.TP.B SIGHUPCause OpenVPN to close all tun/tap andnetwork connections,restart, re-read the configuration file (if any),and reopen tun/tap and network connections..TP.B SIGUSR1Like .B SIGHUP,except don't re-read configuration file, and possibly don't close and reopen tundevice, re-read key files, preserve local IP address/port, or preserve most recently authenticatedremote IP address/port based on.B --persist-tun, --persist-key, --persist-local-ip,and.B --persist-remote-ipoptions respectively (see above).This signal may also be internally generated by a timeout condition, governedby the.B --ping-restartoption.This signal, when combined with.B --persist-remote-ip,may besent when the underlying parameters of the host's network interface changesuch as when the host is a DHCP client and is assigned a new IP address.See.B --ipchangeabove for more information..TP.B SIGUSR2Causes OpenVPN to display its current statistics (to the syslogfile if.B --daemonis used, or stdout otherwise)..TP.B SIGINT, SIGTERMCauses OpenVPN to exit gracefully..SH TUN/TAP DRIVER SETUPIf you are running Linux 2.4.7 or higher, you probably have the tun/tap driveralready installed.  If so, there are still a few things you need to do:Make device:.B mknod /dev/net/tun c 10 200Load driver:.B modprobe tunIf you have Linux 2.2 or earlier, you should obtain version 1.1 of thetun/tap driver from.I http://vtun.sourceforge.net/tun/and follow the installation instructions..SH EXAMPLESPrior to running these examples, you should have OpenVPN installed on twomachines with network connectivity between them.  If you have notyet installed OpenVPN, consult the INSTALL file included in the OpenVPNdistribution..SS TUN/TAP Setup:If you are using Linux 2.4 or higher,make the tun device node and load the tun module:.IP.B mknod /dev/net/tun c 10 200.LP.IP.B modprobe tun.LPIf you installed from RPM, the.B mknodstep may be omitted, because the RPM install does that for you.If you have Linux 2.2, you should obtain version 1.1 of thetun/tap driver from.I http://vtun.sourceforge.net/tun/and follow the installation instructions.For other platforms, consult the INSTALL file at.I http://openvpn.sourceforge.net/install.htmlfor more information..SS Firewall Setup:If firewalls exist betweenthe two machines, they should be set to forward UDP port 5000in both directions.  If you do not have control over the firewallsbetween the two machines, you may still be able to use OpenVPN by adding.B --ping 15to each of the.B openvpncommands used below in the examples (this will cause each peer to send outa UDP ping to its remote peer once every 15 seconds which will cause manystateful firewalls to forward packets in both directionswithout an explicit firewall rule).If you are using a Linux iptables-based firewall, you may need to enterthe following command to allow incoming packets on the tun device:.IP.B iptables -A INPUT -i tun+ -j ACCEPT.LPSee the firewalls section below for more information on configuring firewallsfor use with OpenVPN..SS VPN Address Setup:For purposesof our example, our two machines will be called.B may.kgand.B june.kg.If you are constructing a VPN over the internet, then replace.B may.kgand.B june.kgwith the internet hostname or IP address that each machine will useto contact the other over the internet.Now we will choose the tunnel endpoints.  Tunnel endpoints areprivate IP addresses that only have meaning in the context ofthe VPN.  Each machine will use the tunnel endpoint of the othermachine to access it over the VPN.  In our example,the tunnel endpoint for may.kgwill be 10.4.0.1 and for june.kg, 10.4.0.2.Once the VPN is established, you have essentiallycreated a secure alternate path between the two hostswhich is addressed by using the tunnel endpoints.  You cancontrol which networktraffic passes between the hosts (a) over the VPN or (b) independently of the VPN, by choosing whether to use(a) the VPN endpoint address or (b) the public internet address,to access the remote host. For example if you are on may.kg and you wish to connect to june.kgvia.B sshwithout using the VPN (since.B sshhas its own built-in security) you would use the command.B ssh june.kg.However in the same scenario, you could also use the command.B telnet 10.4.0.2to create a telnet session with june.kg over the VPN, that woulduse the VPN to secure the session rather than.B ssh.You can use any address you wish for thetunnel endpointsbut make sure that they are private addresses(such as those that begin with 10 or 192.168) and that they arenot part of any existing subnet on the networks ofeither peer.  If you use an address that is part ofyour local subnet for either of the tunnel endpoints,you will get a weird feedback loop..SS Example 1: A simple tunnel without security.LPOn may:.IP.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 8.LPOn june:.IP.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 8.LPNow verify the tunnel is working by pinging across the tunnel..LPOn may:.IP.B ping 10.4.0.2.LPOn june:.IP.B ping 10.4.0.1.LPThe.B --verb 8option will produce verbose output, similar to the.BR tcpdump (8)program.  Omit the.B --verb 8option to have OpenVPN run quietly..SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)First build a static key on may..IP.B openvpn --genkey --secret key.LPThis command will build a random key file called.B key(in ascii format).Now copy.B keyto june over a secure medium such as byusing the.BR scp (1)program..LPOn may:.IP.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key.LPOn june:.IP.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key.LPNow verify the tunnel is working by pinging across the tunnel..LPOn may:.IP.B ping 10.4.0.2.LPOn june:.IP.B ping 10.4.0.1.SS Example 3: A tunnel with full TLS-based securityFor this test, we will designate.B mayas the TLS client and.B juneas the TLS server..I Note that client or server designation only has meaning for the TLS subsystem.  