Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[OpenVPN][2.4.4.1] Client/Server VPN Solution
#1
[Image: sup_app_icon_660.fw.png]

Module is available for:

x64_OS5/OS7 - last version - 2.4.4.1
x86_OS5/OS6 - last version - 2.4.4.1
ppc_OS6 - last version - 2.4.4.1

Download

Note :



This a Basic Binary for OpenVPN Server
You need have some experience in command line to set it
the WebUI is a simple Startup and stop sequence to automate your command line when your NAS start and stop

All Binaries are located in /raid/data/module/OpenVPN/sys/bin

Qoolbox module updated to latest OpenVPN version and added some small improvements. I didn't test it personaly, thanks to share your experiences to make it better.
Use this old tread for reference in config
http://www.forum.thecus.com/showthread.php?tid=7773
Particulary this post
http://www.forum.thecus.com/showthread.p...328#pid328

Binary flag options :

Code:
OpenVPN 2.3.12 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 22 2016
[/size][/color]


General Options:

--config file   : Read configuration options from file.

--help          : Show options.

--version       : Show copyright and version information.



Tunnel Options:

--local host    : Local host name or ip address. Implies --bind.

--remote host [port] : Remote host name or ip address.

--remote-random : If multiple --remote options specified, choose one randomly.

--remote-random-hostname : Add a random string to remote DNS name.

--mode m        : Major mode, m = 'p2p' (default, point-to-point) or 'server'.

--proto p       : Use protocol p for communicating with peer.

                 p = udp (default), tcp-server, or tcp-client

--proto-force p : only consider protocol p in list of connection profiles.

                 p = udp6, tcp6-server, or tcp6-client (ipv6)

--connect-retry n : For --proto tcp-client, number of seconds to wait

                   between connection retries (default=5).

--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).

--connect-retry-max n : Maximum connection attempt retries, default infinite.

--http-proxy s p [up] [auth] : Connect to remote host

                 through an HTTP proxy at address s and port p.

                 If proxy authentication is required,

                 up is a file containing username/password on 2 lines, or

                 'stdin' to prompt from console.  Add auth='ntlm' if

                 the proxy requires NTLM authentication.

--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically

                 determine auth method and query for username/password

                 if needed.  auto-nct disables weak proxy auth methods.

--http-proxy-retry     : Retry indefinitely on HTTP proxy errors.

--http-proxy-timeout n : Proxy timeout in seconds, default=5.

--http-proxy-option type [parm] : Set extended HTTP proxy options.

                                 Repeat to set multiple options.

                 VERSION version (default=1.0)

                 AGENT user-agent

--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at

                 address s and port p (default port = 1080).

                 If proxy authentication is required,

                 up is a file containing username/password on 2 lines, or

                 'stdin' to prompt for console.

--socks-proxy-retry : Retry indefinitely on Socks proxy errors.

--resolv-retry n: If hostname resolve fails for --remote, retry

                 resolve for n seconds before failing (disabled by default).

                 Set n="infinite" to retry indefinitely.

--float         : Allow remote to change its IP address/port, such as through

                 DHCP (this is the default if --remote is not used).

--ipchange cmd  : Run command cmd on remote ip address initial

                 setting or change -- execute as: cmd ip-address port#

--port port     : TCP/UDP port # for both local and remote.

--lport port    : TCP/UDP port # for local (default=1194). Implies --bind.

--rport port    : TCP/UDP port # for remote (default=1194).

--bind          : Bind to local address and port. (This is the default unless

                 --proto tcp-client or --http-proxy or --socks-proxy is used).

--nobind        : Do not bind to local address and port.

--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.

--dev-type dt   : Which device type are we using? (dt = tun or tap) Use

                 this option only if the tun/tap device used with --dev

                 does not begin with "tun" or "tap".

--dev-node node : Explicitly set the device node rather than using

                 /dev/net/tun, /dev/tun, /dev/tap, etc.

--lladdr hw     : Set the link layer address of the tap device.

--topology t    : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.

--tun-ipv6      : Build tun link capable of forwarding IPv6 traffic.

