
For some time I've been running OpenVPN on my Synology NAS, which I had to mod because the UI does not offer much; it's very basic.
It's for private use and I have three remote users, myself as Admin/user and a second user, all using Windows and Android.
With XCA I've set up my own CA, certificates, keys and DH parameters, everything 2048 bits.
Every user has its own common name.
My questions are:
Are there any flaws/faults or improvements?
The client uses pull; is it still necessary? (I mean, the server pushes... or does it push on request from the client?)
My server config is as follows:
#log-append /var/log/openvpn.log
#verb 5
push "route 192.168.11.0 255.255.255.0"
push "route 192.168.168.0 255.255.255.0"
push "dhcp-option DNS 192.168.11.10"
# I let Samba handle WINS on the same NAS
push "dhcp-option WINS 192.168.11.12"
management 127.0.0.1 1195
server 192.168.168.0 255.255.255.0
dev tun
proto udp
port 1194
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2 or-highest
remote-cert-tls client
username-as-common-name
dh /volume1/@appstore/VPNCenter/etc/openvpn/keys/dh2048.pem
ca /volume1/@appstore/VPNCenter/etc/openvpn/keys/ca.crt
cert /volume1/@appstore/VPNCenter/etc/openvpn/keys/server.crt
key /volume1/@appstore/VPNCenter/etc/openvpn/keys/server.key
tls-auth /volume1/@appstore/VPNCenter/etc/openvpn/keys/ta.key 0
max-clients 3
comp-lzo
keepalive 20 60
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
status /tmp/ovpn_status_2_result 30
status-version 2

Client config:
remote 000.111.222.333 1194
remote 111.222.333.444 1194
dhcp-option DNS 192.168.11.10
dhcp-option WINS 192.168.11.12
redirect-gateway
dev tun
proto udp
pull
tls-client
tls-auth ta.key 1
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2 or-highest
script-security 2
comp-lzo
reneg-sec 0
auth-user-pass
auth-nocache
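As an added example (not part of the post or of OpenVPN itself), the script below parses a config in the form shown above and applies a few review checks to it: control-channel protection, remote-cert-tls, cipher and TLS floor, compression, reneg-sec, and whether a tls-client config also has pull (the `client` directive is OpenVPN's shorthand for `tls-client` plus `pull`; without `pull` the client never requests the pushed routes and DNS options). The sample configs, file names and rule texts are constructed for the example.

```python
import re

# Constructed samples: the checked directives from the post's server config,
# and a client stub that uses tls-client alone (client = tls-client + pull).
SERVER_CFG = """\
push "route 192.168.11.0 255.255.255.0"
server 192.168.168.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2 or-highest
remote-cert-tls client
tls-auth ta.key 0        # key-direction 0 on the server, 1 on clients
comp-lzo
reneg-sec 0
"""
CLIENT_NO_PULL = "tls-client\nremote-cert-tls server\ntls-auth ta.key 1\ncipher AES-256-CBC\ntls-version-min 1.2\n"

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}

def parse(cfg):
    """Map directive -> list of argument strings; '#'/';' comments are dropped."""
    opts = {}
    for raw in cfg.splitlines():
        line = re.split(r"\s[#;]", raw, maxsplit=1)[0].strip()  # cut inline comment
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        opts.setdefault(name, []).append(args.strip())
    return opts

def audit(opts, role):
    """Return review findings for a parsed config; role is 'server' or 'client'."""
    findings = []
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("control channel unprotected: add tls-auth or tls-crypt")
    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls missing: peer cert EKU not verified")
    cipher = opts.get("cipher", ["BF-CBC"])[0]  # BF-CBC is the historical default
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {cipher}")
    tls_min = opts.get("tls-version-min", ["1.0"])[0].split()[0]
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min} permits TLS older than 1.2")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled: turn off comp-lzo/compress")
    if opts.get("reneg-sec", ["3600"])[0] == "0":
        findings.append("reneg-sec 0: data-channel key never renegotiated")
    if role == "client" and "client" not in opts and "pull" not in opts:
        findings.append("tls-client without pull: pushed routes/DNS are not requested")
    return findings

if __name__ == "__main__":
    for role, cfg in (("server", SERVER_CFG), ("client", CLIENT_NO_PULL)):
        print(role, audit(parse(cfg), role))
```

Run against the posted server config the only findings are the compression and reneg-sec ones; the posted client config passes the pull check because it carries `pull` explicitly.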