It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model.First, build a separate certificate/key pairfor both may and june (see above where.B --certis discussed for more info).  Then constructDiffie Hellman parameters (see above where.B --dhis discussed for more info).  You can also use theincluded test files client.crt, client.key,server.crt, server.key and tmp-ca.crt.The .crt files are certificates/public-keys, the .keyfiles are private keys, and tmp-ca.crt is a certificationauthority who has signed bothclient.crt and server.crt.  For Diffie Hellmanparameters you can use the included file dh1024.pem..I Note that all client, server, and certificate authority certificates and keys included in the OpenVPN distribution are totally insecure and should be used for testing only..LPOn may:.IP.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5.LPOn june:.IP.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5.LPNow verify the tunnel is working by pinging across the tunnel..LPOn may:.IP.B ping 10.4.0.2.LPOn june:.IP.B ping 10.4.0.1.LPNotice the.B --reneg-sec 60option we used above.  That tells OpenVPN to renegotiatethe data channel keys every minute.Since we used.B --verb 5above, you will see status information on each new key negotiation.For production operations, a key renegotiation interval of 60 secondsis probably too frequent.  Omit the.B --reneg-sec 60option to use OpenVPN's default key renegotiation interval of one hour..SS Routing:Assuming you can ping across the tunnel,the next step is to route a real subnet overthe secure tunnel.  Suppose that may and june have two networkinterfaces each, one connectedto the internet, and the other to a privatenetwork.  Our goal is to securely connectboth private networks.  We will assume that may's private subnetis 10.0.0.0/24 and june's is 10.0.1.0/24..LPFirst, ensure that IP forwarding is enabled on both peers.On Linux, enable routing:.IP.B echo 1 > /proc/sys/net/ipv4/ip_forward.LPand enable tun packet forwarding through the firewall:.IP.B iptables -A FORWARD -i tun+ -j ACCEPT.LPOn may:.IP.B route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2.LPOn june:.IP.B route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1.LPNow any machine on the 10.0.0.0/24 subnet canaccess any machine on the 10.0.1.0/24 subnetover the secure tunnel (or vice versa).In a production environment, you could put the route command(s)in a shell script and execute with the.B --upoption..SH FIREWALLSOpenVPN's usage of a single UDP port makes it fairly firewall-friendly.You should add an entry to your firewall rules to allow incoming OpenVPNpackets.  On Linux 2.4+:.IP.B iptables -A INPUT -p udp -s 1.2.3.4 --dport 5000 -j ACCEPT.LPThis will allow incoming packets on UDP port 5000 (OpenVPN's default UDP port)from an OpenVPN peer at 1.2.3.4.If you are using HMAC-based packet authentication (the default in any ofOpenVPN's secure modes), having the firewall filter on sourceaddress can be considered optional, since HMAC packet authenticationis a much more secure method of verifying the authenticity ofa packet source.  In that case:.IP.B iptables -A INPUT -p udp --dport 5000 -j ACCEPT.LPwould be adequate and would not render the host inflexible withrespect to its peer having a dynamic IP address.OpenVPN also works well on stateful firewalls.  In some cases, you maynot need to add any static rules to the firewall list if you areusing a stateful firewall that knows how to track UDP connections.If you specify.B --ping n,OpenVPN will be guaranteedto send a packet to its peer at least once every.B nseconds.  If.B nis less than the stateful firewall connection timeout, you canmaintain an OpenVPN connection indefinitely without explicitfirewall rules.You should also add firewall rules to allow incoming IP traffic ontun or tap devices such as:.IP.B iptables -A INPUT -i tun+ -j ACCEPT.LPto allow input packets from tun devices,.IP.B iptables -A FORWARD -i tun+ -j ACCEPT.LPto allow input packets from tun devices to be forwarded toother hosts on the local network,.IP.B iptables -A INPUT -i tap+ -j ACCEPT.LPto allow input packets from tap devices, and.IP.B iptables -A FORWARD -i tap+ -j ACCEPT.LPto allow input packets from tap devices to be forwarded toother hosts on the local network.These rules are secure if you use packet authentication,since no incoming packets will arrive on a tun or tapvirtual deviceunless they first pass an HMAC authentication test..SH FAQ.I http://openvpn.sourceforge.net/faq.html.SH HOWTOFor a more comprehensive guide to setting up OpenVPNin a production setting, see the OpenVPN HOWTO at.I http://openvpn.sourceforge.net/howto.html.SH PROTOCOLFor a description of OpenVPN's underlying protocol,see the file ssl.h included in the OpenVPN source distribution orbrowse the file in the CVS repository at.I http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/openvpn/openvpn/ssl.h.SH WEBOpenVPN's web site is at.I http://openvpn.sourceforge.net/Go here to download the latest version of OpenVPN, subscribeto the mailing lists, read the mailing listarchives, or browse the CVS repository..SH BUGSReport all bugs to the OpenVPN users list <openvpn-users@lists.sourceforge.net>.To subscribe to the list or see the archives, go to.I http://sourceforge.net/mail/?group_id=48978.SH "SEE ALSO".BR dhcpcd (8),.BR ifconfig (8),.BR openssl (1),.BR route (8),.BR scp (1).BR ssh (1).SH NOTES .LPThis product includes software developed by theOpenSSL Project (.I http://www.openssl.org/)For more information on the TLS protocol, see.I http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-01.txtFor more information on the tun/tap driver see.I http://vtun.sourceforge.net/tun/For more information on the LZO real-time compression library see.I http://www.oberhumer.com/opensource/lzo/.SH COPYRIGHTCopyright (C) 2002 by James Yonan. This program is free software;you can redistribute it and/or modifyit under the terms of the GNU General Public License as published bythe Free Software Foundation; either version 2 of the License, or(at your option) any later version..SH AUTHORSJames Yonan <jim@yonan.net>