--ifconfig l rn : TUN: configure device to use IP address l as a local

                 endpoint and rn as a remote endpoint.  l & rn should be

                 swapped on the other peer.  l & rn must be private

                 addresses outside of the subnets used by either peer.

                 TAP: configure device to use IP address l as a local

                 endpoint and rn as a subnet mask.

--ifconfig-ipv6 l r : configure device to use IPv6 address l as local

                     endpoint (as a /64) and r as remote endpoint

--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead

                   pass --ifconfig parms by environment to scripts.

--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the

                   connection doesn't match the remote side.

--route network [netmask] [gateway] [metric] :

                 Add route to routing table after connection

                 is established.  Multiple routes can be specified.

                 netmask default: 255.255.255.255

                 gateway default: taken from --route-gateway or --ifconfig

                 Specify default by leaving blank or setting to "nil".

--route-ipv6 network/bits [gateway] [metric] :

                 Add IPv6 route to routing table after connection

                 is established.  Multiple routes can be specified.

                 gateway default: taken from --route-ipv6-gateway or --ifconfig

--max-routes n :  Specify the maximum number of routes that may be defined

                 or pulled from a server.

--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.

--route-metric m : Specify a default metric for use with --route.

--route-delay n [w] : Delay n seconds after connection initiation before

                 adding routes (may be 0).  If not specified, routes will

                 be added immediately after tun/tap open.  On Windows, wait

                 up to w seconds for TUN/TAP adapter to come up.

--route-up cmd  : Run command cmd after routes are added.

--route-pre-down cmd : Run command cmd before routes are removed.

--route-noexec  : Don't add routes automatically.  Instead pass routes to

                 --route-up script using environmental variables.

--route-nopull  : When used with --client or --pull, accept options pushed

                 by server EXCEPT for routes and dhcp options.

--allow-pull-fqdn : Allow client to pull DNS names from server for

                   --ifconfig, --route, and --route-gateway.

--redirect-gateway [flags]: Automatically execute routing

                 commands to redirect all outgoing IP traffic through the

                 VPN.  Add 'local' flag if both OpenVPN servers are directly

                 connected via a common subnet, such as with WiFi.

                 Add 'def1' flag to set default route using using 0.0.0.0/1

                 and 128.0.0.0/1 rather than 0.0.0.0/0.  Add 'bypass-dhcp'

                 flag to add a direct route to DHCP server, bypassing tunnel.

                 Add 'bypass-dns' flag to similarly bypass tunnel for DNS.

--redirect-private [flags]: Like --redirect-gateway, but omit actually changing

                 the default gateway.  Useful when pushing private subnets.

--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.

--push-peer-info : (client only) push client info to server.

--setenv name value : Set a custom environmental variable to pass to script.

--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow

                 directives for future OpenVPN versions to be ignored.

--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow

                 these options to be ignored when unknown

--script-security level: Where level can be:

                 0 -- strictly no calling of external programs

                 1 -- (default) only call built-ins such as ifconfig

                 2 -- allow calling of built-ins and scripts

                 3 -- allow password to be passed to scripts via env

--shaper n      : Restrict output to peer to n bytes per second.

--keepalive n m : Helper option for setting timeouts in server mode.  Send

                 ping once every n seconds, restart if ping not received

                 for m seconds.

--inactive n [bytes] : Exit after n seconds of activity on tun/tap device

                 produces a combined in/out byte count < bytes.

--ping-exit n   : Exit if n seconds pass without reception of remote ping.

--ping-restart n: Restart if n seconds pass without reception of remote ping.

--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a

                 remote address.

--ping n        : Ping remote once every n seconds over TCP/UDP port.

--multihome     : Configure a multi-homed UDP server.

--fast-io       : (experimental) Optimize TUN/TAP/UDP writes.

--remap-usr1 s  : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').

--persist-tun   : Keep tun/tap device open across SIGUSR1 or --ping-restart.

--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.

--persist-local-ip  : Keep local IP address across SIGUSR1 or --ping-restart.

--persist-key   : Don't re-read key files across SIGUSR1 or --ping-restart.

--passtos       : TOS passthrough (applies to IPv4 only).

