davethebossman
Occasional Visitor
Good morning/afternoon,
My questions pertain mostly to easyRSA and oVPN config files, so if someone feels this thread belongs elsewhere, let me know. However, I'm using a merlin-asus firmware, so I feel this thread belongs in SNB's VPN Section rather than on easyRSA's github or OpenVPN's site.
Please feel free to link to threads that deal with my queries. I've already searched the forums, but I may have missed helpful threads due to poor keyword usage. I don't mind some suggested readings!
Question 1: In easyRSA, I used redundant name schemes in build-ca, build-key-server, and build-key. Example:
>build-ca
Organiz. Name: OpenVPN
Organiz. Unit: JimJohn
Common Name: JimJohn
and likewise...
>build-key-server JimJohnServer
Organiz. Unit: JimJohn
Common Name: JimJohnServer
Name: JimJohnServer
and lastly...
>build-key JimJohnPC
Organiz. Unit: JimJohn
Common Name: JimJohnPC
Name: JimJohnPC
Is the above practice bad/wrong? My setup is for simple home use, with <10 total clients and <3 concurrent clients on the VPN.
Question 2: (on subnets-within-subnets, and client-to-client communication...)
If the ovpn server is behind a modem/router:
-Do I correctly understand that the ovpn server will have its subnet within a subnet?
-Expecting above is correctly understood, do SNB members tend to set their ovpn subnet and modem/router subnet in similar naming fashion? i.e. modem/router 192.168.1.254 255.255.255.0, ovpn server 192.168.2.254 255.255.255.0?
------If above is acceptable, what's an example of an acceptable IP for 2 hypothetical clients? 192.168.2.50 and 192.168.2.51? And, should I use static IPs for all my clients? I am getting a bit confused with the use of static IPs for a... laptop client... where the client will otherwise need to use auto-issued IPs with other APs out in the world.
------If above is unacceptable, please provide example addresses for the modem/router, ovpn server, and 2 clients using the VPN tunnel.
-I want to access my printer through the VPN tunnel, and the printer is currently part of my modem/router LAN. To allow print-over-VPN, do I enable client-to-client?
------If yes, is it advisable to consider "learn-address script" for all clients to limit potential collateral from an intrusion? FYI, I have no severely-private data or anything that needs "collateral protection", per se.
------If no, would you advise me to connect my printer to ovpn server and then use "push route" so that any clients using the tunnel can "see" the printer?
------If there are relevant SNB threads that answer the above?
-In my setup, would someone please clarify whether "push route" and "client-to-client" are dependent or independent of one another? I get the impression that they can be dependent, but aren't necessarily dependent. Comment.
Question 3:
Settings for modem/router:
-Confirm... disable IPv6 on all clients and routers (yorgi's threads on Asus+VPN, PIA+VPN)?
-On my Actiontec modem/router, should I disable WAN Ping Block Mode? Or can my VPN still use keepalive if WAN Ping Block is enabled?
-Confirm... set static IP on ovpn server (DNS??), then Port Forward of UDP/TCP on modem/router?
-Suggested inbound/outbound policies to add on client Windows Firewall?
-Anything else that will promote pass-through of data between client/ovpn/router, in terms of rules/exceptions?
There are a lot of members that deserve a huge thanks for their regular contributions to this forum (yorgi, thank you for the VPN Guides). It is much appreciated.
David
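Added illustration, not part of David's post or of the Asuswrt-Merlin firmware: an OpenVPN 2.x server configuration showing how the addressing and routing pieces raised in Question 2 and Question 3 fit together. All addresses are assumed for the example: the LAN behind the router is 192.168.1.0/24 (where the printer sits), the tunnel gets its own pool 192.168.2.0/24, and the certificate names reuse the JimJohn* names from Question 1. On the certificate question itself, OpenVPN keys client sessions by the certificate Common Name, so the CNs of the server and of each client must be distinct (they are in the post); a shared Organizational Unit is harmless.

```conf
# Added example server config (not from the original post or from Merlin).
# Assumed layout:
#   router LAN      192.168.1.0/24   (printer at 192.168.1.20, assumed)
#   VPN tunnel pool 192.168.2.0/24   (server takes 192.168.2.1)
port 1194
proto udp
dev tun
ca ca.crt
cert JimJohnServer.crt
key JimJohnServer.key
dh dh.pem

# One flat subnet for the tunnel so each client gets a plain /24 address.
topology subnet

# Tunnel pool. The server takes the first usable address (192.168.2.1);
# clients are leased the rest. This range must not overlap the LAN or the
# modem/router subnet, otherwise routing between them is ambiguous.
server 192.168.2.0 255.255.255.0

# Give every connecting client a route to the LAN, so the printer is
# reachable over the tunnel. Client-to-printer traffic is client -> server
# -> LAN, so this works with or without client-to-client.
push "route 192.168.1.0 255.255.255.0"

# Optional and independent of push route: lets VPN clients reach each
# other through the server. Leave commented out if clients only need the
# LAN, which also limits what one compromised client can reach.
;client-to-client

# Optional: pin a fixed tunnel address per client, keyed by certificate CN.
# The laptop still uses DHCP on whatever network it is on; only its
# address inside the tunnel is fixed. File ccd/JimJohnPC would contain:
#   ifconfig-push 192.168.2.50 255.255.255.0
client-config-dir ccd

# Liveness through NAT: a ping every 10 s, peer considered gone after 120 s.
# These are OpenVPN control packets carried on the VPN port, not ICMP echo,
# so a WAN ICMP ping block on the modem/router does not interfere with them.
keepalive 10 120

persist-key
persist-tun
verb 3
```

Two things the config alone does not cover: the modem/router must forward UDP 1194 to the host running this server, which in turn needs a fixed LAN address so the forward keeps pointing at it; and LAN devices such as the printer must have a return path to 192.168.2.0/24, which is automatic when the OpenVPN server is the LAN's default gateway (the usual case with a router running the server) and otherwise needs a static route on the LAN gateway or NAT of tunnel traffic to the server's LAN address.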