OpenVPN 2 Cookbook.
Title:
OpenVPN 2 Cookbook.
Author:
Keijser, Jan Just.
ISBN:
9781849510110
Edition:
1st ed.
Physical Description:
1 online resource (441 pages)
Contents:
OpenVPN 2 Cookbook -- Table of Contents -- OpenVPN 2 Cookbook -- Credits -- About the Author -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers and more -- Why Subscribe? -- Free Access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Errata -- Piracy -- Questions -- 1. Point-to-Point Networks -- Introduction -- Shortest setup possible -- Getting ready -- How to do it... -- How it works... -- There's more... -- Using the TCP protocol -- Forwarding non-IP traffic over the tunnel -- OpenVPN secret keys -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Multiple secret keys -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Plaintext tunnel -- Getting ready -- How to do it... -- How it works... -- There's more... -- Routing -- Getting ready -- How to do it... -- How it works... -- There's more... -- Routing issues -- Automating the setup -- See also -- Configuration files versus the command-line -- Getting ready -- How to do it... -- How it works... -- There's more... -- OpenVPN 2.1 specifics -- Complete site-to-site setup -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- 3-way routing -- Getting ready -- How to do it... -- How it works... -- There's more... -- Scalability -- Routing protocols -- See also -- 2. Client-server IP-only Networks -- Introduction -- Setting up the public and private keys -- Getting ready -- How to do it... -- How it works... -- There's more... -- Using the easy-rsa scripts on Windows -- Some notes on the different variables -- See also -- Simple configuration -- Getting ready -- How to do it... -- How it works... -- There's more... -- 'net30' addresses.

Server-side routing -- Getting ready -- How to do it... -- How it works... -- There's more... -- Linear addresses -- Using the TCP protocol -- Server certificates and ns-cert-type server -- Masquerading -- Using 'client-config-dir' files -- Getting ready -- How to do it... -- How it works... -- There's more... -- Default configuration file -- Troubleshooting -- OpenVPN 2.0 'net30' compatibility -- Allowed options in a 'client-config-dir' file -- Routing: subnets on both sides -- Getting ready -- How to do it... -- How it works... -- There's more... -- Masquerading -- Client-to-client subnet routing -- See also -- Redirecting the default gateway -- Getting ready -- How to do it... -- How it works... -- There's more... -- Redirect-gateway parameters -- Split tunneling -- See also -- Using an 'ifconfig-pool' block -- Getting ready -- How to do it... -- How it works... -- There's more... -- Configuration files on Windows -- Topology subnet -- Client-to-client access -- Using the TCP protocol -- Using the status file -- Getting ready -- How to do it... -- How it works... -- There's more... -- Status parameters -- Disconnecting clients -- Explicit-exit-notify -- Management interface -- Getting ready -- How to do it... -- How it works... -- There's more... -- Server-side management interface -- See Also -- Proxy-arp -- Getting ready -- How to do it... -- How it works... -- There's more... -- User 'nobody' -- TAP-style networks -- Broadcast traffic might not always work -- See also -- 3. Client-server Ethernet-style Networks -- Introduction -- Simple configuration-non-bridged -- Getting ready -- How to do it... -- How it works... -- There's more... -- Differences between TUN and TAP -- Using the TCP protocol -- Making IP forwarding permanent -- See also -- Enabling client-to-client traffic -- Getting ready -- How to do it... -- How it works...