--tun-mtu n     : Take the tun/tap device MTU to be n and derive the

                 TCP/UDP MTU from it (default=1500).

--tun-mtu-extra n : Assume that tun/tap device might return as many

                 as n bytes more than the tun-mtu size on read

                 (default TUN=0 TAP=32).

--link-mtu n    : Take the TCP/UDP device MTU to be n and derive the tun MTU

                 from it.

--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?

                 'no'    -- Never send DF (Don't Fragment) frames

                 'maybe' -- Use per-route hints

                 'yes'   -- Always DF (Don't Fragment)

--mtu-test      : Empirically measure and report MTU.

--fragment max  : Enable internal datagram fragmentation so that no UDP

                 datagrams are sent which are larger than max bytes.

                 Adds 4 bytes of overhead per datagram.

--mssfix [n]    : Set upper bound on TCP MSS, default = tun-mtu size

                 or --fragment max value, whichever is lower.

--sndbuf size   : Set the TCP/UDP send buffer size.

--rcvbuf size   : Set the TCP/UDP receive buffer size.

--mark value    : Mark encrypted packets being sent with value. The mark value

                 can be matched in policy routing and packetfilter rules.

--txqueuelen n  : Set the tun/tap TX queue length to n (Linux only).

--memstats file : Write live usage stats to memory mapped binary file.

--mlock         : Disable Paging -- ensures key material and tunnel

                 data will never be written to disk.

--up cmd        : Run command cmd after successful tun device open.

                 Execute as: cmd tun/tap-dev tun-mtu link-mtu \

                             ifconfig-local-ip ifconfig-remote-ip

                 (pre --user or --group UID/GID change)

--up-delay      : Delay tun/tap open and possible --up script execution

                 until after TCP/UDP connection establishment with peer.

--down cmd      : Run command cmd after tun device close.

                 (post --user/--group UID/GID change and/or --chroot)

                 (command parameters are same as --up option)

--down-pre      : Run --down command before TUN/TAP close.

--up-restart    : Run up/down commands for all restarts including those

                 caused by --ping-restart or SIGUSR1

--user user     : Set UID to user after initialization.

--group group   : Set GID to group after initialization.

--chroot dir    : Chroot to this directory after initialization.

--cd dir        : Change to this directory before initialization.

--daemon [name] : Become a daemon after initialization.

                 The optional 'name' parameter will be passed

                 as the program name to the system logger.

--syslog [name] : Output to syslog, but do not become a daemon.

                 See --daemon above for a description of the 'name' parm.

--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.

                 See --daemon above for a description of the 'name' parm.

--log file      : Output log to file which is created/truncated on open.

--log-append file : Append log to file, or create file if nonexistent.

--suppress-timestamps : Don't log timestamps to stdout/stderr.

--writepid file : Write main process ID to file.

--nice n        : Change process priority (>0 = lower, <0 = higher).

--echo [parms ...] : Echo parameters to log output.

--verb n        : Set output verbosity to n (default=1):

                 (Level 3 is recommended if you want a good summary

                 of what's happening without being swamped by output).

               : 0 -- no output except fatal errors

               : 1 -- startup info + connection initiated messages +

                      non-fatal encryption & net errors

               : 2,3 -- show TLS negotiations & route info

               : 4 -- show parameters

               : 5 -- show 'RrWw' chars on console for each packet sent

                      and received from TCP/UDP (caps) or tun/tap (lc)

               : 6 to 11 -- debug messages of increasing verbosity

--mute n        : Log at most n consecutive messages in the same category.

--status file n : Write operational status to file every n seconds.

--status-version [n] : Choose the status file format version number.

                 Currently, n can be 1, 2, or 3 (default=1).

--disable-occ   : Disable options consistency check between peers.

--gremlin mask  : Special stress testing mode (for debugging only).

--comp-lzo      : Use fast LZO compression -- may add up to 1 byte per

                 packet for uncompressible data.

--comp-noadapt  : Don't use adaptive compression when --comp-lzo

                 is specified.

