31,703
edits
Changes
Template:Networking rut manual vpn (view source)
Revision as of 11:12, 9 July 2019
, 11:12, 9 July 2019no edit summary
<td>ip; default: <b>none</b></td>
<td>ip; default: <b>none</b></td>
<td>Assigns an IP address to the client that uses the adjacent authentication info. This field is optional and if left empty the client will simply receive an IP address from the IP pool defined above.</td>
<td>Assigns an IP address to the client that uses the adjacent authentication info. This field is optional and if left empty the client will simply receive an IP address from the IP pool defined above.</td>
</tr>
</table>
==Stunnel==
<b>Stunnel</b> is an open-source a proxy service that adds TLS encryption to clients and servers already existing on a VPN network. TLS encryption provided by Stunnel can be used as an additional layer of encryption for data sent by OpenVPN. This procedure increases the security of the established connection and provides higher chances of passing a Deep packet inspection (DPI) check.
For a more in-depth Stunnel configuration example visit this page: [[OpenVPN over Stunnel {{{name}}}|OpenVPN over Stunnel]].
===Stunnel Globals===
----
The <b>Stunnel Globals</b> section is used to manage the Stunnel service as a whole. Refer to the figure and table below for information on the field contained in the Stunnel Globals section.
[[File:{{{file_stunnel_globals}}}]]
<table class="nd-mantable">
<tr>
<th>Field Name</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enabled</td>
<td>yes | no; default: <b>no</b></td>
<td>Turns the Stunnel service on or off. If this is unchecked, Stunnel instances will not start (even if they are enabled individually); therefore, iti is necessary to check this field in order to make Stunnel active on the router.</td>
</tr>
<tr>
<td>Debug Level</td>
<td>integer [0..7]; default: <b>5</b></td>
<td>Debugging to log output level.
Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use '''7''' for greatest debugging output.</td>
</tr>
<tr>
<td>Use alternative config</td>
<td>yes | no; default: <b>no</b></td>
<td>Turns the possibility to upload an external Stunnel configuration file on or off.if you turn this on, other Stunnel configurations present in the router will become inactive.</td>
</tr>
<tr>
<td>Upload alternative config</td>
<td>file; default: <b>none</b></td>
<td>Uploads an Stunnel configuration file.</td>
</tr>
</table>
===Stunnel client/server===
----
[[File:{{{file_stunnel_client_server_config}}}]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Enable</td>
<td>yes | no; default: <b>no</b></td>
<td>Turns the Stunnel instance on or off.</td>
</tr>
<tr>
<td>Operating Mode</td>
<td>Server | Client; default: <b>Server</b></td>
<td>Selects the Stunnel instance's role.
<ul>
<li><b>Server</b> - </li>
<li><b>Client</b> - </li>
</ul>
</td>
</tr>
<tr>
<td>Listen IP</td>
<td>ip; default: <b>none</b></td>
<td>Makes the instance "listen" for incoming connections on the specified IP address. When left empty, the value of this field defaults to <i>localhost</i> (<i>127.0.0.1</i>).</td>
</tr>
<tr>
<td>Listen Port</td>
<td>integer [0..65535]; default: <b>none</b></td>
<td>Makes the instance "listen" for incoming connections on the specified TCP port. Make sure you chose a port that is not being used by another service. You will also have to allow traffic on the specified port. You can do this via the <b>Network → Firewall → Traffic Rulles → [[{{{name}}}_Firewall#Open_Ports_On_Router|Open Ports On Router]]</b> section.</td>
</tr>
<tr>
<td>Connect IP's</td>
<td>ip:port; default: <b>none</b></td>
<td>Uses the standard host:port convetion (e.g. 127.0.0.1:6001; localhost:6001). Host part can be emmited - empty host part defaults to '''localhost'''.
Must contain at least one item. If multiple options are specified, remote address is chosen using a round-robin algorithm.</td>
</tr>
<tr>
<td>TLS Cipher</td>
<td>None | Secure | Custom; default: <b>None</b></td>
<td>Packet encryption algorithm cipher.</td>
</tr>
<tr>
<td>Allowed TLS Ciphers</td>
<td>string; default: <b>none</b></td>
<td>A list of TLS ciphers accepted for this connection.</td>
</tr>
<tr>
<td>Application Protocol</td>
<td>Connect | SMTP | Not specified; default: <b>Not specified</b></td>
<td>This option enables initial, protocol-specific negotiation of the TLS encryption. The protocol option should not be used with TLS encryption on a separate port.</td>
</tr>
<tr>
<td>Protocol Authentication</td>
<td><b>Connect</b>: Basic | NTLM; default: <b>Basic</b><br><b>SMTP</b>: Plain | Login; default: <b>Plain</b></td>
<td>Authentication type for the protocol negotiations.</td>
</tr>
<tr>
<td>Protocol Domain</td>
<td>string; default: <b>none</b></td>
<td>Domain for the protocol negotiations.</td>
</tr>
<tr>
<td>Protocol Host</td>
<td>host:port; default: <b>none</b></td>
<td>Specifies the final TLS server to be connected to by the proxy, and not the proxy server directly connected by Stunnel. The proxy server should be specified along with the <i>connect</i> option.</td>
</tr>
<tr>
<td>Protocol Username</td>
<td>string; Default: <b>none</b></td>
<td>Username for authentication to the protocol negotiations.</td>
</tr>
<tr>
<td>Protocol Password</td>
<td>string; default: <b>none</b></td>
<td>Password for authentication to the protocol negotiations.</td>
</tr>
<tr>
<td>Certificate File</td>
<td>.crt file; default: <b>none</b></td>
<td>TLS client or server certificate file.</td>
</tr>
<tr>
<td>Private Key</td>
<td>.key file; default: <b>none</b></td>
<td>TLS client or server key file.</td>
</tr>
</tr>
</table>
</table>
