Différences entre les versions de « Openvpn »
Aller à la navigationAller à la recherche| Ligne 108 : | Ligne 108 : | ||
</pre> | </pre> | ||
=== server.conf === | === server.conf travail === | ||
/opt/applis/openvpn/etc/server.conf | /opt/applis/openvpn/etc/server.conf | ||
<pre> | <pre> | ||
| Ligne 139 : | Ligne 139 : | ||
</pre> | </pre> | ||
=== server.conf perso === | |||
<pre> | |||
# Serveur TCP/443 | |||
mode server | |||
tls-server | |||
proto udp | |||
port 80 | |||
dev tun | |||
# Clés certificats | |||
ca ca.crt | |||
cert server.crt | |||
key server.key | |||
dh dh2048.pem | |||
tls-auth ta.key 0 | |||
key-direction 0 | |||
cipher AES-256-CBC | |||
# Réseau | |||
server 10.8.0.0 255.255.255.0 | |||
push "redirect-gateway def1 bypass-dhcp" | |||
push "dhcp-option DNS 8.8.8.8" | |||
push "dhcp-option DNS 8.8.4.4" | |||
keepalive 10 120 | |||
# Sécurité | |||
user nobody | |||
group nogroup | |||
chroot /etc/openvpn/jail | |||
persist-key | |||
persist-tun | |||
comp-lzo | |||
# Log | |||
verb 3 | |||
mute 20 | |||
status openvpn-status.log | |||
log-append /var/log/openvpn.log | |||
</pre> | |||
=== Configuration client vpn === | === Configuration client vpn === | ||
<pre> | <pre> | ||
#pour signaler que c'est un client ! | #pour signaler que c'est un client ! | ||
client | client | ||
#type d'interface | #type d'interface | ||
dev tun | dev tun | ||
#protocole de communication | |||
proto tcp | #protocole de communication / se mettre en udp est plus secure | ||
#proto tcp | |||
proto udp | |||
#adresse ip publique du réseau dans lequel le serveur est installé + port identique au serveur | #adresse ip publique du réseau dans lequel le serveur est installé + port identique au serveur | ||
remote 92.43.254.226 443 | remote 92.43.254.226 443 | ||
#tentative de connexion infinie | #tentative de connexion infinie | ||
resolv-retry infinite | resolv-retry infinite | ||
nobind | nobind | ||
#pour rendre la connexion persistante | #pour rendre la connexion persistante | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
#pour cacher les avertissements | #pour cacher les avertissements | ||
mute-replay-warnings | mute-replay-warnings | ||
#type d'encryptage des données | |||
cipher AES-256-CBC | |||
#emplacement du master CA | #emplacement du master CA | ||
ca ca.crt | ca ca.crt | ||
#emplacement du certificat client | #emplacement du certificat client | ||
cert | cert ben.crt | ||
#emplacement de la clé privée du client | #emplacement de la clé privée du client | ||
key | key ben.key | ||
tls-auth ta.key 1 | |||
#Pour demander le login et password | #Pour demander le login et password | ||
auth-user-pass | auth-user-pass | ||
#activation de la compression | #activation de la compression | ||
comp-lzo | |||
#niveau de verbosité | #niveau de verbosité | ||
verb 5 | verb 5 | ||
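Review bot: The new client configuration switches to `proto udp` but keeps `remote 92.43.254.226 443`, while neither server configuration on this page listens on UDP/443: the travail server.conf is `proto tcp` / `port 443` and the new server.conf perso is `proto udp` / `port 80` under a `# Serveur TCP/443` header that no longer describes it, so client and server proto/port must be aligned and the header comment corrected. Both new files also enable `comp-lzo`, which the OpenVPN binary built above with `./configure --disable-lzo` will not accept (the travail config keeps it commented out, presumably for that reason); compression of tunnelled traffic is generally discouraged anyway, so the simplest fix is to drop the directive. Finally, the client never checks that the peer presents a server certificate; adding `remote-cert-tls server` (the server certificate was issued with `build-key-server`, which should set the required server extensions) prevents another holder of a CA-signed client certificate from posing as the server.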
Version du 1 janvier 2016 à 11:02
On va installer ici un openvpn avec un auth-pam, et des certificats
Compilation
* Compilation d'openvpn :
 ./configure --prefix=/opt/applis/openvpn-2.1.1-1 --disable-lzo --with-ssl-lib=/opt/applis/openssl-1.0.0e-1/lib --with-ssl-headers=/opt/applis/openssl-1.0.0e-1/include
* Compilation d'auth-pam :
 # cd /root/install/openvpn-2.1.1/plugin/auth-pam
 # make
 # mkdir /usr/lib/openvpn/
 # cp openvpn-auth-pam.so /usr/lib/openvpn/
* Mise en place de Easy-RSA :
 # cp -r /root/install/openvpn-2.1.1/easy-rsa/2.0/* /opt/applis/openvpn/easy-rsa/
Gestion des certificats
- /opt/applis/openvpn/easy-rsa/vars
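# easy-rsa parameter settings (sourced with ". ./vars" from the easy-rsa
# directory, see the certificate section above).
#
# NOTE: If you installed from an RPM, don't edit this file in place in
# /usr/share/openvpn/easy-rsa -- instead, copy the whole easy-rsa directory
# to another location (such as /etc/openvpn) so that your edits are not wiped
# out by a future OpenVPN package upgrade.
#
# This file is meant to be sourced into the caller's shell, so it stays POSIX
# sh compatible (no bashisms) and never calls "exit".

# Top level of the easy-rsa tree: the directory this file is sourced from.
export EASY_RSA="$(pwd)"

# Executables used by the easy-rsa scripts.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# openssl.cnf shipped with easy-rsa, selected by the whichopensslcnf helper.
# If the helper is missing (e.g. this file was sourced from the wrong
# directory), say so explicitly instead of leaving a bare "command not found".
if [ -x "$EASY_RSA/whichopensslcnf" ]; then
  KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
else
  KEY_CONFIG=""
  printf 'WARNING: %s/whichopensslcnf not found; KEY_CONFIG left empty\n' \
    "$EASY_RSA" >&2
fi
export KEY_CONFIG

# Key directory.
#
# WARNING: clean-all does an "rm -rf" on this directory, so make sure it is
# defined correctly!  It is defined once, with the absolute path, so that the
# warning below names the directory that will really be removed (the previous
# version set KEY_DIR twice and warned about the first, relative, value).
export KEY_DIR="/opt/applis/openvpn/easy-rsa/keys"

# Issue rm -rf warning
printf 'NOTE: If you run ./clean-all, I will be doing a rm -rf on %s\n' "$KEY_DIR"

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# RSA key size in bits. 2048 slows down TLS negotiation and the one-time DH
# parameter generation compared with 1024, but is the sensible minimum.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=730

# In how many days should certificates expire?
export KEY_EXPIRE=730

# Default values for the certificate subject fields. Don't leave any blank.
# Values containing spaces must be quoted: an unquoted "export KEY_ORG=AGARIK SAS"
# exports KEY_ORG=AGARIK and a separate, unset variable SAS.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="St-Ouen"
export KEY_ORG="AGARIK SAS"
export KEY_EMAIL="support@agarik.com"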
* Aller dans le répertoire de Easy-RSA :
 # cd /opt/applis/openvpn/easy-rsa/
* Chargez les variables :
 # . ./vars
* Nettoyez :
 # ./clean-all
* Créez l'autorité de certification :
 # ./build-ca
* Générez la clef RSA du serveur :
 # ./build-key-server vpn1.cg81.fr
* Générez le certificat client :
 # ./build-key cg81
* Générez le paramètre de Diffie-Hellman :
 # ./build-dh
* Copiez les certificats dans le etc de OpenVPN :
 # cp /opt/applis/openvpn/easy-rsa/keys/ca.crt /opt/applis/openvpn/etc/
 # cp /opt/applis/openvpn/easy-rsa/keys/ca.key /opt/applis/openvpn/etc/
 # cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
 # cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.crt /opt/applis/openvpn/etc/
 # cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.csr /opt/applis/openvpn/etc/
 # cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.key /opt/applis/openvpn/etc/
server.conf travail
/opt/applis/openvpn/etc/server.conf
# OpenVPN server configuration ("travail"), /opt/applis/openvpn/etc/server.conf.
# Listener: TCP/443. The client configuration must use the same proto and port.
proto tcp
port 443
dev tun
# Scratch directory used by the server (e.g. plugin/auth temporary files).
# NOTE(review): /tmp is world-writable; a dedicated directory with restricted
# permissions is the usual recommendation for tmp-dir — confirm.
tmp-dir /tmp
# PKI material generated with easy-rsa (see the certificate section above).
# Only the CA *certificate* is referenced here: the CA private key (ca.key) is
# not needed by the server and does not have to be copied to this host.
ca /opt/applis/openvpn/etc/ca.crt
cert /opt/applis/openvpn/etc/vpn1.cg81.fr.crt
key /opt/applis/openvpn/etc/vpn1.cg81.fr.key
dh /opt/applis/openvpn/etc/dh2048.pem
# VPN subnet assigned to clients.
server 192.168.255.0 255.255.255.0
# Routes pushed to clients; no redirect-gateway, so the client's default route
# is left alone (split tunnel).
push "route 10.42.25.0 255.255.255.240"
push "route 10.42.25.16 255.255.255.240"
push "route 10.42.25.64 255.255.255.240"
# Ping every 10 s, declare the peer dead after 120 s without a reply.
keepalive 10 120
# Data-channel cipher. No "auth" directive is given, so the HMAC algorithm is
# OpenVPN's default for this version.
cipher AES-128-CBC
# Compression left disabled (the binary was built with --disable-lzo).
#comp-lzo
max-clients 10
# Drop privileges after start-up.
user nobody
group nobody
# Identify the client by its PAM username rather than the certificate CN.
username-as-common-name
# Second factor: username/password checked against the "system-auth" PAM
# service (plugin built in the compilation section above).
plugin /usr/lib/openvpn/openvpn-auth-pam.so system-auth
# Keep key material and the tun device across restarts; required once
# privileges have been dropped to nobody.
persist-key
persist-tun
status /var/log/openvpn-status.log
# NOTE(review): "log" and "log-append" both name the same file; only one is
# needed — confirm whether truncate-on-start or append is wanted.
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# Verbosity 6 is a debugging level; consider lowering it for production logs.
verb 6
server.conf perso
# OpenVPN server configuration ("perso").
# NOTE(review): the original header said "Serveur TCP/443", but the directives
# below bind UDP/80 while the client configuration on this page remotes to
# port 443 — one of them has to be corrected so client and server agree on
# proto and port.
mode server
tls-server
proto udp
port 80
dev tun
# Keys and certificates (relative paths, resolved from the working directory).
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Extra HMAC on the TLS control channel; "0" is the server side of the shared
# key (the client uses "1"). key-direction 0 restates the direction already
# given to tls-auth.
tls-auth ta.key 0
key-direction 0
# Data-channel cipher (no "auth" directive, so the HMAC is OpenVPN's default).
cipher AES-256-CBC
# Network: VPN subnet, full tunnel (default route redirected) and pushed DNS.
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# Hardening: drop privileges and chroot after start-up.
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
# Data compression enabled. NOTE(review): the binary built above uses
# --disable-lzo, and compression of tunnelled traffic is generally discouraged;
# drop this unless it is actually needed.
comp-lzo
# Logging
verb 3
mute 20
# NOTE(review): relative path with chroot in effect — check where this file is
# actually written (it may need to exist inside the jail) — confirm.
status openvpn-status.log
log-append /var/log/openvpn.log
Configuration client vpn
# OpenVPN client configuration.
# Marks this side as a client.
client
# Interface type.
dev tun
# Transport protocol; UDP is preferred over TCP.
# NOTE(review): the server configurations on this page listen on TCP/443
# ("travail") or UDP/80 ("perso"); with "proto udp" and "remote ... 443" below
# this client matches neither — align proto/port with the target server.
#proto tcp
proto udp
# Public IP of the network hosting the server + the same port as the server.
remote 92.43.254.226 443
# Retry hostname resolution indefinitely.
resolv-retry infinite
# Do not bind to a fixed local port.
nobind
# Keep key material and the tun device across restarts.
persist-key
persist-tun
# Hide replay warnings.
mute-replay-warnings
# Data-channel cipher.
cipher AES-256-CBC
# Master CA certificate.
ca ca.crt
# Client certificate.
cert ben.crt
# Client private key.
key ben.key
# Control-channel HMAC; "1" is the client side of the shared key ("0" on the
# server).
tls-auth ta.key 1
# NOTE(review): nothing here checks that the peer presents a *server*
# certificate; consider adding "remote-cert-tls server" so that another
# CA-signed client certificate cannot impersonate the server.
# Prompt for username and password.
auth-user-pass
# Compression: enabled on the "perso" server, commented out on the "travail"
# one — must match the server actually targeted.
comp-lzo
# Verbosity.
verb 5
Vérifier sa connexion VPN
* Vérifier ses DNS : https://www.dnsleaktest.com/ (test extended) — on ne doit voir que les DNS définis dans le VPN.
* Vérifier la faille WebRTC : https://diafygi.github.io/webrtc-ips/ — on doit voir l'IP publique du VPN.
* Vérifier ce qui est visible de l'extérieur : https://ipleak.net/