--management ip port [pass] : Enable a TCP server on ip:port to handle

                 management functions.  pass is a password file

                 or 'stdin' to prompt from console.

                 To listen on a unix domain socket, specific the pathname

                 in place of ip and use 'unix' as the port number.

--management-client : Management interface will connect as a TCP client to

                     ip/port rather than listen as a TCP server.

--management-query-passwords : Query management channel for private key

                 and auth-user-pass passwords.

--management-query-proxy : Query management channel for proxy information.

--management-query-remote : Query management channel for --remote directive.

--management-hold : Start OpenVPN in a hibernating state, until a client

                   of the management interface explicitly starts it.

--management-signal : Issue SIGUSR1 when management disconnect event occurs.

--management-forget-disconnect : Forget passwords when management disconnect

                                event occurs.

--management-up-down : Report tunnel up/down events to management interface.

--management-log-cache n : Cache n lines of log file history for usage

                 by the management channel.

--management-client-user u  : When management interface is a unix socket, only

                             allow connections from user u.

--management-client-group g : When management interface is a unix socket, only

                             allow connections from group g.

--management-client-auth : gives management interface client the responsibility

                          to authenticate clients after their client certificate

                             has been verified.

--management-client-pf : management interface clients must specify a packet

                        filter file for each connecting client.

--plugin m [str]: Load plug-in module m passing str as an argument

                 to its initialization function.



Multi-Client Server options (when --mode server is used):

--server network netmask : Helper option to easily configure server mode.

--server-ipv6 network/bits : Configure IPv6 server mode.

--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to

                   easily configure ethernet bridging server mode.

--push "option" : Push a config file option back to the peer for remote

                 execution.  Peer must specify --pull in its config file.

--push-reset    : Don't inherit global push list for specific

                 client instance.

--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets

                 to be dynamically allocated to connecting clients.

--ifconfig-pool-linear : Use individual addresses rather than /30 subnets

                 in tun mode.  Not compatible with Windows clients.

--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool

                 data to file, at seconds intervals (default=600).

                 If seconds=0, file will be treated as read-only.

--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block

                 to be dynamically allocated to connecting clients.

--ifconfig-push local remote-netmask : Push an ifconfig option to remote,

                 overrides --ifconfig-pool dynamic allocation.

                 Only valid in a client-specific config file.

--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to

                 remote, overrides --ifconfig-ipv6-pool allocation.

                 Only valid in a client-specific config file.

--iroute network [netmask] : Route subnet to client.

--iroute-ipv6 network/bits : Route IPv6 subnet to client.

                 Sets up internal routes only.

                 Only valid in a client-specific config file.

--disable       : Client is disabled.

                 Only valid in a client-specific config file.

--client-cert-not-required : Don't require client certificate, client

                 will authenticate using username/password.

--username-as-common-name  : For auth-user-pass authentication, use

                 the authenticated username as the common name,

                 rather than the common name from the client cert.

--auth-user-pass-verify cmd method: Query client for username/password and

                 run command cmd to verify.  If method='via-env', pass

                 user/pass via environment, if method='via-file', pass

                 user/pass via temporary file.

--opt-verify    : Clients that connect with options that are incompatible

                 with those of the server will be disconnected.

--auth-user-pass-optional : Allow connections by clients that don't

                 specify a username/password.

--no-name-remapping : Allow Common Name and X509 Subject to include

                     any printable character.

--client-to-client : Internally route client-to-client traffic.

--duplicate-cn  : Allow multiple clients with the same common name to

                 concurrently connect.

--client-connect cmd : Run command cmd on client connection.

--client-disconnect cmd : Run command cmd on client disconnection.

--client-config-dir dir : Directory for custom client config files.

--ccd-exclusive : Refuse connection unless custom client config is found.

--tmp-dir dir   : Temporary directory, used for --client-connect return file and plugin communication.

--hash-size r v : Set the size of the real address hash table to r and the

                 virtual address table to v.

--bcast-buffers n : Allocate n broadcast buffers.

--tcp-queue-limit n : Maximum number of queued TCP output packets.

--tcp-nodelay   : Macro that sets TCP_NODELAY socket flag on the server

                 as well as pushes it to connecting clients.

