content:en_us:7_ug_openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
content:en_us:7_ug_openvpn [2020/07/20 08:43] 84.9.57.48 |
content:en_us:7_ug_openvpn [2021/03/31 10:14] 84.9.57.48 |
||
|---|---|---|---|
| Line 325: | Line 325: | ||
| ==== Alternative Method ==== | ==== Alternative Method ==== | ||
| - | There is an alternative way of importing the profile information in iOS which is also compatible with Android and Windows, but it means manipulating the .ovpn file. It has the advantage of putting the certificates in a single file with the profile information and is therefore suitable for importing from an e-mail or browser. | + | There is an alternative way of importing the profile information in iOS which is also compatible with Android and Windows, but it means manipulating the .ovpn file to embed the certificates in it. It has the advantage of putting the certificates in a single file with the profile information and is therefore suitable for importing from an e-mail or browser. |
| <note> | <note> | ||
| Line 338: | Line 338: | ||
| </code> | </code> | ||
| - | Your file should look something like this. | + | Your file should then look something like this: |
| + | <code> | ||
| + | client | ||
| + | remote [hostname] 1194 | ||
| + | dev tun | ||
| + | proto udp | ||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | user nobody | ||
| + | group nobody | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | ns-cert-type server | ||
| + | comp-lzo | ||
| + | verb 3 | ||
| + | float | ||
| + | auth-user-pass | ||
| + | </code> | ||
| Be sure that your 'hostname' is defined correctly. It should match the hostname used to access ClearOS. | Be sure that your 'hostname' is defined correctly. It should match the hostname used to access ClearOS. | ||
| + | Then add your certificates to make the file look like: | ||
| <code> | <code> | ||
| client | client | ||
| Line 376: | Line 394: | ||
| Now you no longer need the separate certificate and key files. This alternative profile can be imported directly from an e-mail in iOS or, if you can put it in a location where you can browse to it, you can download it with the Safari browser. | Now you no longer need the separate certificate and key files. This alternative profile can be imported directly from an e-mail in iOS or, if you can put it in a location where you can browse to it, you can download it with the Safari browser. | ||
| + | |||
| + | <note tip>This method should also work with Windows and Android and possibly most other operating systems. Just be sure that you modify the ovpn file relevant for your O/S.</note> | ||
| === Importing Configuration File into iOS === | === Importing Configuration File into iOS === | ||
| Line 478: | Line 498: | ||
| ===== OpenVPN with Gateway Management/DNSThingy ===== | ===== OpenVPN with Gateway Management/DNSThingy ===== | ||
| - | There is currently (20 Jul 2020) a problem for OpenVPN users trying to access devices on the ClearOS LAN if the ClearOS LAN is protected by Gateway Management or DNSThingy with Don't Talk to Strangers (DTTS) enabled. The official DNSThingy solution is to go into the control panel then go Rules > Enablers (at the top) and add an enabler with the following in it: | + | <note info>If you have had any enablers or any custom firewall set up to allow LAN access by OpenVPN, since Gateway Management v2.5 was released, these are no longer necessary and can be removed</note> |
| - | <code>your_LAN_subnet|td0-65535,ud0-65535</code>Repeat the line for multiple LAN subnets. This will allow all TCP and UDP traffic through to the LAN, but **it will not allow pings (ICMP) **. | + | |
| - | There is an alternative solution which will allow all traffic including ICMP. Create a Custom Firewall rule with the following rule: | + | If you had an Enabler (go Rules > Enablers in the dashboard) like: |
| - | <code>$IPTABLES -I FORWARD -i tun+ -j ACCEPT</code> | + | <code>your_LAN_subnet|td0-65535,ud0-65535</code>It can now be removed |
| - | It is OK to use both solutions at the same time. | + | If you had a Custom Firewall rule with the following rule: |
| + | <code>$IPTABLES -I FORWARD -i tun+ -j ACCEPT</code>It can now be removed. You may have had one rule for each LAN if you have multiple LAN's. | ||
| - | Note that there is a version of Gateway Management in beta testing which fixes this issue, but until it is released this rule will be needed. | + | Similarly there used to be a mini script for a file in /etc/clearos/firewall.d/something. This can now be removed. |
| ===== Softphone/VoIP issue ===== | ===== Softphone/VoIP issue ===== | ||
content/en_us/7_ug_openvpn.txt · Last modified: 2021/03/31 10:14 by 84.9.57.48