Différences entre les versions de « Openvpn »

Ligne 90 : Ligne 90 :
# ./build-ca
# ./build-ca


* Générez la clef RSA :
* Générez la clef RSA (certificat server .crt & .key) :
# ./build-key-server vpn1.cg81.fr
# ./build-key-server server


* Générez le certificat client :
* Générez le certificat client :
# ./build-key cg81
# ./build-key ben


* Générez le paramètre de Diffie-Hellman
* Générez le paramètre de Diffie-Hellman
Ligne 100 : Ligne 100 :


* Copiez les certificats dans le etc de OpenVPN :
* Copiez les certificats dans le etc de OpenVPN :
# cp /opt/applis/openvpn/easy-rsa/keys/ca.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/server.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ca.key /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/server.key /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.csr /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.csr /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.key /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.key /opt/applis/openvpn/etc/
</pre>
</pre>


Ligne 145 : Ligne 145 :
mode server
mode server
tls-server
tls-server
#proto tcp
proto udp
proto udp
port 80
port 80
Ligne 150 : Ligne 151 :


# Clés certificats
# Clés certificats
remote-cert-eku "TLS Web Client Authentication"
ca ca.crt
ca ca.crt
cert server.crt
cert server.crt
Ligne 157 : Ligne 159 :
key-direction 0
key-direction 0
cipher AES-256-CBC
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512


# Réseau
# Réseau
Ligne 172 : Ligne 176 :
persist-tun
persist-tun
comp-lzo
comp-lzo
#client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login


# Log
# Log
Ligne 182 : Ligne 189 :
=== Configuration client vpn ===
=== Configuration client vpn ===
<pre>
<pre>
#pour signaler que c'est un client !
# Config Client
client
client
#type d'interface
dev tun
dev tun
#protocole de communication / se mettre en udp est plus secure
#proto tcp
proto udp
proto udp
remote 217.174.206.178 80


#adresse ip publique du réseau dans lequel le serveur est installé + port identique au serveur
remote 92.43.254.226 443
#tentative de connexion infinie
resolv-retry infinite
resolv-retry infinite
nobind
# Certificats + Cles
 
remote-cert-eku "TLS Web Server Authentication"
#pour rendre la connexion persistante
ca ca.crt
persist-key
cert ben.crt
persist-tun
key ben.key
 
tls-auth ta.key 1
#pour cacher les avertissements
mute-replay-warnings
 
#type d'encryptage des données
cipher AES-256-CBC
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
auth SHA512


#emplacement du master CA
redirect-gateway def1
ca ca.crt
# Config Securite


#emplacement du certificat client
#user nobody
cert ben.crt
#group nobody


#emplacement de la clé privée du client
nobind
key ben.key
persist-key
tls-auth ta.key 1
persist-tun
comp-lzo


#Pour demander le login et password
verb 3
auth-user-pass
auth-user-pass
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]


#activation de la compression
comp-lzo
#niveau de verbosité
verb 5
</pre>
</pre>
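Review bot: The new side of the "Ligne 100" hunk still copies the client's private key (`ben.key`) and its CSR (`ben.csr`) into the server's `/opt/applis/openvpn/etc/`; the server only needs `ca.crt`, `server.crt`, `server.key` and `dh2048.pem`, and a client key that lives on the server is one more place it can leak from, so the two `cp ... ben.key` / `cp ... ben.csr` lines should go. The new server config ("Ligne 157" hunk, `tls-auth ta.key 0` / `key-direction 0`) and the new client config ("Ligne 182" hunk, `tls-auth ta.key 1`) both reference `ta.key`, but no step on the page generates that shared secret or copies it next to `ca.crt`, so OpenVPN will refuse to start as written; a line such as `# ta.key: openvpn --genkey --secret ta.key, then copy to server AND client` in the certificate section would close the gap. The client additionally pins `tls-cipher DHE-RSA-AES256-SHA`, a CBC/SHA-1 control-channel suite that the server's `tls-version-min 1.2` does not rule out; if the intent is to harden the TLS handshake, the suite restriction belongs on the server side too, and a stronger suite should be chosen on both.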



Version du 20 février 2016 à 10:44

On va installer ici un openvpn avec un auth-pam, et des certificats

Compilation

* Compilation d'openvpn :
./configure --prefix=/opt/applis/openvpn-2.1.1-1 --disable-lzo --with-ssl-lib=/opt/applis/openssl-1.0.0e-1/lib --with-ssl-headers=/opt/applis/openssl-1.0.0e-1/include

* Compilation d'auth-pam
# cd /root/install/openvpn-2.1.1/plugin/auth-pam
# make
# mkdir /usr/lib/openvpn/
# cp openvpn-auth-pam.so /usr/lib/openvpn/

* Mise en place de Easy-RSA
# cp -r /root/install/openvpn-2.1.1/easy-rsa/2.0/* /opt/applis/openvpn/easy-rsa/

Gestion des certificats

  • /opt/applis/openvpn/easy-rsa/vars
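# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
#
# This file is sourced (". ./vars") from the easy-rsa directory; every
# setting is exported so that the build-* scripts can read it.

# This variable should point to
# the top level of the easy-rsa
# tree (the directory this file is sourced from).
export EASY_RSA="$(pwd)"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#
# Set once, as an absolute path. The original file first set it to
# "$EASY_RSA/keys" and overrode it further down, so the rm -rf warning
# printed below named a directory other than the one actually used.
export KEY_DIR="/opt/applis/openvpn/easy-rsa/keys"
# Issue rm -rf warning (quoted so the path is printed verbatim).
printf '%s\n' "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# RSA key size in bits for the CA, server and client keys and for the
# one-time DH parameter generation; the copy step on this page expects
# the resulting dh2048.pem. Larger values slow down TLS negotiation and
# the DH generation.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=730
# In how many days should certificates expire?
export KEY_EXPIRE=730
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="St-Ouen"
# Quoted: the unquoted form (export KEY_ORG=AGARIK SAS) assigned only
# "AGARIK" and treated SAS as a second variable name to export.
export KEY_ORG="AGARIK SAS"
export KEY_EMAIL="support@agarik.com"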
* Aller dans le répertoire de Easy-RSA :
# cd /opt/applis/openvpn/easy-rsa/

* Chargez les variables :
# . ./vars

* Nettoyez :
# ./clean-all

* Créez l'autorité de certification :
# ./build-ca

* Générez la clef RSA (certificat server .crt & .key) :
# ./build-key-server server

* Générez le certificat client :
# ./build-key ben

* Générez le paramètre de Diffie-Hellman
# ./build-dh

* Copiez les certificats dans le etc de OpenVPN :
# cp /opt/applis/openvpn/easy-rsa/keys/server.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/server.key /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.csr /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ben.key /opt/applis/openvpn/etc/

server.conf travail

/opt/applis/openvpn/etc/server.conf

# OpenVPN server configuration ("travail" variant): TCP/443, client
# authenticated by a certificate plus a PAM login (service "system-auth").
proto           tcp
port            443
dev             tun
# NOTE(review): scratch files go to the shared, world-writable /tmp; a
# dedicated directory owned by the daemon user is preferable — confirm.
tmp-dir         /tmp
# CA, server certificate/key and DH parameters, given as absolute paths so
# the daemon's working directory does not matter.
# NOTE(review): the easy-rsa steps on this page now produce server.crt /
# server.key, not vpn1.cg81.fr.*; confirm these file names still exist.
ca              /opt/applis/openvpn/etc/ca.crt
cert            /opt/applis/openvpn/etc/vpn1.cg81.fr.crt
key             /opt/applis/openvpn/etc/vpn1.cg81.fr.key
dh              /opt/applis/openvpn/etc/dh2048.pem
# Address pool handed out to clients.
server          192.168.255.0 255.255.255.0
# Routes pushed to every client (three /28 networks behind the server).
push            "route 10.42.25.0 255.255.255.240"
push            "route 10.42.25.16 255.255.255.240"
push            "route 10.42.25.64 255.255.255.240"
keepalive       10 120
cipher          AES-128-CBC
# Compression left disabled.
#comp-lzo
max-clients     10
# Drop privileges once initialisation is done.
user            nobody
group           nobody
# The PAM-authenticated username, not the certificate CN, identifies the
# client (e.g. in the status log).
username-as-common-name
plugin          /usr/lib/openvpn/openvpn-auth-pam.so system-auth
persist-key
persist-tun
status          /var/log/openvpn-status.log
# NOTE(review): "log" truncates the file on start, "log-append" appends;
# both target the same file — keep only the intended one.
log             /var/log/openvpn.log
log-append      /var/log/openvpn.log
# NOTE(review): verb 6 is a debugging level (very chatty logs); lower it
# for production.
verb            6


server.conf perso

# OpenVPN server ("perso" variant): UDP/80 (the TCP variant is kept
# commented out below). Clients need a valid certificate AND a PAM login.
mode server
tls-server
#proto tcp
proto udp
port 80
dev tun

# Certificates and keys. Relative paths: resolved from the daemon's working
# directory, so start OpenVPN from the directory holding them (or use --cd).
# Peers must present a certificate carrying the "TLS Web Client
# Authentication" extended key usage; a server certificate reused on a
# client is meant to be rejected.
remote-cert-eku "TLS Web Client Authentication"
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC protection of the TLS control channel with a shared secret.
# NOTE(review): ta.key is not produced by the easy-rsa steps on this page;
# it must be generated separately and copied to both sides (client side
# uses direction 1).
tls-auth ta.key 0
# Redundant with the second argument of tls-auth above (both say 0).
key-direction 0
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512

# Network: clients get 10.8.0.0/24 and all their traffic and DNS is
# redirected through this server (Google resolvers pushed).
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120

# Security: drop privileges and confine the process after start-up.
user nobody
group nogroup
# NOTE(review): the status file below uses a relative path; with the chroot
# in effect, confirm where it is actually written.
chroot /etc/openvpn/jail
persist-key
persist-tun
# NOTE(review): compressing tunnel traffic is generally discouraged
# (compression side channels); confirm it is really needed.
comp-lzo

# Kept commented out on purpose: a valid client certificate and the PAM
# "login" check are both required. Uncommenting would make the
# certificate optional.
#client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log

Configuration client vpn

# Client config
client
dev tun
proto udp
# Public address and port of the server; must match its "proto"/"port".
remote 217.174.206.178 80

resolv-retry infinite
# Certificates + keys
# Only accept a server certificate carrying the "TLS Web Server
# Authentication" EKU (counterpart of the server's client-EKU check).
remote-cert-eku "TLS Web Server Authentication"
ca ca.crt
cert ben.crt
key ben.key
# Same shared ta.key as the server, opposite direction (server uses 0).
tls-auth ta.key 1
cipher AES-256-CBC
# NOTE(review): pins a single CBC/SHA-1 control-channel suite while the
# server sets tls-version-min 1.2 and no tls-cipher — confirm this is the
# intended suite rather than a stronger one.
tls-cipher DHE-RSA-AES256-SHA
auth SHA512

# Send all traffic through the tunnel (the server pushes this as well).
redirect-gateway def1
# Security config

#user nobody
#group nobody

nobind
persist-key
persist-tun
comp-lzo

verb 3
# Prompt for the login/password that the server's auth-pam plugin checks.
auth-user-pass
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]	


Vérifier sa connexion VPN

Vérifier ses DNS https://www.dnsleaktest.com/ (test extended) : on ne doit voir que les dns définis dans le vpn
Vérifier la faille WebRTC https://diafygi.github.io/webrtc-ips/ : on ne doit voir que l'IP publique du VPN
Vérifier ce qui est visible de l'extérieur : https://ipleak.net/