What's new

AC66U, setting up OpenVPN for USB storage, questions on keys and certs...

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

davethebossman

Occasional Visitor
Good morning/afternoon,

My questions pertain mostly to easyRSA and oVPN config files, so if someone feels this thread belongs elsewhere, let me know. However, I'm using a merlin-asus firmware, so I feel this thread belongs in SNB's VPN Section rather than on easyRSA's github or OpenVPN's site.

Please feel free to link to threads that deal with my queries. I've already searched the forums, but I may have missed helpful threads due to poor keyword usage. I don't mind some suggested readings!



Question 1: In easyRSA, I used redundant name schemes in build-ca, build-key-server, and build-key. Example:
>build-ca
Organiz. Name: OpenVPN
Organiz. Unit: JimJohn
Common Name: JimJohn

and likewise...

>build-key-server JimJohnServer
Organiz. Unit: JimJohn
Common Name: JimJohnServer
Name: JimJohnServer

and lastly...

>build-key JimJohnPC
Organiz. Unit: JimJohn
Common Name: JimJohnPC
Name: JimJohnPC

Is the above practice bad/wrong? My setup is for simple home use, with <10 total clients and <3 concurrent clients on the VPN.



Question 2: (on subnets-within-subnets, and client-to-client communication...)

If the ovpn server is behind a modem/router:
-Do I correctly understand that the ovpn server will have its subnet within a subnet?

-Expecting above is correctly understood, do SNB members tend to set their ovpn subnet and modem/router subnet in similar naming fashion? ie. modem/router 192.168.1.254 255.255.255.0, ovpn server 192.168.2.254 255.255.255.0?
------If above is acceptable, what's an example of an acceptable IP for 2 hypothetical clients? 192.168.2.50 and 192.168.2.51? And, should I use static IPs for all my clients? I am getting a bit confused with the use of static IPs for a....... laptop client....... where the client will otherwise need to use auto-issued IPs with other AP's out in the world.
------If above is unacceptable, please provide example addresses for the modem/router, ovpn server, and 2 clients using the VPN tunnel.

-I want to access my printer through the VPN tunnel, and the printer is currently part of my modem/router LAN. To allow print-over-VPN, do I enable client-to-client?
------If yes, is it advisable to consider "learn-address script" for all clients to limit potential collateral from an intrusion? FYI, I have no severely-private data or anything that needs "collateral protection", per se.
------If no, would you advise me to connect my printer to ovpn server and then use "push route" so that any clients using the tunnel can "see" the printer?
------If there are relevant SNB threads that answer the above?

-In my setup, would someone please clarify that "push route" and "client-to-client" are dependent or independent of one another? I get the impression that they can be dependent, but aren't necessarily dependent. Comment.



Question 3:
Settings for modem/router:
-Confirm... disable IPv6 on all clients and routers (yorgi's threads on Asus+VPN, PIA+VPN)?

-on my Actiontec modem/router, should I disable WAN Ping Block Mode? Or can my VPN still use keepalive if WAN Ping Block is enabled?

-Confirm... set static IP on ovpn server (DNS??), then Port Forward of UDP/TCP on modem/router?

-Suggested inbound/outbound policies to add on client Windows Firewall?

-Anything else that will promote pass-through of data between client/ovpn/router, in terms of rules/exceptions?


There are a lot of members that deserve a huge thanks for their regular contributions to this forum (yorgi, thank you for the VPN Guides). It is much appreciated.

David
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top