From 0a09a6e6f247729457d15480f8d2b9bb0b89ae5e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Aug 2016 22:55:41 -0700 Subject: Updated (very out of date) docs and README.md --- docs/en/services/openvpn.html | 178 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 docs/en/services/openvpn.html (limited to 'docs/en/services/openvpn.html') diff --git a/docs/en/services/openvpn.html b/docs/en/services/openvpn.html new file mode 100644 index 00000000..e5fe1128 --- /dev/null +++ b/docs/en/services/openvpn.html @@ -0,0 +1,178 @@ + + + + +openvpn - LEAP Platform Documentation + + + + + + + + +
+
+

openvpn

+ +
OpenVPN egress gateways
+
+
+
    +
  1. + Topology +
  2. +
  3. + Configuration +
  4. +
+ +

Topology

+ +

Currently, openvpn service should not be combined with other services on the same node.

+ +

Unlike most of the other node types, the openvpn nodes do not need access to the database and does not ever communicate with any other nodes (except for the monitor node, if used). So, openvpn nodes can be placed anywhere without regard to the other nodes.

+ +

Configuration

+ +

Essential configuration

+ +
    +
  • openvpn.gateway_address: The address that OpenVPN daemon is bound to and that VPN clients connect to.
  • +
  • ip_address: The main IP of the server, and the egress address for outgoing traffic.
  • +
+ + +

For example:

+ +
{
+  "ip_address": "1.1.1.1",
+  "openvpn": {
+    "gateway_address": "2.2.2.2"
+  }
+}
+
+ +

In this example, VPN clients will connect to 2.2.2.2, but their traffic will appear to come from 1.1.1.1.

+ +

Why are two IP addresses needed? Without this, traffic between two VPN users on the same gateway will not get encrypted. This is because the VPN on every client must be configured to allow cleartext traffic for the IP address that is the VPN gateway.

+ +

Optional configuration

+ +

Here is the default configuration:

+ +
"openvpn": {
+  "configuration": {
+    "auth": "SHA1",
+    "cipher": "AES-128-CBC",
+    "fragment": 1400,
+    "keepalive": "10 30",
+    "tls-cipher": "DHE-RSA-AES128-SHA",
+    "tun-ipv6": true
+  },
+  "ports": ["80", "443", "53", "1194"],
+  "protocols": ["tcp", "udp"]
+}
+
+ +

You may want to change the ports so that only 443 or 80 are used. It is probably best to not modify the openvpn.configuration options for now.

+ +
+
+ + -- cgit v1.2.3