3,250
edits
Changes
Jump to navigation
Jump to search
Line 25:
Line 25: + + + + + − ==== install the rpms ====+ + + + Line 33:
Line 41: − ==== Configure ====+ − + + + + + + + + + Line 45:
Line 61: − If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:+ − cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/ Line 94:
Line 109: + Line 105:
Line 121: − Line 225:
Line 240: − + + + + + + +
→Default key properties
=== Installation ===
=== Installation ===
<tabs container><tab name="For SME 10">
/!\ new default cipher = AES-128-GCM and HMAC SHA256, if you have issues check the configuration options
yum install smeserver-openvpn-routed --enablerepo=smecontribs
if you have smeserver-openvpn-bridge installed and configured then all will work automaticly.
It will change its port to a different one, and it will copy certificates from the bridge openvpn
to know the new port
config getprop openvpn-routed UDPPort
</tab>
<tab name="For SME 9">
install fws repo, see : [[Fws]]
install fws repo, see : [[Fws]]
yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs
yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs
you will then have to configure by hand
This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand.
If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates:
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
</tab>
</tabs>
=== Configure ===
This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand. Except on SME10 if you already have smeserver-openvpn-bridge installed and configured.
here's the file the contrib expects to see before being started:
here's the file the contrib expects to see before being started:
* /etc/openvpn/routed/priv/takey.pem (an optional shared key)
* /etc/openvpn/routed/priv/takey.pem (an optional shared key)
and an available port to bind to.
==== Configure as running in parallel of bridge contrib ====
==== Configure as running in parallel of bridge contrib ====
Not needed for SME10, the contrib does it for you.
#install
#install
# signale event to regenerate all you need
# signale event to regenerate all you need
signal-event openvpn-routed-update
signal-event openvpn-routed-update
===Client configuration - iOS===
===Client configuration - iOS===
|-
|-
| || || || Cipher || None || Various. AES-256-CBC || Default BF-CBC deprecated
| || || || Cipher || None || Various. AES-128-CBC || Default BF-CBC deprecated
|-
| || || || HMAC || None || Various. SHA256 || Default SHA1 deprecated
|-
|-
| || || || CrlUrl ||None || http://url/phpki/index.php?stage=dl_crl_pem ||
| || || || CrlUrl ||None || http://url/phpki/index.php?stage=dl_crl_pem ||
|}
|}
you can also set the property PushRoute to disabled to any network in networks db to avoid the contrib to push the network to the client
===Workarounds and known issues===
===Workarounds and known issues===
if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm.
if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm.