877
edits
Changes
From SME Server
Jump to navigationJump to search→Configure
If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:
If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
==== Using PHPki ====
If you are using the PHPki contrib to manage your certificates you need to do the following :
Create a new certificate for your OpenVPN server - make sure it is a server only certificate.
Make sure you use the ManagementPassword key from OpenVpn on the server.
config show openvpn-routed
openvpn-routed=service
ManagementPassword=SomeLongComplicatedPassword
UDPPort=1194
access=public
status=enabled
From PHPki get the following certificates :
From the main page of PHPki :
dh pub/dh.pem - Download the Diffie-Hellman parameters
ca pub/cacert.pem - Download the Root Certificate
If you need to, get a copy of the revocation list
crl-verify pub/cacrl.pem - Download the Certificate Revocation List
The Revocation certificate can be obtained automatically with a cronjob
db configuration setprop openvpn-routed CrlUrl 'https://your-phpki-box.domain.net/phpki/index.php?stage=dl_crl_pem'
From the Manage Certificates page of PHPki :
cert pub/cert.pem - use the PEM Certificate
key priv/key.pem - use the PEM Key
Copy them to the relevant directories as above
Make sure that the certs are set 0600
If you want all your VPN clients to use the SME as default gateway once connected
db configuration setprop openvpn-routed RedirectGateway enabled
signal-event openvpn-routed-update
You can now add your Client certificates to your device.
Make sure you have a user on the server.
Make sure in your device that you choose Certificate + Password as an option.
Enter in your user name and password in addition to the certificates
==== Configure as running in parallel of bridge contrib ====
==== Configure as running in parallel of bridge contrib ====
