From patchwork Wed Jul 15 12:30:08 2020
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 1258
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 00:30:08 +0200
Message-Id: <20200715223013.11726-12-davids@openvpn.net>
In-Reply-To: <20200715223013.11726-1-davids@openvpn.net>
References: <20200715223013.11726-1-davids@openvpn.net>
Subject: [Openvpn-devel] [PATCH 11/16] doc/man: Cleaned up the examples

Removed a lot of outdated information. The loading of the tun module is not needed on current Linux distributions; it is automatically loaded when needed.

Also removed all the iptables references and rather refer the reader to figure out how firewalling is configured on their system. The reason is that iptables is moving towards being deprecated in favour of nftables/nft. In addition many Linux distributions provide their own wrappers around it (ufw, firewalld, to mention a couple). In addition it makes the man page less Linux-centric.

The only Linux specific reference left is configuration of IP forwarding. But extended the text to ask the reader to find the preferred way of configuring IP forwarding in a persistent way.
Many Linux distributions use their own set of network configuration tools as well (NetworkManager, systemd-networkd, netplan, to mention a few). The rest of the instructions should be fairly OS neutral and are a quick introduction to how to get tunnels configured and gradually expand the configuration and improve the security along the way.

Signed-off-by: David Sommerseth --- doc/man-sections/examples.rst | 105 ++++------------------------------ 1 file changed, 11 insertions(+), 94 deletions(-) diff --git a/doc/man-sections/examples.rst b/doc/man-sections/examples.rst index 0bea7f5a..ecc2a29f 100644 --- a/doc/man-sections/examples.rst +++ b/doc/man-sections/examples.rst @@ -7,32 +7,12 @@ installed OpenVPN, consult the INSTALL file included in the OpenVPN distribution. -TUN/TAP Setup: --------------- - -If you are using Linux 2.4 or higher, make the tun device node and load -the tun module: - -:: - - mknod /dev/net/tun c 10 200 - modprobe tun - -If you installed from RPM, the ``mknod`` step may be omitted, because -the RPM install does that for you. - -Only Linux 2.4 and newer are supported. - -For other platforms, consult the INSTALL file at -https://openvpn.net/community-resources/the-standard-install-file-included-in-the-source-distribution/ -for more information. - - Firewall Setup: --------------- If firewalls exist between the two machines, they should be set to -forward UDP port 1194 in both directions. If you do not have control +forward the port OpenVPN is configured to use, in both directions. +The default for OpenVPN is 1194/udp. If you do not have control over the firewalls between the two machines, you may still be able to use OpenVPN by adding ``--ping 15`` to each of the ``openvpn`` commands used below in the examples (this will cause each peer to send out a UDP 
@@ -40,13 +20,8 @@ ping to its remote peer once every 15 seconds which will cause many stateful firewalls to forward packets in both directions without an explicit firewall rule). -If you are using a Linux iptables-based firewall, you may need to enter -the following command to allow incoming packets on the TUN device: - -:code:`iptables -A INPUT -i tun+ -j ACCEPT` - -See the firewalls section below for more information on configuring -firewalls for use with OpenVPN. +Please see your operating system guides for how to configure the firewall +on your systems. VPN Address Setup: @@ -239,10 +214,14 @@ enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward -and enable TUN packet forwarding through the firewall: -:: +This setting is not persistent. Please see your operating systems +documentation how to properly configure IP forwarding, which is also +persistent through system boots. - iptables -A FORWARD -i tun+ -j ACCEPT +If you system is configured with a firewall. Please see your operating +systems guide on how to configure the firewall. You typically want to +allow traffic coming from and going to the tun/tap adapter OpenVPN is +configured to use. On bob: :: 
@@ -260,65 +239,3 @@ Now any machine on the *10.0.0.0/24* subnet can access any machine on the In a production environment, you could put the route command(s) in a script and execute with the ``--up`` option. - -FIREWALLS -========= - -OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. -You should add an entry to your firewall rules to allow incoming OpenVPN -packets. On Linux 2.4+: -:: - - iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT - -This will allow incoming packets on UDP port :code:`1194` (OpenVPN's -default UDP port) from an OpenVPN peer at :code:`1.2.3.4`. - -If you are using HMAC-based packet authentication (the default in any of -OpenVPN's secure modes), having the firewall filter on source address -can be considered optional, since HMAC packet authentication is a much -more secure method of verifying the authenticity of a packet source. In -that case: -:: - - iptables -A INPUT -p udp --dport 1194 -j ACCEPT - -would be adequate and would not render the host inflexible with respect -to its peer having a dynamic IP address. - -OpenVPN also works well on stateful firewalls. In some cases, you may -not need to add any static rules to the firewall list if you are using a -stateful firewall that knows how to track UDP connections. If you -specify ``--ping n``, OpenVPN will be guaranteed to send a packet to its -peer at least once every ``n`` seconds. If ``n`` is less than the -stateful firewall connection timeout, you can maintain an OpenVPN -connection indefinitely without explicit firewall rules. 
- -You should also add firewall rules to allow incoming IP traffic on TUN -or TAP devices such as: -:: - - iptables -A INPUT -i tun+ -j ACCEPT - -to allow input packets from tun devices, -:: - - iptables -A FORWARD -i tun+ -j ACCEPT - -to allow input packets from tun devices to be forwarded to other hosts -on the local network, -:: - - iptables -A INPUT -i tap+ -j ACCEPT - -to allow input packets from tap devices, and -:: - - iptables -A FORWARD -i tap+ -j ACCEPT - -to allow input packets from tap devices to be forwarded to other hosts -on the local network. - -These rules are secure if you use packet authentication, since no -incoming packets will arrive on a TUN or TAP virtual device unless they -first pass an HMAC authentication test.
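Review bot: in the first hunk (@@ -7,32 +7,12 @@) the comma in "forward the port OpenVPN is configured to use, in both directions" is stray and splits the verb from its adverbial; suggest "forward the port OpenVPN is configured to use in both directions." For consistency with the ``--ping 15`` and ``openvpn`` literals on the adjacent lines, "1194/udp" would also read better as ``1194/udp``.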
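Review bot: in the second hunk (@@ -40,13 +20,8 @@) the replacement "Please see your operating system guides for how to configure the firewall on your systems" drops the one piece of guidance the removed text carried, namely that incoming packets on the TUN device must be allowed; the later hunk keeps that advice ("allow traffic coming from and going to the tun/tap adapter OpenVPN is configured to use"), but a reader working through the early examples will not have reached it yet. Suggest keeping that sentence here as well, and "your operating system's documentation" instead of "your operating system guides ... on your systems".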
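Review bot: in the third hunk (@@ -239,10 +214,14 @@) "If you system is configured with a firewall. Please see your operating systems guide" has a typo ("you" for "your") and a sentence fragment; suggest "If your system is configured with a firewall, please see your operating system's guide on how to configure it." Likewise "Please see your operating systems documentation how to properly configure IP forwarding" wants "operating system's documentation on how to".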
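Review bot: the last hunk (@@ -260,65 +239,3 @@) removes the whole FIREWALLS section, including the two paragraphs that contain no iptables commands at all: the explanation that with HMAC packet authentication filtering on the peer's source address is optional (so the rules need not break a peer with a dynamic IP), and the closing rationale that allowing traffic on TUN/TAP devices is safe because no packet reaches the virtual device unless it first passes the HMAC authentication test. That rationale is exactly what justifies the "allow traffic coming from and going to the tun/tap adapter" advice the earlier hunk adds, and it is OS neutral; suggest keeping those paragraphs and deleting only the iptables rule blocks.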