There's more... -- Broadcast traffic may affect scalability -- Filtering traffic -- TUN-style networks -- Bridging-Linux -- Getting ready -- How to do it... -- How it works... -- There's more... -- Fixed addresses & the default gateway -- Name resolution -- See also -- Bridging-Windows -- Getting ready -- How to do it... -- How it works... -- See also -- Checking broadcast and non-IP traffic -- Getting ready -- How to do it... -- How it works... -- External DHCP server -- Getting ready -- How to do it... -- How it works... -- There's more... -- DHCP server configuration -- DHCP relay -- Tweaking the /etc/sysconfig/network-scripts -- Using the status file -- Getting ready -- How to do it... -- How it works... -- There's more... -- Difference with TUN-style networks -- Disconnecting clients -- See also -- Management interface -- Getting ready -- How to do it... -- How it works... -- There's more... -- Client side management interface -- See also -- 4. PKI, Certificates, and OpenSSL -- Introduction -- Certificate generation -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- xCA: a GUI for managing a PKI (Part 1) -- Getting ready -- How to do it... -- How it works... -- There's more... -- xCA : a GUI for managing a PKI (Part 2) -- Getting ready -- How to do it... -- How it works... -- There's more... -- OpenSSL tricks: x509, pkcs12, verify output -- Getting ready -- How to do it... -- How it works... -- Revoking certificates -- Getting ready -- How to do it... -- How it works... -- There's more... -- What is needed to revoke a certificate -- See also -- The use of CRLs -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Checking expired/revoked certificates -- Getting ready -- How to do it... -- How it works... -- There's more... -- Intermediary CAs -- Getting ready.

How to do it... -- How it works... -- There's more... -- Multiple CAs: stacking, using --capath -- Getting ready -- How to do it... -- How it works... -- There's more... -- Stacking CRLs -- Using the --capath directive -- 5. Two-factor Authentication with PKCS#11 -- Introduction -- Initializing a hardware token -- Getting ready -- How to do it... -- How it works... -- There's more... -- Public and private objects -- OpenSC versus Aladdin PKI Client driver -- Getting a hardware token ID -- Getting ready -- How to do it... -- How it works... -- There's more... -- What about automatic selection? -- PKCS#11 libraries -- Using a hardware token -- Getting ready -- How to do it... -- How it works... -- There's more... -- What is different? -- Using the OpenSC driver -- Using the management interface to list PKCS#11 certificates -- Getting ready -- How to do it... -- How it works... -- See also -- Selecting a PKCS#11 certificate using the management interface -- Getting ready -- How to do it... -- How it works... -- There's more... -- Generating a key on the hardware token -- Getting ready -- How to do it... -- How it works... -- Private method for getting a PKCS#11 certificate -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Pin caching example -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- 6. Scripting and Plugins -- Introduction -- Using a client-side up/down script -- Getting ready -- How to do it... -- How it works... -- There's more... -- Environment variables -- Calling the 'down' script before the connection terminates -- Advanced: verify the remote hostname -- Windows login greeter -- Getting ready -- How to do it... -- How it works... -- There's more... -- Spaces in filenames -- setenv or setenv-safe -- Security considerations.

Using client-connect/client-disconnect scripts -- Getting ready -- How to do it... -- How it works... -- There's more... -- 'client-disconnect' scripts -- Environment variables -- Absolute paths -- Using a 'learn-address' script -- Getting ready -- How to do it... -- How it works... -- There's more... -- User 'nobody' -- The 'update' action -- Using a 'tls-verify' script -- Getting ready -- How to do it... -- How it works... -- There's more... -- Using an 'auth-user-pass-verify' script -- Getting ready -- How to do it... -- How it works... -- There's more... -- Specifying the username and password in a file on the client -- Passing the password via environment variables -- Script order -- Getting ready -- How to do it... -- How it works... -- There's more... -- Script security and logging -- Getting ready -- How to do it... -- How it works... -- There's more... -- Using the 'down-root' plugin -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Using the PAM authentication plugin -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- 7. Troubleshooting OpenVPN: Configurations -- Introduction -- Cipher mismatches -- Getting ready -- How to do it... -- How it works... -- There's more... -- TUN versus TAP mismatches -- Getting ready -- How to do it... -- How it works... -- Compression mismatches -- Getting ready -- How to do it... -- How it works... -- There's more... -- Key mismatches -- Getting ready -- How to do it... -- How it works... -- See also -- Troubleshooting MTU and tun-mtu issues -- Getting ready -- How to do it... -- How it works... -- There's more... -- See also -- Troubleshooting network connectivity -- Getting ready -- How to do it... -- How it works... -- There's more... -- Troubleshooting 'client-config-dir' issues -- Getting ready -- How to do it...

How it works...
Abstract:
100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.