--learn-address cmd : Run command cmd to validate client virtual addresses.

--connect-freq n s : Allow a maximum of n new connections per s seconds.

--max-clients n : Allow a maximum of n simultaneously connected clients.

--max-routes-per-client n : Allow a maximum of n internal routes per client.

--stale-routes-check n [t] : Remove routes with a last activity timestamp

                            older than n seconds. Run this check every t

                            seconds (defaults to n).

--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS

                 sessions to a web server at host:port.  dir specifies an

                 optional directory to write origin IP:port data.



Client options (when connecting to a multi-client server):

--client         : Helper option to easily configure client mode.

--auth-user-pass [up] : Authenticate with server using username/password.

                 up is a file containing the username on the first line,

                 and a password on the second. If either the password or both

                 the username and the password are omitted OpenVPN will prompt

                 for them from console.

--pull           : Accept certain config file options from the peer as if they

                 were part of the local config file.  Must be specified

                 when connecting to a '--mode server' remote host.

--auth-retry t  : How to handle auth failures.  Set t to

                 none (default), interact, or nointeract.

--static-challenge t e : Enable static challenge/response protocol using

                 challenge text t, with e indicating echo flag (0|1)

--server-poll-timeout n : when polling possible remote servers to connect to

                 in a round-robin fashion, spend no more than n seconds

                 waiting for a response before trying the next server.

--explicit-exit-notify [n] : On exit/restart, send exit signal to

                 server/remote. n = # of retries, default=1.



Data Channel Encryption Options (must be compatible between peers):

(These options are meaningful for both Static Key & TLS-mode)

--secret f [d]  : Enable Static Key encryption mode (non-TLS).

                 Use shared secret file f, generate with --genkey.

                 The optional d parameter controls key directionality.

                 If d is specified, use separate keys for each

                 direction, set d=0 on one side of the connection,

                 and d=1 on the other side.

--auth alg      : Authenticate packets with HMAC using message

                 digest algorithm alg (default=SHA1).

                 (usually adds 16 or 20 bytes per packet)

                 Set alg=none to disable authentication.

--cipher alg    : Encrypt packets with cipher algorithm alg

                 (default=BF-CBC).

                 Set alg=none to disable encryption.

--prng alg [nsl] : For PRNG, use digest algorithm alg, and

                  nonce_secret_len=nsl.  Set alg=none to disable PRNG.

--keysize n     : Size of cipher key in bits (optional).

                 If unspecified, defaults to cipher-specific default.

--engine [name] : Enable OpenSSL hardware crypto engine functionality.

--no-replay     : Disable replay protection.

--mute-replay-warnings : Silence the output of replay warnings to log file.

--replay-window n [t]  : Use a replay protection sliding window of size n

                        and a time window of t seconds.

                        Default n=64 t=15

--no-iv         : Disable cipher IV -- only allowed with CBC mode ciphers.

--replay-persist file : Persist replay-protection state across sessions

                 using file.

--test-crypto   : Run a self-test of crypto features enabled.

                 For debugging only.



TLS Key Negotiation Options:

(These options are meaningful only for TLS-mode)

--tls-server    : Enable TLS and assume server role during TLS handshake.

--tls-client    : Enable TLS and assume client role during TLS handshake.

--key-method m  : Data channel key exchange method.  m should be a method

                 number, such as 1 (default), 2, etc.

--ca file       : Certificate authority file in .pem format containing

                 root certificate.

--capath dir    : A directory of trusted certificates (CAs and CRLs).

--dh file       : File containing Diffie Hellman parameters

                 in .pem format (for --tls-server only).

                 Use "openssl dhparam -out dh1024.pem 1024" to generate.

--cert file     : Local certificate in .pem format -- must be signed

                 by a Certificate Authority in --ca file.

--extra-certs file : one or more PEM certs that complete the cert chain.

--key file      : Local private key in .pem format.

--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we

   will accept from the peer.  If version is unrecognized and 'or-highest'

   is specified, require max TLS version supported by SSL implementation.

--tls-version-max <version> : sets the maximum TLS version we will use.

