When setting UP a DAL router as OpenVPN Server, it could be useful to add some extra OpenVPN parameters, that differ from the default ones used by DAL.
This can be done in the "Advanced Options" section, following the rules below:
- All openvpn parameters must start with ‘--’
- If multiple commands, they must be separated by a space
This will create a new line in the OpenVPN config is created for every occurrence of ‘--’, for example, inserting --auth SHA256 --push "route 192.168.2.0 255.255.255.0":
adds the following lines to the server config file:
push "route 192.168.2.0 255.255.255.0“
If illegal options are given or format is wrong (for example the "--" is missing), the openvpn server will fail to start and in the System > Logs section there will be an error like the following example:
If the override box is selected, then the config file will consist of only the commands from advanced options section (almost same as using a server config file). This is not usually recommended as it would be OpenVPN that will manage the network and not the device.
Examples of most commonly used commands:
Usage: The tls-auth option adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using a PSK key (that need to be shared between the peers).
This can aid in mitigating denial-of-service attempts from unauthenticated clients, as junk traffic can be dropped much sooner.
Example of Command to add on DAL: - --tls-auth /etc/config/ta.key 0
Where ta.key is the secret file that must be copied into the /etc/config/ path of the DAL router files system (see how to upload files here: Upload and download files).
The second parameter should be '0' on the server and '1' on the clients
Usage: Push commands can be used to push configuration options to the client for remote execution. (Note: the option must be enclosed in double quotes ("") and the client must specify –pull in its config file).
Some example of most commonly used:
Push routes: this allow the client to reach other private subnets behind the server.
Example of Command to add on DAL: ---push "route 192.168.2.0 255.255.255.0“
Push Default Gateway: this will configure all clients to redirect their default network gateway through the VPN, causing all IP traffic such as web browsing and # and DNS lookups to go through the VPN
Example of Command to add on DAL: - --push "redirect-gateway def1 bypass-dhcp"
Push DNS: set the DNS addresse to the Client:
Example of Command to add on DAL: --push "dhcp-option DNS 188.8.131.52"
Usage: Specify the message digest algoritm to use to authenticate data channel packets (The default is SHA1 ).
Example of Command to add on DAL: --auth SHA256
Usage: Define the Cipher Algoritm to use for the encryption of data channel packets.
The default is BF-CBC, but when cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM.
Example of Command to add on DAL: ---cipher AES-128-GCM
CLIENTS COMMUNICATIONS VIA THE TUNNEL
Usage: This allows different clients to be able to "see" each other (By default, clients will only see the server)
Command to add on DAL: --client-to-client
Sep 20, 2020