I've got my first configuration working as a Docker container on my RPi4. I'd like to ask you whether my configuration is safe (giggio's last commit was in 2016).
I followed the GitHub project https://github.com/giggio/docker-openvpn-arm, which is a branch of https://github.com/kylemanna/docker-openvpn.
I added two lines myself:
auth SHA512
cipher AES-256-CBC
This solution is a few years old and works with OpenVPN v2.3.
So here's some configuration data.
Code:
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/VPN.SERVERNAME.COM.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.SERVERNAME.COM.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
push block-outside-dns
push dhcp-option DNS 8.8.8.8
push dhcp-option DNS 8.8.4.4
### Extra Configurations Below added by me
auth SHA512
cipher AES-256-CBC
Code:
declare -x OVPN_AUTH=""
declare -x OVPN_CIPHER="AES-256-CBC"
declare -x OVPN_CLIENT_TO_CLIENT
declare -x OVPN_CN="VPN.SERVERNAME.COM"
declare -x OVPN_COMP_LZO
declare -x OVPN_DEFROUTE="1"
declare -x OVPN_DEVICE="tun"
declare -x OVPN_DNS="1"
declare -x OVPN_ENV="/etc/openvpn/ovpn_env.sh"
declare -x OVPN_FRAGMENT
declare -x OVPN_MTU
declare -x OVPN_NAT="0"
declare -x OVPN_OTP_AUTH
declare -x OVPN_PORT="1194"
declare -x OVPN_PROTO="udp"
declare -x OVPN_PUSH
declare -x OVPN_ROUTES
declare -x OVPN_SERVER="192.168.255.0/24"
declare -x OVPN_SERVER_URL="udp://VPN.SERVERNAME.COM"
declare -x OVPN_TLS_CIPHER=""
Code:
Mon Aug 3 13:00:55 2020 192.168.1.63:59163 TLS: Initial packet from [AF_INET]192.168.1.63:59163, sid=f6d0693f a8657365
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 VERIFY OK: depth=1, CN=Jasin-Easy-RSA CA
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 VERIFY OK: depth=0, CN=uzytkownik_nopass
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 [uzytkownik_nopass] Peer Connection Initiated with [AF_INET]192.168.1.63:59163
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 MULTI: Learn: 192.168.255.6 -> uzytkownik_nopass/192.168.1.63:59163
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 MULTI: primary virtual IP for uzytkownik_nopass/192.168.1.63:59163: 192.168.255.6
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 PUSH: Received control message: 'PUSH_REQUEST'
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 send_push_reply(): safe_cap=940
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 SENT CONTROL [uzytkownik_nopass]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5' (status=1)
Mon Aug 3 13:00:56 2020 uzytkownik_nopass/192.168.1.63:59163 IP packet with unknown IP version=0 seen
Code:
iptables: No chain/target/match by that name.
Enabling IPv6 Forwarding
sysctl: error setting key 'net.ipv6.conf.default.forwarding': Read-only file system
Failed to enable IPv6 Forwarding default
sysctl: error setting key 'net.ipv6.conf.all.forwarding': Read-only file system
Failed to enable IPv6 Forwarding
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd '
Mon Aug 3 12:58:10 2020 OpenVPN 2.3.12 armv6-alpine-linux-muslgnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 12 2016
Mon Aug 3 12:58:10 2020 library versions: LibreSSL 2.4.4, LZO 2.09
Mon Aug 3 12:58:10 2020 Diffie-Hellman initialized with 2048 bit key
Mon Aug 3 12:58:10 2020 Control Channel Authentication: using '/etc/openvpn/pki/ta.key' as a OpenVPN static key file
Mon Aug 3 12:58:10 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 3 12:58:10 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 3 12:58:10 2020 Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Aug 3 12:58:10 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:05
Mon Aug 3 12:58:10 2020 TUN/TAP device tun0 opened
Mon Aug 3 12:58:10 2020 TUN/TAP TX queue length set to 100
Mon Aug 3 12:58:10 2020 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Aug 3 12:58:10 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Aug 3 12:58:10 2020 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Mon Aug 3 12:58:10 2020 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Mon Aug 3 12:58:10 2020 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Mon Aug 3 12:58:10 2020 GID set to nogroup
Mon Aug 3 12:58:10 2020 UID set to nobody
Mon Aug 3 12:58:10 2020 UDPv4 link local (bound): [undef]
Mon Aug 3 12:58:10 2020 UDPv4 link remote: [undef]
Mon Aug 3 12:58:10 2020 MULTI: multi_init called, r=256 v=256
Mon Aug 3 12:58:10 2020 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Mon Aug 3 12:58:10 2020 Initialization Sequence Completed
Thank you for your time.
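As an added example (not part of the post, of docker-openvpn or of OpenVPN itself): a small Python script that reads the server config and the startup/handshake log lines posted above and flags what a reviewer would look at first. It reports the absence of `tls-version-min` and `crl-verify`, a CBC data channel, `tls-auth` without `tls-crypt`, and extracts the OpenVPN version so the 2.3.12 build from 2016 can be compared against 2.4, where `tls-crypt` and AEAD (AES-GCM) data-channel ciphers were introduced. The check list and severity labels are my own assumptions; the sample config and log lines are copied from the post, trimmed to the directives the checks need.

```python
# Audit an OpenVPN server.conf and its log for weak settings.
# Added example for the configuration posted above; not code from
# docker-openvpn or OpenVPN. Check list and severities are assumptions.
import re

# Copied from the post, trimmed to the directives the checks look at.
SAMPLE_CONF = """\
server 192.168.255.0 255.255.255.0
key /etc/openvpn/pki/private/VPN.SERVERNAME.COM.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.SERVERNAME.COM.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
user nobody
group nogroup
push block-outside-dns
push dhcp-option DNS 8.8.8.8
push dhcp-option DNS 8.8.4.4
auth SHA512
cipher AES-256-CBC
"""

# Copied from the post's log output.
SAMPLE_LOG = """\
Mon Aug 3 12:58:10 2020 OpenVPN 2.3.12 armv6-alpine-linux-muslgnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 12 2016
Mon Aug 3 12:58:10 2020 library versions: LibreSSL 2.4.4, LZO 2.09
Mon Aug 3 12:58:10 2020 Diffie-Hellman initialized with 2048 bit key
Mon Aug 3 13:00:56 2020 192.168.1.63:59163 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""


def parse_conf(text):
    """Return {directive: [argument string, ...]}, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        opts.setdefault(name, []).append(args.strip())
    return opts


def audit_conf(text):
    """Return (severity, finding) tuples for a server config."""
    o = parse_conf(text)
    f = []
    if "tls-version-min" not in o:
        f.append(("high", "no 'tls-version-min 1.2': older TLS versions are still accepted"))
    if "crl-verify" not in o:
        f.append(("high", "no 'crl-verify': revoked client certificates still authenticate"))
    if "cipher" not in o:
        f.append(("high", "no 'cipher': OpenVPN 2.3 falls back to its BF-CBC default"))
    elif "CBC" in o["cipher"][0].upper():
        f.append(("medium", "CBC data channel (%s): prefer AES-256-GCM once server and clients run 2.4+" % o["cipher"][0]))
    if "auth" not in o:
        f.append(("medium", "no 'auth': the default HMAC is SHA1"))
    if "tls-crypt" not in o:
        f.append(("low", "tls-auth only: tls-crypt (2.4+) also encrypts the control channel"))
    if "tls-cipher" not in o:
        f.append(("low", "no 'tls-cipher': the control channel accepts the library's default suites"))
    if "user" not in o or "group" not in o:
        f.append(("medium", "daemon keeps root after init: add 'user nobody' and 'group nogroup'"))
    return f


def parse_log(text):
    """Pull version, crypto library and negotiated control-channel crypto from log lines."""
    info = {}
    m = re.search(r"OpenVPN (\d+\.\d+\.\d+) .*built on (.+)$", text, re.M)
    if m:
        info["version"], info["built"] = m.group(1), m.group(2)
    m = re.search(r"library versions: (.+)$", text, re.M)
    if m:
        info["libs"] = m.group(1)
    m = re.search(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+), (\d+) bit RSA", text)
    if m:
        info["tls"], info["suite"], info["rsa_bits"] = m.group(1), m.group(2), int(m.group(3))
    return info


def supports_tls_crypt(version):
    """tls-crypt and AEAD data-channel ciphers were added in OpenVPN 2.4.0."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (2, 4)


if __name__ == "__main__":
    for sev, msg in audit_conf(SAMPLE_CONF):
        print("[%s] %s" % (sev, msg))
    info = parse_log(SAMPLE_LOG)
    print(info)
    print("tls-crypt available:", supports_tls_crypt(info["version"]))
```

Run it against your own `openvpn.conf` and container log by swapping the two sample strings for `open(...).read()`. The log parser shows what was actually negotiated (TLSv1.2 with a 2048-bit RSA key here), while the config audit shows what the server would still accept from a less well-behaved client, which is the difference `tls-version-min` and `tls-cipher` close.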