--pkcs12 file   : PKCS#12 file containing local private key, local certificate

                 and optionally the root CA certificate.

--verify-hash   : Specify SHA1 fingerprint for level-1 cert.

--tls-cipher l  : A list l of allowable TLS ciphers separated by : (optional).

               : Use --show-tls to see a list of supported TLS ciphers.

--tls-timeout n : Packet retransmit timeout on TLS control channel

                 if no ACK from remote within n seconds (default=2).

--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.

--reneg-pkts n  : Renegotiate data chan. key after n packets sent and recvd.

--reneg-sec n   : Renegotiate data chan. key after n seconds (default=3600).

--hand-window n : Data channel key exchange must finalize within n seconds

                 of handshake initiation by any peer (default=60).

--tran-window n : Transition window -- old key can live this many seconds

                 after new key renegotiation begins (default=3600).

--single-session: Allow only one session (reset state on restart).

--tls-exit      : Exit on TLS negotiation failure.

--tls-auth f [d]: Add an additional layer of authentication on top of the TLS

                 control channel to protect against DoS attacks.

                 f (required) is a shared-secret passphrase file.

                 The optional d parameter controls key directionality,

                 see --secret option for more info.

--askpass [file]: Get PEM password from controlling tty before we daemonize.

--auth-nocache  : Don't cache --askpass or --auth-user-pass passwords.

--crl-verify crl ['dir']: Check peer certificate against a CRL.

--tls-verify cmd: Run command cmd to verify the X509 name of a

                 pending TLS connection that has otherwise passed all other

                 tests of certification.  cmd should return 0 to allow

                 TLS handshake to proceed, or 1 to fail.  (cmd is

                 executed as 'cmd certificate_depth subject')

--tls-export-cert [directory] : Get peer cert in PEM format and store it

                 in an openvpn temporary file in [directory]. Peer cert is

                 stored before tls-verify script execution and deleted after.

--verify-x509-name name: Accept connections only from a host with X509 subject

                 DN name. The remote host must also pass all other tests

                 of verification.

--ns-cert-type t: Require that peer certificate was signed with an explicit

                 nsCertType designation t = 'client' | 'server'.

--x509-track x  : Save peer X509 attribute x in environment for use by

                 plugins and management interface.

--remote-cert-ku v ... : Require that the peer certificate was signed with

                 explicit key usage, you can specify more than one value.

                 value should be given in hex format.

--remote-cert-eku oid : Require that the peer certificate was signed with

                 explicit extended key usage. Extended key usage can be encoded

                 as an object identifier or OpenSSL string representation.

--remote-cert-tls t: Require that peer certificate was signed with explicit

                 key usage and extended key usage based on RFC3280 TLS rules.

                 t = 'client' | 'server'.



SSL Library information:

--show-ciphers  : Show cipher algorithms to use with --cipher option.

--show-digests  : Show message digest algorithms to use with --auth option.

--show-engines  : Show hardware crypto accelerator engines (if available).

--show-tls      : Show all TLS ciphers (TLS used only as a control channel).



Generate a random key (only for non-TLS static key encryption mode):

--genkey        : Generate a random key to be used as a shared secret,

                 for use with the --secret option.

--secret file   : Write key to file.



Tun/tap config mode (available with linux 2.4+):

--mktun         : Create a persistent tunnel.

--rmtun         : Remove a persistent tunnel.

--dev tunX|tapX : tun/tap device

--dev-type dt   : Device type.  See tunnel options above for details.

--user user     : User to set privilege to.

--group group   : Group to set privilege to.



General Standalone Options:

--show-gateway : Show info about default gateway.
[color=#000000][size=small][u]
[/u]


OpenVPN Community Software





OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.



OpenVPN combines security with ease-of-use


OpenVPN's lightweight design sheds many of the complexities that characterize other VPN implementations. The OpenVPN security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#2
Good news, I will test it with OS7 to the end of the week. It`s possible to add this module to your repo ?

