Home Explore Help
Register Sign In
Mangix
/
libreCMC
forked from libreCMC/libreCMC
1
0
Fork 0
Files
Browse Source

Merge branch 'v1.4' of pi31415/libreCMC-cmh into v1.4

RISCI_ATOM 6 years ago
parent
478ff1b3a0 d9b5048eab
commit
3b92df263f
2 changed files with 96 additions and 62 deletions
Split View Show Diff Stats
  1. 95 61
      docs/OpenVPN_Layer_2_Server.md
  2. 1 1
      docs/TPE_R1100.md

+ 95 - 61
docs/OpenVPN_Layer_2_Server.md
View File 

@@ -1,61 +1,95 @@
 
-# OpenVPN Layer 2 Server

-

-## Installing OpenVPN packages

-

-TODO

-

-## Interface Setup

-

-TODO

-

-## Certificate and Key Setup Instructions

-

-TODO

-

-## Server configuration

-

-For server bridge option: First two parameters are the ip/netmask of

-the gateway on the bridged subnet. Next two paraters indicate the

-pool-start-IP and pool-end-IP, which is the part of your IP address

-pool that you have reserved just for VPN clients. You have to make

-sure the DHCP server on the company network is not handing those out

-to on-site systems.

-

-/etc/config/openvpn

-```

-config openvpn 'myvpn'

-	option enabled '1'

-	option dev 'tap0'

-	option port '1194'

-	option proto 'udp'

-	option status '/var/log/openvpn_status.log'

-	option log '/tmp/openvpn.log'

-	option verb '3'

-	option mute '5'

-	option keepalive '10 120'

-	option persist_key '1'

-	option persist_tun '1'

-	option user 'nobody'

-	option group 'nogroup'

-	option ca '/etc/easy-rsa/keys/ca.crt'

-	option cert '/etc/easy-rsa/keys/myvpn.crt'

-	option key '/etc/easy-rsa/keys/myvpn.key'

-	option dh '/etc/easy-rsa/keys/dh2048.pem'

-	option tls_server '1'

-	option tls_auth '/etc/easy-rsa/keys/ta.key 0'

-	option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'

-	option topology 'subnet'

-	option client_to_client '1'

-	list push 'persist-key'

-	list push 'persist-tun'

-	list push 'redirect-gateway def1'

-	# allow your clients to access to your network

-	list push 'route 10.0.0.0 255.255.255.0'

-	# push DNS to your clients

-	list push 'dhcp-option DNS 10.0.0.1'

-        # option comp_lzo 'no'

-```

-

-## Client setup information

-

-TODO

+# OpenVPN Layer 2 Server
 
+
 
+## Introduction
 
+
 
+Librecmc can operate as an OpenVPN server. OpenVPN technology connects
 
+two networks via an encrypted tunnel. With proper server, network, and
 
+client configuration, OpenVPN allows a client outside of your LAN to
 
+see the LAN as though it were physically connected to the LAN.
 
+
 
+OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the
 
+remote client sees your LAN as though it is on the other side of an IP
 
+router. In layer 2 mode, the remote client sees your LAN as though
 
+they are both on the same Data Link segment (e.g., the same Ethernet
 
+link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes
 
+desired to give clients a more direct exposure to services on the LAN.
 
+
 
+## Warnings
 
+
 
+This information is provided for educational purposes only and is not
 
+meant to be a guide to best network security practices. Readers are
 
+advised to study all relevant OpenVPN and network security
 
+documentation.
 
+
 
+## Required LibreCMC packages
 
+
 
+* openvpn-openssl
 
+* openvpn-easy-rsa
 
+* luci-app-openvpn
 
+
 
+## Interface Setup
 
+
 
+TODO
 
+
 
+## Certificate and Key Setup Instructions
 
+
 
+```
 
+cd /etc/easy-rsa
 
+source vars
 
+clean-all
 
+build-ca
 
+build-dh
 
+build-key-server myvpn
 
+openvpn --genkey --secret /etc/easy-rsa/keys/ta.key
 
+```
 
+
 
+N.B.: Using easy-rsa is a straightforward approach, but it may be
 
+possible to produce more secure certificates using openssl directly.
 
+
 
+## Server configuration
 
+
 
+For the `server bridge` option: The first two parameters are the ip
 
+and netmask of the gateway on the bridged subnet. The next two
 
+parameters indicate the pool-start-IP and pool-end-IP, which is the
 
+part of your IP address pool that you have reserved just for VPN
 
+clients. You must to make sure that the DHCP server for your LAN is
 
+not leasing out those IP addresses to local (non-vpn) clients.
 
+
 
+/etc/config/openvpn
 
+```
 
+config openvpn 'myvpn'
 
+	option enabled '1'
 
+	option dev 'tap0'
 
+	option port '1194'
 
+	option proto 'udp'
 
+	option status '/var/log/openvpn_status.log'
 
+	option log '/tmp/openvpn.log'
 
+	option verb '3'
 
+	option mute '5'
 
+	option keepalive '10 120'
 
+	option persist_key '1'
 
+	option persist_tun '1'
 
+	option user 'nobody'
 
+	option group 'nogroup'
 
+	option ca '/etc/easy-rsa/keys/ca.crt'
 
+	option cert '/etc/easy-rsa/keys/myvpn.crt'
 
+	option key '/etc/easy-rsa/keys/myvpn.key'
 
+	option dh '/etc/easy-rsa/keys/dh2048.pem'
 
+	option tls_server '1'
 
+	option tls_auth '/etc/easy-rsa/keys/ta.key 0'
 
+	option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'
 
+	option topology 'subnet'
 
+	option client_to_client '1'
 
+	list push 'persist-key'
 
+	list push 'persist-tun'
 
+	list push 'redirect-gateway def1'
 
+	# allow your clients to access to your network
 
+	list push 'route 10.0.0.0 255.255.255.0'
 
+	# push DNS to your clients
 
+	list push 'dhcp-option DNS 10.0.0.1'
 
+        # option comp_lzo 'no'
 
+```
 
+
 
+## Client setup information
 
+
 
+TODO

+ 1 - 1
docs/TPE_R1100.md
View File 

@@ -1,4 +1,4 @@
 
-# Think Penguin [TPE-R1100 mini WiFi Router](https://www.thinkpenguin.com/TPE-R1100)

+# Think Penguin [TPE-R1100 mini WiFi Router](https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-mini-vpn-router-tpe-r1100)

 

 ## Specs