View Issue Details
| Field | Value |
|---|---|
| ID | 0000302 |
| Project | Windows and other desktop OS |
| Category | OpenVPN |
| View Status | public |
| Date Submitted | 2019-10-22 00:48 |
| Last Update | 2023-12-05 05:39 |
| Reporter | DigitalMy |
| Priority | normal |
| Severity | minor |
| Reproducibility | N/A |
| Status | progress |
| Resolution | open |
| Platform | |
| OS | Windows server |
| OS Version | 2008R2 |
| Summary | 0000302: Unified settings for OpenVpn clients site-to-site mode |
| Description | Installed client version 2.4.7 to the C:\OpenVPN\ folder for tests. Uses tun/udp; Windows OS on both server and client. |
| Tags | No tags attached. |
| FinishDate | |
| StartDate | |
| WasteTime | 0 |
| PriorityIndex | 5 |
| LaboriousnessIndex | 1 |

After installation, delete the subfolders \doc\ and \sample-config\. Generate certificates on the server for this unique client name and copy them to the local \config\ folder. Add an outbound firewall rule for C:\OpenVPN\bin\openvpn.exe. Prepare the \config\client.ovpn file:

    client
    dev tun
    proto udp
    ca ca.crt
    cert client.crt
    key client.key

Make the client certificates with a .bat script using the OpenSSL included with OpenVPN (easy-rsa). Fix the paths to fit the installation; each client name must be unique:

    @echo off
    rem Client name: must be unique per client (it becomes the certificate CN)
    set NAME=client_name
    set HOME=C:\Program Files (x86)\OpenVPN\easy-rsa
    set KEY_DIR=keys
    set KEY_CONFIG=openssl-1.0.0.cnf
    rem Prepend the OpenVPN bin folder instead of replacing PATH
    set PATH=C:\Program Files (x86)\OpenVPN\bin;%PATH%
    set DH_KEY_SIZE=2048
    set KEY_SIZE=4096
    rem Subject fields read by openssl-1.0.0.cnf from the environment
    set KEY_COUNTRY=RU
    set KEY_PROVINCE=MS
    set KEY_CITY=Moscow
    set KEY_ORG=My
    set KEY_EMAIL=123@my.ru
    set KEY_CN=%NAME%
    set KEY_NAME=my.tk
    set KEY_OU=%NAME%
    rem Placeholders; only meaningful for PKCS#11 smart cards
    set PKCS11_MODULE_PATH=%NAME%
    set PKCS11_PIN=123456
    cd /d "%HOME%"
    rem Generate the client private key and certificate request
    "C:\Program Files (x86)\OpenVPN\bin\openssl.exe" req -days 3650 -nodes -new -keyout %KEY_DIR%\client-%NAME%.key -out %KEY_DIR%\client-%NAME%.csr -config %KEY_CONFIG%
    rem Sign the request with the CA
    "C:\Program Files (x86)\OpenVPN\bin\openssl.exe" ca -days 3650 -out %KEY_DIR%\client-%NAME%.crt -in %KEY_DIR%\client-%NAME%.csr -config %KEY_CONFIG%
    rem Remove the backup copies of the CA database left by openssl ca
    del /q %KEY_DIR%\*.old

Client configurations are stored in the folder \OpenVPN\config\client\ (not the default client-config-dir, ccd). iroute: use for the remote network router only; it specifies the route from the server to the remote router's network. ifconfig-push: specifies the client's own IP address; it can be used instead of an "ipp.txt" file record, but a route cannot be set this way. It fails with the error:

    OPTIONS IMPORT: reading client specific options from
    Options error: option 'route' cannot be used in this context

According to the official manual, only --push, --push-reset, --push-remove, --iroute, --ifconfig-push, and --config are allowed in these client configurations.

The first issue is that the client configurations stored on the server in the \client\ subfolder (client-config-dir) are not loaded at all when the names differ: in the log file the client's CN appears in "quotes", but for the server it does not. So this is an issue with the certificate: make the CN without quotes. Having found this problem, I changed the \easy-rsa script and made a new certificate with names without quotes, like GS, not "GS". Second, the new version uses the folder OpenVPN\config-auto\client for the service.

In the Windows OpenVPN GUI app, if Advanced - Configuration files - Folder is set to the same folder as OpenVPN\config, you get an error on each start: There already exists a config file named *.ovpn. Fix: set a different path in "Folder" for user configurations (empty is fine).

As for the Android OS client, it gets the error tun_prop_route_error: route destinations other than vpn_gateway or net_gateway are not supported. Change it to push "route 192.168.166.0 255.255.255.0" without gateway and metric...
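
As an added example (not from the bug report and not OpenVPN project code), a small Python linter for client-config-dir files that mechanises the three checks described in the notes above: only the directives the manual allows in a ccd file (so a bare route line is caught before the server logs "option 'route' cannot be used in this context"), a pushed route whose explicit gateway the Android client rejects with tun_prop_route_error, and a ccd file name that does not match the certificate CN (including the literal-quotes case, where the server silently never loads the file). The sample ccd text, the client name GS, the addresses and the function names are constructed for the example; the allowed-directive list is the one quoted from the manual in the notes.

```python
"""Lint an OpenVPN client-config-dir (ccd) file for the mistakes described in the notes."""
import shlex

# Directives the OpenVPN manual allows inside a client-config-dir file.
CCD_ALLOWED = {"push", "push-reset", "push-remove", "iroute", "ifconfig-push", "config"}

# Gateway keywords the Android client accepts in a pushed route.
ROUTE_GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway"}

# Constructed sample ccd file for a client named GS (not taken from the report).
SAMPLE_CCD = """\
# constructed sample ccd file for client GS
ifconfig-push 10.8.0.6 10.8.0.5
iroute 192.168.166.0 255.255.255.0
route 192.168.166.0 255.255.255.0
push "route 192.168.166.0 255.255.255.0 10.8.0.1 100"
push "route 192.168.167.0 255.255.255.0"
"""


def parse_options(text):
    """Return [(lineno, tokens)] for non-blank, non-comment lines.

    OpenVPN treats lines starting with '#' or ';' as comments and honours quotes
    around arguments; shlex approximates that tokenisation."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        out.append((n, shlex.split(line)))
    return out


def check_pushed(pushed):
    """Checks on the option carried inside a push "..." string."""
    if not pushed:
        return ["empty push"]
    if pushed[0] == "route" and len(pushed) >= 4:
        gw = pushed[3]
        if gw not in ROUTE_GATEWAY_KEYWORDS:
            return [f"pushed route gateway {gw!r}: the Android client rejects it "
                    f"(tun_prop_route_error); drop the gateway or use vpn_gateway/net_gateway"]
    return []


def lint_ccd(text, cn=None, filename=None):
    """Return a list of (lineno, message) findings; line 0 is used for file-level findings."""
    findings = []
    if cn is not None and filename is not None and cn != filename:
        msg = f"CN {cn!r} != ccd file name {filename!r}; the server will not load this file"
        if cn.strip("\"'") == filename:
            msg += " (the certificate CN contains literal quotes; reissue it without them)"
        findings.append((0, msg))
    for n, toks in parse_options(text):
        opt = toks[0].lstrip("-")
        args = toks[1:]
        if opt not in CCD_ALLOWED:
            msg = f"option '{opt}' cannot be used in this context"
            if opt == "route":
                msg += '; write it as push "route %s"' % " ".join(args)
            findings.append((n, msg))
            continue
        if opt == "push" and args:
            # push takes a single quoted string holding the option to send to the client
            findings.extend((n, m) for m in check_pushed(shlex.split(args[0])))
    return findings


def rewrite_route_lines(text):
    """Return the ccd text with bare 'route ...' lines turned into push "route ..." lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        toks = shlex.split(line) if line and line[0] not in "#;" else []
        if toks and toks[0].lstrip("-") == "route":
            out.append('push "route %s"' % " ".join(toks[1:]))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The file on disk is named GS, but the certificate was issued with CN "GS" (with quotes).
    for n, msg in lint_ccd(SAMPLE_CCD, cn='"GS"', filename="GS"):
        print(f"line {n}: {msg}")
```

The CN check only compares the two strings; it does not model any character remapping OpenVPN may apply when deriving the file name, so treat a mismatch report as "go and look at the log line that names the ccd file" rather than as the final word.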

The Android client gets "Connection reset, restarting [0]" and "SIGUSR1[soft,connection-reset] received, client-instance restarting" every 30 seconds. Removed (commented out) ping 5 and ping-restart 10. Session invalidated: KEEPALIVE_TIMEOUT. Added to the client: keepalive 600 1800. Added to the server: keepalive 600 3600.

Windows udp client config:

    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    tls-client
    persist-key
    auth-nocache
    remote-cert-tls server
    keepalive 60 120
    verb 4
    pull
    explicit-exit-notify 1

Do not use persist-tun (left as #persist-tun): on the provider network it got stuck, because no route change (removal) happens, but that is necessary for the second tun to use.