[Edit]

2016/09/23 19:16:05: The App will install/upgrade, please do not reload or close the admin UI
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: Copy server.conf from sample directory to main directory
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: edit your server.conf with the following :
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: ca /raid/data/OPENVPN_CONFIG/certs/ca.pem
2016/09/23 19:16:34: cert /raid/data/OPENVPN_CONFIG/certs/cert.pem
2016/09/23 19:16:34: key /raid/data/OPENVPN_CONFIG/private/key.nopass.pem
2016/09/23 19:16:34: dh /raid/data/OPENVPN_CONFIG/dh2048.pem
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: All is done
2016/09/23 19:16:34: OpenVPN - CLient and Server VPN Solution
2016/09/23 19:16:34: ------------------
2016/09/23 19:16:34: Geek Version
2016/09/23 19:16:34: ------------------
2016/09/23 19:16:34: on your mark, get set, GO!
2016/09/23 19:16:34: App installation successful.

but
2016/09/23 19:16:35: File extract failed, please make sure it is a module file
2016/09/23 19:16:35: App installation failed.

and module install failed.

So I have binaries at system, but at GUI hasn`t a Openvpn module on installed module list...

N5810 - OS7
Reply
#3
Upgrade from 2.3.5 installed fine for me.
Thanx for the great update, I use this module a lot.

After install the only real issue was that my already configured start.sh and stop.sh were overwritten with the default (empty) files.
Is it possible to check existence of these files before the start of the upgrade, make a backup and place them back later on in the proces?

Also because I use my own keys that are not in the default location, the upgrade script started creating all kind of examples and new keys again.
It is not really bad, just overkill and all kind of extra files on my system I do not need.
Is it a good option to skip those steps when doing an upgrade (implying you already have a running config)?

BTW, I also made a post at that time with some sample configs
http://forum.thecus.com/showthread.php?tid=7779

I made some modifications to mine over time (for example I am using Link Agregation now). Will see if I can post them later this weekend and update that topic as well Smile
Thecus N5550 (CPU: D2550 @ 1.86GHz, BIOS: CDV_T26 X64)
Disks:  4*3TB Raid5 (4 * Hitachi Ultrastar 7K3000 HUA723030ALA640)
Memory:  8GB (2*4GB Corsair CMSO8GX3M2A1333C9)
Firmware: 2.05.14.5 (with MEM=4G removed from menu.lst)
Reply
#4
(09-24-2016, 01:34 AM)VDR Wrote: Good news, I will test it with OS7 to the end of the week. It`s possible to add this module to your repo ?

[Edit]

2016/09/23 19:16:05: The App will install/upgrade, please do not reload or close the admin UI
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: Copy server.conf from sample directory to main directory
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: edit your server.conf with the following :
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: ca /raid/data/OPENVPN_CONFIG/certs/ca.pem
2016/09/23 19:16:34: cert /raid/data/OPENVPN_CONFIG/certs/cert.pem
2016/09/23 19:16:34: key /raid/data/OPENVPN_CONFIG/private/key.nopass.pem
2016/09/23 19:16:34: dh /raid/data/OPENVPN_CONFIG/dh2048.pem
2016/09/23 19:16:34: -----------------------------------------------------
2016/09/23 19:16:34: All is done
2016/09/23 19:16:34: OpenVPN - CLient and Server VPN Solution
2016/09/23 19:16:34: ------------------
2016/09/23 19:16:34: Geek Version
2016/09/23 19:16:34: ------------------
2016/09/23 19:16:34: on your mark, get set, GO!
2016/09/23 19:16:34: App installation successful.

but
2016/09/23 19:16:35: File extract failed, please make sure it is a module file
2016/09/23 19:16:35: App installation failed.

and module install failed.

So I have binaries at system, but at GUI hasn`t a Openvpn module on installed module list...

N5810 - OS7

Strange, i have also N5810 for OS7 and installation is fine. Can you download again the module ?
Anyway, i will make some small adjustments and then publish a new version in the repository
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#5
I uninstalled, downloaded, installed and.... all is ok at this time. Strange, but I think, it was a problem with my NAS, because before that I restarted NAS and I`ve got the module in GUI list.
Reply
#6
Hi, seems to be an important update to 2.4.4.
I want to buy and install it. Can you pleae update?

https://openvpn.net/index.php/download/c...loads.html
Reply
#7
updated to 2.4.4.0
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#8
(12-11-2017, 07:30 AM)outkastm Wrote: updated to 2.4.4.0
awezome, thanks. Donated for download.

