OpenVPN

Information Directory


  • OpenVPN client config
    • Android: pkcs12 vpn-client1.p12 can be removed (line 57), as Android imports certs into its keychain
  • OpenVPN server config for OpenWrt
    • Will need to be modified slightly for other Linux/BSD distros:
      • option and list aren't utilized & should be removed
      • _ should be changed to -
  • OpenVPN server config for Sophos UTM/XG
    • Located at: /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf-default
      • tls-crypt.psk must be manually added to the directory /var/sec/chroot-openvpn/etc/openvpn
        • Generate with: openvpn --genkey --secret /var/sec/chroot-openvpn/etc/openvpn/tls-crypt.psk
      • The two blank lines following [<OPTIONS>] should remain, followed by the EOF blank line, for three blank lines in total.
        • When SSL VPN is enabled in WebAdmin, ConfD will append two additional options to the end of /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf
          • Upon SSL VPN being enabled in WebAdmin, ConfD utilizes openvpn.conf-default to dynamically create /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf; once disabled, it deletes openvpn.conf
      • The single # at the beginning of the file is for vim; without it, vim won't apply syntax highlighting to the config file.
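
A check for the OpenWrt note above (remove option and list, change _ to -), useful after hand-editing the server config for another Linux/BSD distro. This is an added example, not part of the repository; the function name uci_residue and the sample config with its paths are constructed for illustration.

```python
UCI_KEYWORDS = {"option", "list"}  # the two UCI keywords the notes say to remove

def uci_residue(conf_text):
    """Return (line_no, message) for each line still in OpenWrt UCI form."""
    findings = []
    in_inline = False  # True while inside an inline <ca>...</ca>-style block
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        if line.startswith("</"):
            in_inline = False
            continue
        if line.startswith("<"):
            in_inline = True
            continue
        if in_inline:                     # key/cert material, not directives
            continue
        tokens = line.split()
        if tokens[0] in UCI_KEYWORDS:
            findings.append((no, f"leading UCI keyword '{tokens[0]}'"))
            tokens = tokens[1:]
        # Only the directive name is checked: underscores in values
        # (file paths, for example) are legitimate and left alone.
        if tokens and "_" in tokens[0]:
            fixed = tokens[0].replace("_", "-")
            findings.append((no, f"directive '{tokens[0]}' should be '{fixed}'"))
    return findings

# Constructed sample: lines 2-4 are still in UCI form, lines 5-6 are converted.
SAMPLE = """\
# constructed sample, not the repository's config
option dev 'tun0'
option tls_crypt '/etc/openvpn/tls_crypt.psk'
list push 'route 192.168.1.0 255.255.255.0'
persist-key
ca /etc/ssl/my_ca.crt
"""

if __name__ == "__main__":
    for no, msg in uci_residue(SAMPLE):
        print(f"line {no}: {msg}")
```

The check covers only the two edits the note names; UCI value quoting still needs a manual look, since OpenVPN treats a quoted string as a single parameter.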
EC TLS Ciphers
  • x64 systems can process SHA512 faster than SHA256
DH Keys
  • It's recommended to generate multiple DH [Diffie-Hellman] values at the same time (2048, 3072, 4096)
    • DH generation takes substantial time, with each subsequent generation occurring faster due to the rand file