} AES-128-OFB 128 {{!}} AES-128-GCM 128 {{!}} AES-192-CBC 192 {{!}} AES-192-CFB 192 {{!}} AES-192-CFB1 192 {{!}} AES-192-CFB8 192 {{!}} AES-192-OFB 192 {{!}} AES-192-GCM 192 {{!}} AES-256-CBC 256 {{!}} AES-256-CFB 256 {{!}} AES-256-CFB1 256 {{!}} AES-256-CFB8 256 {{!}} AES-256-OFB 256 {{!}} AES-256-GCM 256 {{!}} none; default: AES-256-CBC 256</td>

+

<td>Algorithm used for packet encryption.</td>

+

</tr>

+

<tr>

<td>Authentication</td>

<td>TLS {{!}} Static Key {{!}} TLS/Password; default: TLS</td>

Line 367: Line 355:

</ul>

</td>

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>Encryption</td>~~

−

<td>DES-CBC 64 {{!}} RC2-CBC 128 {{!}} DES-EDE-CBC 128 {{!}} DES-EDE3-CBC 192 {{!}} DESX-CBC 192 {{!}} BF-CBC 128 {{!}} RC2-40-CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-64CBC 64 {{!}} AES-128-CBC 128 {{!}} AES-128-CFB 128 {{!}} AES-128-CFB1 128 {{!}} AES-128-CFB8 128 {{!}} AES-128-OFB 128 {{!}} AES-128-GCM 128 {{!}} AES-192-CBC 192 {{!}} AES-192-CFB 192 {{!}} AES-192-CFB1 192 {{!}} AES-192-CFB8 192 {{!}} AES-192-OFB 192 {{!}} AES-192-GCM 192 {{!}} AES-256-CBC 256 {{!}} AES-256-CFB 256 {{!}} AES-256-CFB1 256 {{!}} AES-256-CFB8 256 {{!}} AES-256-OFB 256 {{!}} AES-256-GCM 256 {{!}} none; default: AES-256-CBC 256</td>

−

~~<td>Algorithm used for packet encryption.</td>~~

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>TLS/TLS/Password: TLS cipher</td>~~

−

~~<td>All {{!}} DHE+RSA {{!}} Custom; default: All</td>~~

−

~~<td>Packet encryption algorithm cipher.</td>~~

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>TLS/TLS/Password: Allowed TLS ciphers</td>~~

−

<td>Custom {{!}} TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 {{!}} TLS-DHE-RSA-WITH-AES-256-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 {{!}} TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA {{!}} TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 {{!}} TLS-DHE-RSA-WITH-AES-128-CBC-SHA {{!}} TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 {{!}} TLS-DHE-RSA-WITH-SEED-CBC-SHA {{!}} TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA {{!}} TLS-DHE-RSA-WITH-DES-CBC-SHA; default: All</td>

−

~~<td>Specific cyphers to use. Only 6 can be selected at a time.</td>~~

</tr>

<tr>

Line 409: Line 382:

</tr>

<tr>

−

<td>TLS/TLS/Password/Password: Client to client</td>

+

<td>TLS/TLS/Password: TLS cipher</td>

+

<td>All {{!}} DHE+RSA {{!}} Custom; default: All</td>

+

<td>Packet encryption algorithm cipher.</td>

+

</tr>

+

<tr>

+

<td>TLS/Password: Allowed TLS ciphers</td>

+

<td>All {{!}} DHE+RSA {{!}} Custom; default: All</td>

+

<td>A list of TLS ciphers accepted by this connection.</td>

+

</tr>

+

<tr>

+

<td>TLS/TLS/Password: Client to client</td>

<td>off {{!}} on; default: off</td>

<td>Allows OpenVPN clients to communicate with each other on the VPN network.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Keep alive</td>

+

<td>TLS/TLS/Password: Keep alive</td>

<td>two integers separated by a space; default: none</td>

<td>Defines two time intervals: the first is used to periodically send ICMP requests to the OpenVPN server, the second one defines a time window, which is used to restart the OpenVPN service if no ICMP response is received during the specified time slice. When this value is specifiied on the OpenVPN server, it overrides the 'keep alive' values set on client instances. Example: 10 120</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Virtual network IP address</td>

