====== OpenVPN ======
This topic is intended for users with some basic knowledge of VPNs who know how to create and set up a VPN client/server.
===== Creating the PKI =====
[[.:pki|PKI management]]
===== VPN Server Setup/Configuration =====
Here is an example of creating and configuring an OpenVPN server:
- [[.:server|OpenVPN server configuration]]
===== VPN Client Setup/Configuration =====
==== Modify the configuration file ====
The configuration of the VPN requires:
* A client configuration file, named ''client-openvpn.conf''. This is the main configuration file.\\ Make sure that non-interactive authentication is enabled (the connection is established by a daemon, so the password cannot be entered manually).
* A “Certification Authority Certificate” file, authenticating the remote server, ''ca.crt''
* A “User key and certificate archive” file, authenticating the Wanesy SPN gateway (the client), ''client.p12''
All those files have to be uploaded via the web UI.
Here is an example of a client configuration file:
<code>
#################################################
#                                               #
# Client-side OpenVPN 2.X config file for       #
# connecting to multi-client server.            #
#                                               #
# Comments are preceded with '#' or ';'         #
#                                               #
#################################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
tls-client
#remote-cert-tls server

# Protocol
proto udp

#Tunnel
dev tun

#Server
remote 192.168.1.14

#Certification Authority Certificate - Server Authentication
ca ca.crt

#User Key and Certificate - Client Authentication
pkcs12 client.p12

cipher AES-256-CBC
#auth SHA256
tls-version-min "1.0"
tls-version-max "1.0"
mssfix 1200
comp-lzo
</code>
Note: if you set a passphrase to access your private key, add the following line to your configuration file:
<code>
askpass pass.txt
</code>
Put your password in the ''pass.txt'' file and make sure that no user other than its owner (root) can read it:
<code>
# chmod 600 pass.txt
</code>
The two other files (.crt and .p12) have to be generated using the [[.:pki|PKI]].
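The following audit of the client file shown above is an added example, not Kerlink or OpenVPN code. It flags the commented-out ''remote-cert-tls server'' (without it, any certificate issued by the same CA is accepted as the server), the TLS 1.0 pin, ''comp-lzo'', and an ''askpass'' file readable by other users. ''SAMPLE'' is constructed from the example file; ''parse'' and ''audit'' are hypothetical names.

```python
import os
import stat

# Constructed input: the directives of the example client file shown above.
SAMPLE = """client
tls-client
#remote-cert-tls server
proto udp
dev tun
remote 192.168.1.14
ca ca.crt
pkcs12 client.p12
cipher AES-256-CBC
#auth SHA256
tls-version-min "1.0"
tls-version-max "1.0"
mssfix 1200
comp-lzo
"""

def parse(text):
    """Map each active directive to its arguments; '#' and ';' lines are comments."""
    conf = {}
    for line in text.splitlines():
        tokens = line.strip().replace('"', "").split()
        if tokens and tokens[0][0] not in "#;":
            conf[tokens[0]] = tokens[1:]
    return conf

def audit(text, base_dir="."):
    """Return (directive, reason) findings for a client config given as text."""
    conf, findings = parse(text), []
    if conf.get("remote-cert-tls") != ["server"]:
        findings.append(("remote-cert-tls", "server certificate usage is not checked"))
    for key in ("tls-version-min", "tls-version-max"):
        if (conf.get(key) or [""])[0] in ("1.0", "1.1"):
            findings.append((key, "allows or forces a deprecated TLS version"))
    for key in ("comp-lzo", "compress"):
        if key in conf:
            findings.append((key, "compression is enabled on the tunnel"))
    if conf.get("askpass"):  # passphrase file named in the config
        path = os.path.join(base_dir, conf["askpass"][0])
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(("askpass", "passphrase file is readable by group or others"))
    return findings

if __name__ == "__main__":
    for directive, reason in audit(SAMPLE):
        print(f"{directive}: {reason}")
```

Whether the gateway's OpenVPN build and the server accept a newer TLS version or a tunnel without compression has to be checked on both ends before changing the flagged directives.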
==== Enable OpenVPN via the Kerlink gateway web interface ====
Select the "Enable" button from the Administration > OpenVPN menu option and drag and drop the following files:
* ''ca.crt''
* ''client.p12''
* ''client-openvpn.conf''
{{:images:enable_openvpn.png|}}
The openvpn process will then be launched automatically at boot time and monitored by the ''monit'' tool.
===== Connection =====
Once the files are uploaded and the VPN feature is activated in the administration page, the VPN tunnel will automatically be created.