差異處
這裏顯示兩個版本的差異處。
| Both sides previous revision 前次修改 下次修改 | 前次修改 | ||
|
openvpn [2017/12/18 01:45] jz |
openvpn [2018/01/01 23:37] (目前版本) jz |
||
|---|---|---|---|
| 行 51: | 行 51: | ||
| </code> | </code> | ||
| + | ===== Conf ===== | ||
| + | <code bash> | ||
| + | cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server/server.conf | ||
| + | |||
| + | # add following for better cipher | ||
| + | cipher AES-256-CBC | ||
| + | auth SHA512 | ||
| + | tls-version-min 1.2 | ||
| + | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA | ||
| + | |||
| + | # shared port 443 | ||
| + | proto tcp | ||
| + | port 443 | ||
| + | port-share 127.0.0.1 4443 # e.g. nginx open port at 4443 | ||
| + | </code> | ||
| + | |||
| + | ===== NAT ===== | ||
| + | <code bash> | ||
| + | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | ||
| + | </code> | ||
| + | |||
| + | ===== OpenSC ===== | ||
| + | <code bash> | ||
| + | # combine cert into p12 format | ||
| + | openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes | ||
| + | # import cert into yubikey | ||
| + | yubico-piv-tool -s 9a -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k | ||
| + | # show id | ||
| + | openvpn --show-pkcs11-ids opensc-pkcs11.so | ||
| + | # client config: replace cert and key section with following | ||
| + | pkcs11-id piv_II/PKCS.................... # replace this with the id in the previous command output | ||
| + | pkcs11-providers opensc-pkcs11.so | ||
| + | </code> | ||