After a day of messing with openvpn I managed to start it from a putty terminal and load the files from my VPN-service (NordvPN). I do this by running /raid/data/module/OpenVPN/sys/bin/openvpn <path to the ovpnfile>/file.nordvpn.com.utp.ovpn . After entering my username/pass the client works. I have to press CTRL-C to end. But I want to start it automatically and cannot find the start or stop files? So how do I get this to work on module start?

Opening the module shows a screen where I am suppost to be able to modify the "Startup sequence", "Stop sequence" and the "Server.conf". But I can only edit the Server.conf. Start and Stop say "Change Done" upon clicking Modify, but they remain blank.

Any idea?
Reply
#9
updated to 2.4.4.1, fixed saving issue for start/stop scripts
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#10
Hi, I want to run Openvpn as a client to my NordVPN account. So I only want my NAS to run the VPN, not to act as a server.
I put the NordVPN keys into a folder (/raid/module/OpenVPN/etc/keys/ovpn_tcp/)

If I ssh into my NAS this command starts the VPN:

raid/data/module/OpenVPN/sys/bin/openvpn /raid/module/OpenVPN/etc/keys/ovpn_tcp/nl161.nordvpn.com.utp.ovpn
Have to enter user/pass and it works. But want to use the start/stop/server scripts to automate instead having to ssh all times to get it working.

I made a user/pass file and got the .ovpn into the server.conf , see below.
Can anybody help me with the start/stop code to activate this?


Code:
client
dev tun
proto udp
remote 131.255.4.107 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass /raid/module/OpenVPN/etc/config/nordvpnauth.txt

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
<REMOVED FOR POSTING>

-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<REMOVED FOR POSTING>
-----END OpenVPN Static key V1-----
Reply
#11
i'll have a look on that
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#12
Be sure to have 2.4.4.1 module version
create a file named auth.txt in /raid/data/OPENVPN_CONFIG/ with 2 lines
Code:
username
password

In server.conf where you have added your nordVPN config, add this line

Code:
auth-user-pass /raid/data/OPENVPN_CONFIG/auth.txt

In start.sh add this line

Code:
/raid/data/module/OpenVPN/sys/bin/openvpn --config /raid/data/OPENVPN_CONFIG/server.conf
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#13
(12-23-2017, 09:01 PM)outkastm Wrote: Be sure to have 2.4.4.1 module version
create a file named auth.txt in /raid/data/OPENVPN_CONFIG/ with 2 lines
Code:
username
password

In server.conf where you have added your nordVPN config, add this line

Code:
auth-user-pass /raid/data/OPENVPN_CONFIG/auth.txt

In start.sh add this line

Code:
/raid/data/module/OpenVPN/sys/bin/openvpn --config /raid/data/OPENVPN_CONFIG/server.conf

thx. So only one line in start? and none in stop?
Reply
#14
well i'll check for a line to stop
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply
#15
you can add in stop.sh

Code:
killall openvpn
-----------------------------------------------------------------------------------------------------
[Image: linkedinbutton.jpg]
Download modules from my forum pirinel.ro
Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  [ UrBackup ] Client/server backup system outkastm 42 18,331 02-10-2018, 03:05 AM
Last Post: outkastm
  [OpenVPN - Geek Version] [2.3.5] Client/Server VPN Solution Qoolbox 61 32,691 07-13-2017, 06:56 AM
Last Post: pizzix
  [ Adito VPN x86 & x64 ] [ 0.9.1.0 ] OpenVPN-ALS Server Qoolbox 37 13,186 12-19-2013, 07:06 AM
Last Post: Qoolbox
  [ Adito VPN x86 & x64 ] [ 0.9.1.0 ] OpenVPN-ALS Server 0 7,531 Less than 1 minute ago
Last Post:

Forum Jump:


Users browsing this thread: 1 Guest(s)