+

<td>TLS/TLS/Password: Virtual network IP address</td>

<td>ip4; default: none</td>

<td>IPv4 address of the OpenVPN network.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Virtual network netmask</td>

+

<td>TLS/TLS/Password: Virtual network netmask</td>

<td>netmask; default: none</td>

<td>Subnet mask of the OpenVPN network.</td>

</tr>

<tr>

−

<td>TLS~~/TLS/Password~~/Password: Assign IP start</td>

+

<td>TLS/TLS/Password: Virtual network IPv6 address</td>

−

~~<td>IP; default: none</td>~~

−

~~<td>Assign IP addresses starting from a pool of subnets to be dynamically allocated to connecting clients.</td>~~

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>TLS/TLS/Password~~/Password: Assign IP end</td>

−

~~<td>IP; default: none</td>~~

−

~~<td>Assign IP addresses ending at a pool of subnets to be dynamically allocated to connecting clients.</td>~~

−

~~</tr>~~

−

~~<tr>~~

−

~~<td>TLS~~~~/TLS/Password/~~Password: Virtual network IPv6 address</td>

<td>ip6; default: none</td>

<td>IPv6 address of the OpenVPN network. This field becomes visible when protocol is set to UDP6 or TCP6</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Push option</td>

+

<td>TLS/TLS/Password: Push option</td>

<td>OpenVPN options; default: none</td>

<td>Push options are a way to "push" routes and other additional OpenVPN options to connecting clients.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Allow duplicate certificates</td>

+

<td>TLS/TLS/Password: Allow duplicate certificates</td>

<td>off {{!}} on; default: off</td>

<td>When enabled allows multiple clients to connect using the same certificates.</td>

</tr>

<tr>

−

<td>TLS/Password/Password~~: Usernames & Passwords~~</td>

+

<td>TLS/Password: User name</td>

−

<td>~~-interactive button~~; default: none</td>

+

<td>string; default: none</td>

−

<td>~~File containing usernames and passwords against which the~~ server ~~can authenticate clients. Each username and password pair should be placed on a single line and separated by a space.~~.</td>

+

<td>Username used for authentication to this OpenVPN server.</td>

+

</tr>

+

<tr>

+

<td>TLS/Password: Password</td>

+

<td>string; default: none</td>

+

<td>Password used for authentication to this OpenVPN server.</td>

</tr>

<tr>

Line 464: Line 442:

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Certificate authority</td>

+

<td>TLS/TLS/Password: Certificate authority</td>

<td>.ca file; default: none</td>

<td>Certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Server certificate</td>

+

<td>TLS/TLS/Password: Server certificate</td>

<td>.crt file; default: none</td>

<td>A type of digital certificate that is used to identify the OpenVPN server.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Server key</td>

+

<td>TLS/TLS/Password: Server key</td>

<td>.key file; default: none</td>

<td>Authenticates clients to the server.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: Diffie Hellman parameters</td>

+

<td>TLS/TLS/Password: Diffie Hellman parameters</td>

<td>.pem file; default: none</td>

<td>DH parameters define how OpenSSL performs the Diffie-Hellman (DH) key-exchange.</td>

</tr>

<tr>

−

<td>TLS/TLS/Password~~/Password~~: CRL file (optional)</td>

+

<td>TLS/TLS/Password: CRL file (optional)</td>

<td>.pem file {{!}} .crl file; Default: none</td>

<td>A certificate revocation list (CRL) file is a list of certificates that have been revoked by the certificate authority (CA). It indicates which certificates are no longer acccepted by the CA and therefore cannot be authenticated to the server.</td>

Line 495: Line 473:

<ul>

<li>Red for Authentication: TLS</li>

−

~~<li>Olive for Authentication: TLS/Passwords</li>~~

<li>Purple for Authentication: Static key</li>

−

<li>Blue for Authentication: Password~~</li>~~

+

<li>Blue for Authentication: TLS/Password</li>

−

~~<li>Brown for OpenVPN config from file~~</li>

</ul>

</li>

Vainius.l

Administrators

8,925

edits